This paper examines a monopolist platform’s data strategy comprising of data collection and data protection under two different data ownership regimes: one, where users have no control over the amount of data shared with the platform, and the other, where users can set privacy controls. Moreover, we also consider the welfare implications of introducing a minimum data protection regulation under the two data ownership regimes. Our analysis yields novel insights: (i) empowering users leads to a sub-optimal level of data collection and protection, and (ii) combining minimum data protection with empowering users to control data can better achieve the regulator’s objective of enhancing consumer welfare.