A growing number of internet users are becoming aware that while browsing the web, they leave behind personal data that later becomes the subject of trade. Age, address, telephone number, are data commonly requested to access Internet web sites.
In the private sector, companies dedicated to collecting, managing, and selling data strive to obtain information about citizens, primarily from software applications and Internet websites. The data collected is stored, carefully compiled, and specifically categorised for sale in the marketplace. The price of data varies depending on its nature, the source from which it originates, and the strategic or commercial value it holds for the collector. The average value of personal data from a typical active user on Meta is estimated at 2 US dollars per month. In the advertising sector, the commercial value of a person’s personal data can reach up to 263 dollars per year. Recently, the American organisation The Generation Lab offered 50 dollars per month to young people who allowed tracking of their mobile phones to collect data about usage, search patterns, purchases, movements, and similar activities, excluding sensitive data such as passwords to bank accounts. Similarly, a well-known crypto-asset company currently offers tokens (valued at around 40 dollars) to users who permit biometric tracking of their eyeballs, currently holding data from over 12 million people.
Although these figures may be subject to debate or adjustment, it is clear that personal data has an evident inherent value. It is a different matter that individuals are unaware of this or simply do not perceive that their privacy can be monetised. A good testimony of this is the growing number of people willing to sell their data in exchange for varying levels of compensation based on the quantity and quality of the data being transferred. This means that digital operators no longer settle for data collected by cookies and other IT solutions, but aim to access much more specific personal data, which are therefore more valuable. The fact that most people entering the paid data transfer market are young likely stems from their perception that lacking privacy is harmless or that, since they are undoubtedly under constant scrutiny, they might as well receive something in return.
Two fundamental approaches are observed: (1) websites that allow users to choose between accepting cookies and accessing content “for free,” or paying for said content or service; (2) websites that offer a menu allowing users to choose between rejecting all cookies, managing them selectively, or accepting so-called “technical cookies,” which are always necessary. In this second group, most websites do not clearly indicate whether the acceptance or rejection button corresponds to consent or refusal (there is no explanation stating whether the selected position means acceptance or rejection); instead, the button merely changes colour. This lack of clarity may lead users to unknowingly or unwillingly consent to cookie use.
Furthermore, uncertainty arises regarding what data is collected from websites when users interact with them. It is worth asking how is it possible that a tab allows the rejection of all cookies, when we know that a website requires a certain number of cookies to function properly? In other words, what information or data does the user leave behind when clicking “reject all cookies”? The answer is not found on the websites themselves, but it is true that there are certain technical cookies which are essential for the correct functioning of a website, and which thus remain active. In addition, tracking that is not obtained via cookies is achieved through alternative methods such as the digital fingerprint of a browser, which can identify users without cookies. Therefore, in one way or another, user data is collected, to some extent, while they interact on the web. Lastly, consider cases beyond the Internet where data is constantly and unknowingly transferred, such as when renting a vehicle; it is inherent to the service to record information about usage times, speeds, braking, visited locations, etc., data obtained freely and without the user’s explicit consent.
The enormous profits made by the digital sector through tracking, compiling, and selling data on the Internet are largely due to the fact that the raw material they work with is practically free. Internet users, through computers, mobile phones, and other devices (vehicle navigators, AI-powered robotic assistants, etc.) are the ones who provide it.
The idea that personal data is not given away for free but rather in exchange for a service or content was born as an argument sponsored by the Internet industry and it cannot be sustained in light of the undeniable existence of a vigorous and profitable market for transforming, exchanging, and selling personal data. Secondly, and although it may seem obvious, because without users, the system would not function. Additionally, the supposed consideration that a website offers users merely by granting access to content is not such because the website’s underlying economic interest is only achievable through user interaction. Finally, if data transfer were understood as consideration for services or content, all websites should disclose this upon access, and prohibit interaction without cookie consent. However, as mentioned, cookies are not the only tool for tracking and collecting user data.
An example which effectively showcases the importance of personal data, and proves how in many cases the benefit to the Internet service provider does not come from the economic transaction with the user, is that of home delivery and sales companies. A company sells or is involved in the sale of a pen to a user for a total price of 2 euros; clearly, the profit does not arise from the transaction itself but from the collected data, otherwise, the company would not accept obviously unprofitable orders and it would set minimum amounts per transaction.
Therefore, if there is consensus that user data has value and that said value is transferred by the user to the owner of the website or app when the users interact with or operate on them, it also seems very reasonable that the user should be compensated for their contribution. Personal data is the raw material of the digital sector, from which complex information assets are created and incorporated into the economic value chain. In our view, when a user intends to interact with a website, they are faced with an emerging contractual relationship, where the website owner acts as the offeror and the user as the potential counterparty (as the provider of a quantifiable valuable asset, their data); that is to say, we are facing a true intangible asset transfer (a sale) executed when the user consents (by accepting cookies and continuing interaction); consequently, such transfer should be compensated with a consideration or price, as per Article 1445 of the Spanish Civil Code. Notwithstanding, this does not apply if the user waives the right to compensation, because in such case the transfer would be gratuitous (a donation).
Based on what has been discussed, it seems to be evident that there is: (a) a right of the user to accept or reject cookies and equivalent or alternative tracking methods capable of obtaining personal data; (b) the value of personal data; and (c) a transaction consisting of the transfer of personal data by the user, which gives rise to the right to obtain consideration if the user decides to transfer their data for a fee. This last point implies the need to quantify such consideration. This is where the market must play its regulatory role, which it will probably do on the basis of two basic parameters: the quality of information the user is willing to provide (in terms of time as well as nature of the data) and the expected profit that the acquirer intends to obtain from the data collected.
Leaving aside the specific agreements mentioned earlier, most data transactions occur within the framework of daily app usage or website browsing, thousands per second and in overwhelming total volume. Therefore, the proposed solution of variable compensation based on the market parameters mentioned in the previous paragraph implies the integration of a menu in such websites or apps so that users (potential data providers) may select the type of data they are willing to share and receive compensation based on the chosen category (which they may accept or reject). Ultimately, this requires a simple and fast technological application, as demanded by the dynamics of online transactions. Since the implementation of this technology may be delayed, especially if there is no legislation setting guidelines and a timetable for the transition to said new framework, a transitional system must be established, such as micropayments for browsing the website, discounts on transactions made through it, or the accrual of points redeemable for products or services.
Whatever the mechanism for setting the price, the essential factor lies in the paradigm shift: the right to obtain compensation for data means that the user ceases to be a passive contributor who provides data for free, and becomes an active party to a contract in which they willingly transfer their data and receive consideration in return.
Eduardo Vilá
Vilá Abogados
For more information, please contact:
17th October 2025
