Privacy is not just a technical challenge. It is a legal right, one that is increasingly protected by legislation around the world. Understanding the laws that protect your personal data gives you concrete tools to control how companies collect, use, and share your information.

GDPR: The European Standard

The General Data Protection Regulation (GDPR), which took effect in 2018, is the most comprehensive privacy law in the world. It applies to any organization that processes data of EU residents, regardless of where the company is based. If a company in California collects data from someone in Germany, GDPR applies.

GDPR grants EU residents several fundamental rights:

  • Right to access. You can request a copy of all personal data a company holds about you. They must respond within 30 days.
  • Right to erasure (the "right to be forgotten"). You can request that a company delete all of your personal data. They must comply unless they have a legal obligation to retain it.
  • Right to data portability. You can request your data in a machine-readable format so you can transfer it to another service.
  • Right to rectification. You can request correction of inaccurate personal data.
  • Consent requirements. Companies must obtain explicit, informed consent before collecting your data. Pre-checked boxes and buried terms do not count as valid consent.
  • Data breach notification. Companies must notify authorities within 72 hours of discovering a data breach, and affected individuals must be notified without undue delay.

Enforcement is meaningful. GDPR fines can reach 4% of global annual revenue or 20 million euros, whichever is higher. Major fines have been issued to companies including Meta, Google, Amazon, and TikTok.

CCPA and CPRA: California Leading the US

The California Consumer Privacy Act (CCPA), enhanced by the California Privacy Rights Act (CPRA), is the strongest privacy law in the United States. It applies to businesses that meet certain thresholds for revenue or data volume and collect data from California residents.

Key rights under CCPA/CPRA:

  • Right to know. You can request that a business disclose what categories and specific pieces of personal information it has collected about you, where it came from, and who it has been shared with.
  • Right to delete. You can request deletion of your personal information, with some exceptions for legal compliance and essential business operations.
  • Right to opt out of sale. You can direct businesses not to sell or share your personal information. Businesses must provide a "Do Not Sell or Share My Personal Information" link on their website.
  • Right to non-discrimination. Businesses cannot deny you services, charge you different prices, or provide a different quality of service because you exercised your privacy rights.
  • Categories of personal information covered include identifiers, commercial information, internet activity, geolocation data, biometric data, professional information, and inferences drawn to create a consumer profile.

Other Privacy Laws Around the World

  • PIPEDA (Canada) governs how private sector organizations collect, use, and disclose personal information in the course of commercial activity. It provides rights similar to GDPR including access, correction, and consent requirements.
  • LGPD (Brazil) closely mirrors GDPR and provides Brazilian residents with rights to access, correction, deletion, and data portability. It established the ANPD (National Data Protection Authority) as the enforcement body.
  • US state laws. Beyond California, states including Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, and Texas have enacted their own privacy laws. While they vary in scope and strength, the trend is clear: comprehensive state-level privacy legislation is expanding across the country.

Exercising Your Rights

Knowing your rights only matters if you use them. Here is how to take action:

  • File data access requests (DARs or DSARs). Most companies provide a privacy portal or email address for submitting requests. Under GDPR, search for "data subject access request" on the company's website. Under CCPA, look for a "Do Not Sell" or "Privacy Rights" link in the website footer.
  • Request deletion. Use the same channels to request that your data be erased. Be specific about what data you want deleted and keep records of your request and the company's response.
  • Use tools and templates. Organizations like the Electronic Frontier Foundation, noyb.eu, and the Open Rights Group provide template letters for data access and deletion requests. These templates are drafted by legal experts and cover the necessary legal language.
  • Follow up and escalate. If a company does not respond within the legally required timeframe (30 days under GDPR, 45 days under CCPA), you can file a complaint with the relevant supervisory authority. Under GDPR, complaints go to your national Data Protection Authority. Under CCPA, complaints go to the California Attorney General's office.

The Limits of Privacy Laws

Privacy laws are powerful but imperfect:

  • Enforcement challenges. Regulatory bodies have limited resources and cannot investigate every complaint. Large companies can afford to litigate and delay compliance.
  • Small companies may not comply. Many small businesses lack the legal knowledge or resources to implement proper privacy protections, even when legally required.
  • The US lacks a comprehensive federal privacy law. The patchwork of state laws means that protections vary dramatically depending on where you live. Residents of states without privacy laws have very limited legal recourse.
  • Surveillance exemptions. Most privacy laws include broad exemptions for national security and law enforcement. Government surveillance programs often operate outside the scope of consumer privacy legislation.

Privacy laws give you legal tools to fight for your data. They are not a complete solution, but combined with technical measures and good habits, they are an essential part of protecting your privacy in the digital age.
