In a two-period model, I examine the incentives of a digital service monopolist to invest in unobserved data security, when it charges no access fees but instead monetizes consumer data. Consumers suffer privacy-related disutility when data breaches occur, and the firm wants to earn a reputation for protecting users’ data to maintain high activity in period two. I analyse two regimes of endogenous data-sharing, depending on which side has ex-post control over it: if it is the firm, data-sharing requirements are chosen in every period to maximize current profits. If it is consumers, data-sharing is chosen to maximize consumer surplus (CS), accounting for the firm’s reputation. I ask whether a social planner can improve ex-ante consumer surplus by committing to different levels of data-sharing in period two, relative to the regulation-free equilibria, and I allow data-sharing to depend on the firm’s posterior reputation. Ex-ante commitment to data-sharing affects consumer surplus directly, but also via equilibrium investment. Starting at the firm-control equilibrium, the effects on investment are dominated, and the planner can improve total CS by reducing the amount of data that both high- and low-reputation firms collect. On the other hand, compared to the ex-post consumer optimum, committing to less data-sharing following a breach induces higher security; the ex-ante optimal level trades off higher security against more “signal-jamming”: greater investment impedes learning about the true levels of cyber-risk, which harms consumers in the second period. I discuss how these results relate to GDPR-type regulation regarding optional cookies, and also examine penalties and minimum-security standards.