Privacy interests arise from relationships of trust: people share information with those they trust and conceal things from those they don’t. Trust grows when it is respected and diminishes if it is betrayed. Firms in the online ecosystem need consumers to trust them, so the consumers keep coming online, being surveilled, viewing ads, and buying things. But those same entities make money by exploiting consumer trust—using the information they gain to develop individualized profiles that facilitate advertising that gets people to buy things they may not really want or need, at individualized rather than generally available prices. Trust and, thus, privacy, is therefore best viewed as a common-pool resource for the online ecosystem to manage, not as a commodity exchanged in a market between consumers and sellers. The common-pool resource model explains why online entities have incomprehensible privacy policies, why they accept regulation by the Federal Trade Commission, and why they recognize the seriousness of data breaches even as they reject any obligation to compensate consumers when a breach occurs. This model also clarifies the nature of the ongoing economic and political conflict between consumers and online entities about pervasive surveillance and the use of targeted ads. Market-based models, by contrast, do not fit these realities and, as a result, there is no reason to think that “market forces” will optimally equilibrate consumer and seller interests. Some modest regulatory correctives are therefore advisable.