Right to Own Your Own Data

In 2014, an FTC study of nine data brokers found that one company held information on more than 1.4 billion consumer transactions and 700 billion aggregated data elements, and another added more than 3 billion records to its databases each month (FTC, Data Brokers: A Call for Transparency and Accountability, May 2014). As of 2026, 283 brokers are registered under Vermont’s 2018 data broker registry, the only public registry of its kind in the United States. The proposal adds a constitutional amendment recognizing the right to control personal data, paired with an implementing statute that prohibits non-consensual collection, requires deletion on verified request, and conditions any commercial use on individual consent and compensation at rates set by federal rule.

What current data law does

The federal Constitution does not recognize a right to control personal data. The Fourth Amendment limits government access to certain digital records. In Carpenter v. United States, 585 U.S. 296 (2018), the Supreme Court held that the government must obtain a warrant before accessing seven or more days of historical cell-site location records. The Fourth Amendment does not constrain private collection. Federal statutory protection is sectoral: the Health Insurance Portability and Accountability Act covers medical records, the Family Educational Rights and Privacy Act covers education records, the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act cover financial records, and the Children’s Online Privacy Protection Act covers children under 13. The general consumer-data field is unregulated at the federal level.

State laws fill part of that gap. The California Consumer Privacy Act, as amended by the California Privacy Rights Act, grants rights to know, delete, and opt out of sale. The California Delete Act (SB 362), signed October 10, 2023, requires data brokers to honor deletion requests submitted through a single state-administered portal. Vermont’s data broker registry, codified at 9 V.S.A. § 2446, requires brokers to register annually with the Secretary of State and pay a $100 fee; 283 data brokers appeared in the registry as of 2026. The Consumer Financial Protection Bureau finalized its Section 1033 rule on October 22, 2024, requiring covered financial institutions to make consumer financial data portable on request. As of 2026 the rule is the subject of litigation and reconsideration by new CFPB leadership.

Two recent federal proposals — the American Data Privacy and Protection Act (H.R. 8152, 117th Congress) and the American Privacy Rights Act of 2024 (H.R. 8818, 118th Congress) — would have established a baseline federal privacy regime. Neither bill became law. ADPPA cleared the House Energy and Commerce Committee 53–2 in July 2022 and did not receive a floor vote. APRA’s June 2024 markup was canceled.

The amendment and statute

The proposal pairs a constitutional amendment with implementing legislation. The amendment establishes the right. The implementing statute defines its operational scope at the time of ratification.

The amendment would:

• Recognize a right of every person to control the collection, use, transfer, and storage of personal data concerning that person
• Prohibit non-consensual collection of personal data, with narrow exceptions defined by statute (public safety, journalism, and academic research subject to institutional review)
• Authorize Congress to enforce the article through appropriate legislation, mirroring the enforcement clauses of the Thirteenth, Fourteenth, and Fifteenth Amendments

The implementing statute would:

• Establish a default-deny rule for collection, processing, transfer, and sale of personal data, conditioned on informed, specific, revocable consent
• Require deletion within 45 days of a verified request, modeled on California SB 362
• Require data portability in a machine-readable format, modeled on Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act
• Create a federal data broker registry administered by the Federal Trade Commission, modeled on Vermont 9 V.S.A. § 2446 and California SB 362
• Prohibit the sale or transfer of sensitive categories of data, including precise geolocation, biometric identifiers, health data, communications content, browsing history, and data on minors
• Establish a statutory schedule of compensation rates for any commercial use of non-sensitive personal data, set by Federal Trade Commission rulemaking and reviewed biennially based on industry revenue audits
• Provide a private right of action with statutory damages, attorney’s fees, and class certification eligibility
• Preempt no state law that provides equal or greater protection

Precedent

Federal law already provides sectoral data rights. The Health Insurance Portability and Accountability Act of 1996 (Pub. L. 104-191) creates a federal right to access and amend medical records. The Family Educational Rights and Privacy Act of 1974 (20 U.S.C. § 1232g) creates a parental and student right to access and challenge educational records. The Gramm-Leach-Bliley Act of 1999 (Pub. L. 106-102) and the Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.) regulate financial-data handling and create individual rights of access and dispute. The Consumer Financial Protection Bureau’s Section 1033 rule, finalized October 2024, establishes a federal right to portable financial data. The proposed framework extends these sectoral rights to all personal data and raises the legal basis from statute to constitutional right.

Comparative precedent is more extensive. Article 8 of the Charter of Fundamental Rights of the European Union, in force since 2009, recognizes data protection as a fundamental right separate from the right to private life under Article 7. The General Data Protection Regulation (Regulation (EU) 2016/679, in force May 2018) implements that right with rules on lawful basis, data subject rights, data protection authority supervision, and administrative fines up to €20 million or 4 percent of annual global turnover. State-level United States precedent includes California SB 362 (2023) and Vermont 9 V.S.A. § 2446 (2018). The closest constitutional precedent for digital privacy in the United States is Carpenter v. United States, 585 U.S. 296 (2018), in which the Supreme Court extended Fourth Amendment protection to historical cell-site location records and limited the third-party doctrine with respect to “detailed, encyclopedic, and effortlessly compiled” digital records.

First 100 days

Day one. The president transmits the proposed amendment to Congress with an Office of Legal Counsel memorandum analyzing textual scope, the relationship between the amendment and the First Amendment (commercial speech, journalism, public-record collection), and the scope of statutory exceptions. The Federal Trade Commission opens a Section 6(b) study of the data broker industry, modeled on its 2014 study, with orders to file special reports issued to a representative set of brokers.

Day thirty. Joint House Energy and Commerce and Senate Commerce, Science, and Transportation Committee hearings on the implementing statute. The Department of Commerce releases an interagency report identifying the categories of federal records and federally regulated commercial records that contain personal data, along with the existing legal authorities governing each category.

Day ninety. Both houses pass a joint resolution proposing the amendment by the required two-thirds majority and send it to the states under Article V. The implementing statute is introduced as a separate bill, with the federal data broker registry, default-deny consent rule, deletion mechanism, sensitive-category prohibition, statutory compensation schedule, and private right of action set out as title-by-title provisions.

Effect of the right

Under the right, personal data belongs to the individual it concerns. Collection, processing, transfer, and sale require informed and revocable consent. Sale of sensitive categories is prohibited. Non-sensitive categories may be used commercially only on a compensated, opt-in basis at rates set by Federal Trade Commission rulemaking. The implementing statute carries a private right of action with statutory damages and class certification eligibility. The right applies against private actors and against government. Separate Fourth Amendment protections are preserved.