MyData Business Models

Sergio Maldonado
Published in
9 min readDec 29, 2019


Photo by Ryoji Iwata on Unsplash

For all the consensus we have managed to build on the need for people to take control over their personal information, entrepreneurs around the world are still struggling to find a working business model that effectively replaces current “dirty data” practices*.

A few academic circles, discussion groups, and non-profit organizations have been paving the ground for quite some time, somewhat clarifying the various options available to empower individuals with an acceptable level of agency over their digital debris.

As one of the latter, the Finland-headquartered MyData Global has managed to gain a solid international footprint, laying out a set of underlying principles, including the need for human-centricity and empowerment, the portability and interoperability of personal data, transparency and accountability. Such principles have been kept open enough to give shelter to plenty of alternative approaches.

All the while, new players in the personal data management space are popping up by the minute, none of them apparently tapping on a present and real source of revenue (despite the obvious opportunity exposed by current inefficiencies in AdTech or Single Customer View endeavors).

Given how important it has become for a business model to find its place within a particular understanding of personal data or privacy, I thought I would summarize and correlate the two under a common structure, in the hope of simplifying the description of our own efforts, as well as the classification of new entrants. Needless to say, privacy does not have to be the primary goal of any of the listed models (they may just be after individual empowerment, human centricity, or increased transparency), nor are their different takes on it mutually exclusive.

I have definitely left behind a good number of options on both fronts (business models, underlying principles) for the sole reason of not being able to properly match them across each other, so I would recommend keeping in mind the wider range of initiatives listed in the Project VRM wiki, definitely a more exhaustive reference.

I will end this up with a summary of the mentioned business models, as well as a return to the MyData Global principles, hoping to discern them further under that particular light.

Six takes on privacy

a) Privacy as a fundamental, inalienable human right

  • Summary: privacy must be protected as a common good and cannot be contracted away or compromised.
  • Consequence: there is no room for a business model built on personal data, other than helping people exercise their legal rights (or helping companies comply with applicable laws).
  • Flaws: There already IS a personal data trade on which the entire ad-based internet has been built. Preventing the rise of incremental improvements will leave current practices unchallenged. Regulation alone cannot solve the existing issues — rights are not as easily enforceable as applicable laws seem to indicate.
  • Associated business models: Privacy Enhancement Tools, User Rights Management platforms.

b) Privacy as a natural consequence of contextual identity

  • Summary: as we keep marching towards self-sovereign identity (and its decentralized management), smarter data collection/activation practices result in the minimization of required data points for each digital interaction.
  • Consequence: Contextual identity will lead to Privacy by design and by default. Compatible business models should either help it take off or replace existing data-hungry practices with marketing, analytics, and optimization tools that feed on pseudonymous or anonymous data.
  • Flaws: In the absence of public demand, businesses have few incentives to make a u-turn in their current CRM (Customer Relationship Management), CDP (Customer Data Platform), DMP (Data Management Platform), personalization, or automated decision-making practices. All of them are built on a wider, objective notion of identity that can be easily deduplicated (by service providers) across “silos”.
  • Associated business models: Identity Management, Personal Data Stores, Brand Relationship Management.

c) Privacy as a side-effect of personal agency

  • Summary: Privacy is a relative concept (in Roman law derived from a particular expectation of intimacy) — personal agency is not. As long as specific data points pertain to them and can have an impact on their lives, people should be able to decide whether, how, or for how long they are exposed, shared, or put to work.
  • Consequence: Transparency and control. People get to choose how much brands or service providers learn about them. Value does not stem from our estimation of the money Google or Facebook have been making with our data, but rather from truly balanced individual-brand relationships (instead of contracts of adhesion and consent-gathering tricks).
  • Flaws: Harder to explain to the population at large in the absence of tangible rewards. People are used to allowing stealth data collection without much awareness or opposition, most likely finding greater value in the free services that come with all of it.
  • Associated business models: Personal Data Stores, Brand Relationship Management, Declared Data Platforms.

d) Data as personal property

  • Summary: personal data belongs to people, who should be able to transfer ownership for profit.
  • Consequence: People will be paid for their data. Calls to curtail this opportunity stem from an elitist approach to privacy: the few who “know better” are trying to “patronize” the many deemed incapable of discerning the impact of their own decisions.
  • Flaws: By rewarding the commoditization of personal data we will incentivize the very “dirty data” practices that have put us where we are, perpetuating the current role of data brokers (as it is them who set the price and define the market for the data being sold), turning privacy into a luxury — only enjoyed by those who can afford it. GDPR compliance is an elusive goal for data monetization initiatives built on a public blockchain, as most of them are.
  • Associated business models: Personal Data Marketplaces.

e) Personal data as a new kind of intellectual property

  • Summary: applying a legal framework akin to copyright will do away with important limitations in other property-based models, allowing for a separation of economic rights and “moral” rights, “derivative” data, joint “authorship”, or unlimited instantiation through combinations of transferability and exclusivity.
  • Consequence: People should be able to claim specific data points as wholly or partly theirs, subsequently licensing economic rights over such data points under pre-defined sets of terms, along the lines of some sort of Creative Commons. “Moral” rights would remain inalienable.
  • Flaws: It will still result in the commoditization of personal data, if only with less clear outcomes in terms of market definition and the role of current (AdTech) brokers. Hard to implement and hard to explain.
  • Associated business models: Declared Data Platforms, Attention Management and survey-based market research tools.

f) Privacy as an illusion

  • Summary: privacy is an outdated concept in a digital world.
  • Consequence: Nobody should expect to be able to have any control whatsoever over the manner in which their data spreads, but platforms and brands will have market incentives to treat it adequately. The younger people are, the less they tend to worry.
  • Flaws: We are starting to witness the side-effects of stealth data collection and out-of-control data brokerage. Creepy behavioral advertising practices are quickly eroding public trust in advertisers and the media. Younger internet users lead the adoption of ad blockers and tend to shun larger, traditional brands in favor of those committed to transparency and sustainability (often resulting in much less tracking).
  • Associated business models: Existing AdTech ecosystem, Personal Data Marketplaces, Attention Management and survey-based market research tools.

Eight business models vs. one set of principles

Here’s a more detailed description of the associated business models, including a few examples and some of our own (PrivacyCloud) initiatives. They are followed by my own attempt to match them against the current MyData Global principles.

[@Business founders: please do not hesitate to reach out if you believe that your own platform is in the wrong place or should not even be included here.]

  1. Privacy Enhancement Tools: Helping people avoid or remove trackers, automate their responses to business-driven User Rights Management platforms, or understand which organizations hold their data, as well as representing them in their exercise of other legal rights. Examples: Ghostery, Jumbo, One.Thing.Less, DuckDuckGo, Consent Manager (PrivacyCloud).
  2. User Rights Management platforms: Helping companies achieve compliance with existing regulatory frameworks (GDPR, CCPA, etc.). They include Consent Management Platforms and self-service environments for the exercise of access, restriction, rectification, erasure, objection, or portability rights. Examples: Cookiebot, TrustArc, OneTrust, Datawallet, Osano.
  3. Self-Sovereign Identity tools: Helping individuals manage their digital identities in a way that they enjoy increased convenience during service-specific sign-up processes while (unlike “Login with Google” or “Login with Facebook” users) remaining in full control over the amount of data points exposed to each organization, as well as the manner in which they are updated, spread or deleted. Examples: Evernym, globalID, uPort.
  4. Personal Data Stores: Personal Information Management Systems that aim to help people gather and, locally or remotely, store all of their personal data, privately sharing it on their own terms, as required by specific applications or services compatible with such distributed repositories. Examples: Inrupt (Solid),, PolyPoly.
  5. Brand Relationship Management tools: Personal Information Management Systems that help people connect with organizations in scenarios of equal bargaining power, remaining in control over their data while personal information is mostly gathered, maintained, and activated by each “brand” on the basis of its proximity to the digital interactions that generate such data in the first place. In other words, storage is replaced by “pointers” and identity management. Examples: Meeco, NODO (PrivacyCloud).
  6. Declared Data Platforms: Pseudonymized data pooling in the context of market research, healthcare, or the improvement of public services, including survey-based tools helping individuals collect, organize, and collectively share aggregate data for direct or indirect compensation. Examples:
  7. Attention Management and survey-based market research tools: Vendor-managed mobile apps rewarding individuals for the time spent watching ads or completing surveys, as well as for anonymously sharing basic socio-demographic information. Examples: Dabbl, Bid/R, Streetbees, Perksy, Jebbit.
  8. Personal Data Marketplaces: Tools that facilitate the collection, self-management, and trading of personal data (for blockchain-based tokens or money). Examples: metaMe,, Datum, Datacoup, Wibson.

Are any of them compatible with the MyData principles?

Although some of the listed models provide room for individual empowerment (principle 3) or human centricity (principle 1) in isolation, I would argue that few can make the cut to meet both of them simultaneously. At the same time, I believe that the remaining ones (“individual as the point of integration”, “portability”, “transparency and accountability”, “interoperability”) will most likely happen as a consequence of true human centricity.

I have tried to summarize this in the following chart:

Business models in light of human centricity and individual empowerment.

I find it particularly relevant to note how Personal Data Marketplaces (a category that counts the largest number of initiatives in the “individual empowerment” space) differ little from current AdTech players when it comes to an absolute lack of human centricity: data is sold once without much transparency as to where it will end up, or agency with regards to subsequent transfers and purposes, while the point of integration has not moved from where it stands today (brokers and advertisers).

Other models would also seem to fall beyond the boundaries of the said principles: both User Rights Management tools and Attention Management/survey-based market research applications are clearly vendor-centric, whereas Privacy Enhancement Technologies provide little empowerment insofar as they are hand-tied by the manner in which vendor-driven environments (and teams) are able to respond to specific data subject requests.

I guess the remaining four deserve, at the very least, the benefit of the doubt.


All in all pretty overwhelming, despite not even showing the tip of the iceberg. I do look forward to helping the entire space mature, hopefully producing a few really strong value propositions that can actually move the needle with the population at large.

Comments, thoughts, and corrections will be much appreciated.

[Edited on June 16 2021 to update/remove some of the links and references, a few of the initiatives mentioned above having disappeared since December 2019]

*Referring with this to much of AdTech, as well as any other ecosystems equally based on lack of transparency, broken consent mechanisms, and the complete absence of agency on the part of the individual when it comes to the collection, processing, integration, analysis or “activation” of such data.



Sergio Maldonado

Dual-admitted lawyer. LLM (IT & Internet law), Lecturer on ePrivacy and GDPR (IE Business School). Author. Founder: PrivacyCloud, Sweetspot, Divisadero/Merkle.