Why Privacy Laws Matter for Everyday People
You don't need to be a lawyer to benefit from data privacy regulations. The EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) both give individuals concrete, actionable rights over their personal data. Understanding them helps you make informed requests to companies that hold your information.
Quick Comparison: GDPR vs. CCPA
| Feature | GDPR (EU) | CCPA (California) |
|---|---|---|
| Who it covers | All EU residents | California residents |
| Applies to | Any company handling EU resident data | For-profit businesses above a threshold |
| Right to access | Yes | Yes |
| Right to delete | Yes ("Right to be forgotten") | Yes (with exceptions) |
| Right to opt out of sale | Not explicitly — consent-based | Yes — "Do Not Sell My Info" |
| Data portability | Yes | Yes |
| Enforcement | Supervisory authorities, heavy fines | California AG, private right of action (limited) |
Your Key Rights Under GDPR
If you're in the European Union (or dealing with a company that serves EU customers), the GDPR gives you these rights:
- Right to be informed: Companies must tell you clearly what data they collect and why.
- Right of access: You can request a copy of all data a company holds about you (Subject Access Request, or SAR).
- Right to rectification: If data is inaccurate, you can demand it be corrected.
- Right to erasure: The famous "right to be forgotten" — request that your data be deleted, though companies may have legal grounds to retain some of it.
- Right to restrict processing: You can ask a company to stop using your data while a dispute is being resolved.
- Right to data portability: Get your data in a structured, machine-readable format to transfer to another service.
- Right to object: Opt out of processing for direct marketing or profiling.
Your Key Rights Under CCPA / CPRA
California's law (now expanded under CPRA) provides similar protections for California residents:
- Know what's collected: Request the categories and specific pieces of personal information a business has collected about you.
- Delete your data: Request deletion of personal data (with some business necessity exceptions).
- Opt out of the sale or sharing of data: Businesses must provide a "Do Not Sell or Share My Personal Information" link.
- Correct inaccurate data: Added by CPRA — you can request corrections to incorrect personal information.
- Limit use of sensitive data: CPRA restricts how companies use sensitive categories like health data, precise location, and financial information.
- Non-discrimination: Companies cannot penalize you (higher prices, lower service quality) for exercising your rights.
How to Actually Exercise These Rights
- Identify the company's privacy contact. Most privacy policies now list a dedicated email or online form for data requests.
- Submit a formal Data Subject Access Request (DSAR) under GDPR or a Consumer Request under CCPA. Reference the specific law and right you're invoking.
- Verify your identity. Companies are required to confirm you are who you say you are before complying — expect to provide basic identification.
- Track the deadline. GDPR requires a response within 30 days (extendable to 90 in complex cases). CCPA requires a response within 45 days (extendable once).
- Escalate if needed. Under GDPR, file a complaint with your national data protection authority. Under CCPA, contact the California Privacy Protection Agency.
What If You're Not in the EU or California?
Other jurisdictions are catching up. Canada's PIPEDA, Brazil's LGPD, Australia's Privacy Act, and Virginia's VCDPA all offer overlapping protections. Even if you're not covered by GDPR or CCPA, many major companies honor these requests globally as a matter of policy — it's always worth asking.