essay

Entering the age of data privacy

How regulation, emerging tech, and shifting public sentiment are converging to reshape data privacy.

Something is shifting. For a decade, the implicit bargain of the internet held steady: you get free services, companies get your data, and everyone pretends this is a fair trade. That bargain is breaking down — not from one direction, but from three at once.

Regulation, technology, and public sentiment are converging on the same conclusion: the current model of data ownership is unsustainable. Each force alone might be containable. Together, they mark the beginning of a genuine transition in how we think about data, privacy, and the relationship between people and platforms.

Force 1: Regulation catches up

GDPR went into effect in May 2018, and it matters more than most people in tech want to admit. For the first time, a major regulatory body codified the principle that people have rights over their data — the right to access it, the right to correct it, the right to delete it, and the right to take it somewhere else.

GDPR isn’t perfect. Enforcement is inconsistent. Compliance is often performative (those cookie banners aren’t making anyone safer). But the principle it enshrines is significant: your data belongs to you, and companies that hold it are custodians, not owners.

California’s CCPA followed, and more regulation is coming. The direction is clear even if the execution is still catching up.

Force 2: New technology makes alternatives possible

For most of the internet’s history, decentralized data control was a nice idea with no viable implementation. You could argue philosophically that users should own their data, but there was no infrastructure to make it work.

That’s changing. Blockchain networks provide tamper-proof, decentralized record-keeping. Encryption advances make it possible to use data without exposing it. Decentralized storage networks can host data without centralized servers. Cryptographic identity systems let users authenticate without passwords controlled by platforms.

These technologies are early — too early for mainstream adoption. But they’ve crossed the threshold from theoretical to buildable. The question is no longer “is user-controlled data possible?” but “how do we make it usable?”

This is what we’re building at 3Box: infrastructure that gives users control over their own data, using Ethereum for identity and IPFS for storage, wrapped in interfaces simple enough that regular people can use them. It’s early. But the pieces are coming together.

Force 3: Public sentiment shifts

Cambridge Analytica cracked something open. Not because data misuse was new — it wasn’t — but because it made the abstract concrete. People could see, in specific terms, how their data had been harvested, sold, and weaponized against their interests.

The Pew Research Center reported that 79% of Americans were concerned about how companies use their data. That number has only gone up. Every new breach, every new scandal, every new revelation about surveillance advertising erodes the social license that tech companies have operated under.

Public sentiment alone doesn’t change systems. But it creates the political will for regulation and the market demand for alternatives. When people start actively seeking products that respect their privacy — encrypted messaging, privacy-focused browsers, data-minimal services — the economics shift.

The convergence

Any one of these forces could be dismissed. Regulation moves slowly and is often captured by incumbents. New technology takes years to mature. Public sentiment is fickle and rarely translates to changed behavior.

But the convergence is what matters. Regulation creates demand for privacy-preserving solutions. Technology makes those solutions buildable. Public sentiment creates the market for them. Each force reinforces the others.

Privacy is not about hiding

A common misunderstanding: privacy advocates want everyone to hide their data and live anonymously online. This misreads the argument entirely.

Privacy is about agency. It’s about having the ability to decide what you share, with whom, under what conditions, and for how long. A world with good data privacy isn’t a world where no one shares anything — it’s a world where sharing is intentional rather than coerced.

The current model extracts data as a condition of participation. Want to use a social network? Hand over your behavioral data. Want to use email? Let us scan your messages. Want to navigate somewhere? Give us your location history forever.

The alternative isn’t no sharing — it’s conscious sharing. Data as something you actively give rather than something passively taken. Data as an extension of self, managed with the same care you’d apply to any personal possession.

What comes next

The transition won’t be fast or clean. Incumbents have enormous advantages and no incentive to change. Most users still prioritize convenience over privacy (and that’s a rational choice given the current options). Infrastructure for user-controlled data is young and rough.

But the trajectory is set. The age of treating personal data as a free resource to be mined — data as oil — is ending. What replaces it is still being built. That’s the work ahead.