In an era of big data, harms caused by data technologies can no longer be effectively addressed under the predominant regulatory paradigm of individual empowerment. Even a sophisticated consumer cannot fully protect herself against collective harms triggered by others’ privacy choices or by technologies creating competitive harm without processing personal data or targeting individuals. While data protection and competition law can be applied more proactively to address such harms, difficulties are likely to remain. We therefore submit that stronger regulatory interventions are required to target collective, and sometimes competitive, harm from technologies like pervasive advertising, facial recognition, deepfakes and spyproducts.