Privacy laws exist to give you control over your personal data, but they only work if you understand them and exercise the rights they provide. As part of your broader digital privacy and online safety approach, knowing the legal framework is as important as knowing the technical tools. These laws are your leverage – the reason companies must provide opt-out mechanisms, honor deletion requests, and disclose what data they collect about you.
This guide covers the three most impactful privacy regulations for individuals in 2026: the European Union’s GDPR, California’s CCPA/CPRA, and the more recent DELETE Act. Each has different scopes, rights, and enforcement mechanisms, but they share a common principle: your personal data belongs to you, and companies that collect it owe you transparency and control.
GDPR (General Data Protection Regulation)
What It Is
The GDPR is the European Union’s comprehensive data protection law, enacted in 2018. It is the most influential privacy regulation in the world, and its effects extend far beyond Europe. Many companies apply GDPR standards globally rather than maintaining separate data practices for different regions.
Who It Applies To
The GDPR applies to any organization that processes the personal data of people in the EU, regardless of where that organization is based. In practice:
- If you are in the EU, any company that offers you goods or services or monitors your behavior online is bound by it
- If you are outside the EU, you still benefit indirectly, because many companies apply GDPR standards to all users rather than maintaining separate data practices for each region
Your Rights Under GDPR
Right to access – You can request a copy of all personal data a company holds about you, along with the purposes of processing and who it has been shared with. The company must respond within one month; it may extend that by up to two further months for complex or numerous requests, but only if it tells you why within the first month. The first copy is free.
Right to rectification – If a company holds inaccurate data about you, you can request correction.
Right to erasure (right to be forgotten) – You can request that a company delete your personal data. There are exceptions (legal obligations, freedom of expression), but for most commercial data, the company must comply.
Right to data portability – You can request your data in a structured, commonly used, machine-readable format and transfer it to another service. This is the legal defense against vendor lock-in, and open formats like the KeePass KDBX format deliver the same outcome technically: when your password manager stores your vault in an open format, you never need to file a request to get your data out. Apps like PanicVault, a native macOS/iOS password manager built on the KDBX format, embody this principle: your data stays in an open, portable format that you can open in any compatible app at any time.
Right to object – You can object to your data being used for direct marketing, profiling, or processing based on “legitimate interests.”
Right to restrict processing – You can request that a company stop processing your data while a dispute is resolved.
Right not to be subject to automated decision-making – You have the right not to be subject to decisions based solely on automated processing (including AI systems) that produce legal or similarly significant effects on you, and to obtain human review of such a decision, express your point of view, and contest it.
How to Exercise GDPR Rights
- Find the company’s Data Protection Officer or privacy contact (usually listed in their privacy policy; not every company is required to appoint a DPO, but every controller must give you a contact point)
- Submit a written request specifying which right you are exercising, and keep a dated copy; expect to be asked to verify your identity before data is released
- The company must respond within one month, extendable by up to two further months for complex or numerous requests, provided it notifies you of the extension within the first month
- If the company does not comply, file a complaint with your country’s data protection authority; you can also bring a claim in court
GDPR Enforcement
GDPR violations can result in fines of up to 4% of annual global revenue or 20 million euros, whichever is higher. This has teeth – major fines have been levied against Meta, Google, Amazon, and others.
CCPA/CPRA (California Consumer Privacy Act and California Privacy Rights Act)
What It Is
The CCPA was California’s landmark privacy law, effective since 2020. It was significantly strengthened by the CPRA (California Privacy Rights Act), which took full effect in 2023. Together, they provide California residents with substantial privacy rights – not as comprehensive as GDPR, but the strongest in the United States.
Who It Applies To
The CCPA/CPRA applies to:
- For-profit businesses that collect personal information of California residents AND meet at least one of these thresholds: annual gross revenue over $25 million (adjusted for inflation), buying, selling, or sharing the personal information of 100,000 or more consumers or households per year, or deriving 50% or more of annual revenue from selling or sharing personal information
- This captures most major companies that operate in California, which effectively means most major companies
Your Rights Under CCPA/CPRA
Right to know – You can request that a business disclose what personal information it collects about you, the sources, the purposes, and the third parties it shares with.
Right to delete – You can request deletion of your personal information. Exceptions apply for legal obligations, security, and certain business purposes.
Right to opt out of sale or sharing – You can direct a business to stop selling or sharing your personal information. Businesses must provide a “Do Not Sell or Share My Personal Information” link on their website.
Right to correct – Added by CPRA. You can request correction of inaccurate personal information.
Right to limit use of sensitive personal information – Added by CPRA. You can limit how a business uses sensitive data like Social Security numbers, financial information, precise geolocation, race, religion, and health data.
Right to non-discrimination – A business cannot discriminate against you for exercising your privacy rights (no charging more, providing worse service, or denying services).
How to Exercise CCPA/CPRA Rights
- Look for the “Do Not Sell or Share My Personal Information” link on the company’s website
- Use the company’s designated privacy request method (usually found in their privacy policy)
- The company must respond within 45 days (can be extended by another 45 days with notice)
- If the company does not comply, file a complaint with the California Attorney General or the California Privacy Protection Agency
CCPA/CPRA Enforcement
The CPRA created the California Privacy Protection Agency (CPPA), the first dedicated state privacy enforcement agency. Violations can result in fines of $2,500 per violation or $7,500 per intentional violation or violation involving consumers under 16 – and each affected consumer counts as a separate violation, so the totals can be substantial. The CPRA also removed the 30-day cure period the original CCPA gave businesses before enforcement.
DELETE Act (California’s Data Broker Deletion Law)
What It Is
The DELETE Act (SB 362), signed into law in 2023, with its deletion mechanism opening to consumers in 2026, is specifically targeted at data brokers – companies that collect and sell personal information about people who are not their direct customers. This is a significant law because data brokers are the backbone of the surveillance economy, and they have historically operated with minimal oversight.
How It Works
The DELETE Act created a centralized mechanism for Californians to request deletion of their personal information from all registered data brokers through a single request. Instead of contacting hundreds of data brokers individually, you submit one request through the CPPA’s Delete Request and Opt-out Platform (DROP), and every broker listed on the California Data Broker Registry must check the platform and process it.
Why It Matters
Before the DELETE Act, removing your personal information from data brokers was a Sisyphean task. You had to identify each broker, find their opt-out process, submit individual requests, and follow up – often repeatedly, since brokers re-acquire data. The DELETE Act does not eliminate the need for individual opt-out requests (since not all data brokers may be registered), but it provides a powerful centralized tool.
How to Use It
- Visit the CPPA’s Delete Request and Opt-out Platform (DROP), which is linked from the California Data Broker Registry
- Submit a deletion request (you will need to verify your identity and California residency)
- Registered data brokers must check the platform at least every 45 days and process your deletion within 45 days of retrieving it
- Your request stays in force: brokers must keep deleting any data they later re-acquire about you, but it is still worth checking the registry periodically and sending individual opt-outs to brokers that have not registered
Other State Privacy Laws
California is not alone. A growing number of other states have enacted comprehensive privacy laws, including:
- Virginia – Consumer Data Protection Act (VCDPA)
- Colorado – Colorado Privacy Act (CPA)
- Connecticut – Connecticut Data Privacy Act (CTDPA)
- Utah – Utah Consumer Privacy Act (UCPA)
- Texas – Texas Data Privacy and Security Act (TDPSA)
- Oregon – Oregon Consumer Privacy Act (OCPA)
- Montana, Tennessee, Indiana, Iowa – Each has enacted its own privacy law, and more states are added every year
These laws vary in scope and strength but generally provide rights similar to the CCPA, including the right to know, right to delete, right to opt out of sale, and right to correct.
No Federal Privacy Law (Yet)
As of early 2026, the United States does not have a comprehensive federal privacy law. The American Data Privacy and Protection Act (ADPPA) has been proposed but has not passed. This means your privacy rights depend significantly on where you live, with Californians having the strongest protections.
Some sector-specific federal laws exist:
- HIPAA – Protects health information held by covered entities (providers, health plans, clearinghouses) and their business associates; health data you hand to a fitness app or a consumer wearable generally falls outside it
- FERPA – Protects student education records
- COPPA – Protects children’s online privacy (under 13)
- GLBA – Protects financial information
These are important but do not provide the comprehensive data rights that GDPR or CCPA offer.
Practical Steps to Exercise Your Rights
Audit Your Data Exposure
Before exercising your rights, understand the landscape. Search for yourself online, review what data brokers have on you, and identify companies that hold your personal data. Our guide to removing your personal information provides a structured process.
Use Opt-Out Links
When you visit a website, look for “Do Not Sell or Share My Personal Information” or “Your Privacy Choices” links, usually in the footer. Click them. These are legally required under CCPA/CPRA and increasingly common on sites that serve users in states with privacy laws. You can also automate the opt-out: browsers such as Firefox, Brave, and DuckDuckGo can send the Global Privacy Control (GPC) signal with every request, and California regulators treat that signal as a valid opt-out of sale or sharing that businesses must honor, whether or not you ever click the link.
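What happens to the opt-out signal on the receiving side, as an added example that is not from the original article: under the CCPA/CPRA regulations a business must treat the Global Privacy Control (GPC) signal, which the browser sends as the HTTP request header `Sec-GPC: 1` and exposes to page scripts as `navigator.globalPrivacyControl`, as a request to opt out of sale or sharing. The code below is illustrative rather than any real site’s logic: the function names, the stored-preference values, and the sample requests are my own constructions. It shows a server-side check that honors the header alongside a preference the visitor set through the opt-out link, plus the client-side check a page script would make before loading third-party sharing pixels.

```javascript
// Added example, not code from the original article. Decides whether a visitor
// has opted out of "sale or sharing" under CCPA/CPRA by combining the Global
// Privacy Control browser signal with a preference stored when the visitor
// used the "Do Not Sell or Share" link. Function names and preference values
// are hypothetical; the sample requests at the bottom are constructed.

// Per the GPC specification only the header value "1" carries meaning.
// HTTP header names are case-insensitive, so match without regard to case.
function gpcSignalPresent(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// storedPreference is what the visitor chose through the site's own
// opt-out link: 'opt-out', 'opt-in', or undefined when no choice is recorded.
// A valid GPC signal is an opt-out request in its own right: the visitor never
// has to click the link, and a prior 'opt-in' does not cancel the signal
// (the business may tell the visitor about the conflict, but must honor it).
function optedOutOfSaleOrSharing(headers, storedPreference) {
  if (storedPreference === 'opt-out') return true;
  return gpcSignalPresent(headers);
}

// Client-side counterpart: page scripts can read the same signal and skip
// loading third-party sharing pixels. `nav` defaults to the global navigator
// when one exists (browser, or recent Node) and to undefined otherwise.
function browserSignalsGpc(nav = (typeof navigator === 'undefined' ? undefined : navigator)) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Constructed sample requests (not captured traffic).
const sampleRequests = [
  { headers: { 'Sec-GPC': '1' }, pref: undefined },       // signal only
  { headers: { 'sec-gpc': '0' }, pref: undefined },       // not a valid signal
  { headers: { accept: 'text/html' }, pref: 'opt-out' },  // link-based opt-out
  { headers: {}, pref: 'opt-in' },                        // explicit opt-in, no signal
  { headers: { 'SEC-GPC': ' 1 ' }, pref: 'opt-in' },      // signal overrides prior opt-in
];

function classifySampleRequests() {
  return sampleRequests.map((r) => optedOutOfSaleOrSharing(r.headers, r.pref));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(classifySampleRequests()); // [ true, false, true, false, true ]
}
```

The point of the fourth and fifth samples is the asymmetry the regulations impose: a stored opt-in never suppresses a GPC signal, while a stored opt-out holds even when the visitor later switches to a browser that does not send one.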
Submit Deletion Requests
For services you no longer use, submit deletion requests. Under GDPR and CCPA, companies must delete your data upon request (with limited exceptions). A personal security audit is a good time to identify accounts to delete.
Use the DELETE Act
If you are a California resident, use the centralized data broker deletion system. If you are not in California, you can still contact data brokers individually.
Manage Your Data Proactively
The best way to exercise your privacy rights is to generate less data in the first place:
- Use email aliases so your primary address is not spread across hundreds of services
- Provide minimal information when creating accounts
- Use a password manager with unique credentials for every service, so a breach at one service does not expose your credentials elsewhere
- Opt out of data collection wherever possible
The Bigger Picture
Privacy laws are tools, and like any tools, they require you to pick them up and use them. The existence of GDPR, CCPA, and the DELETE Act does not automatically protect you – it gives you the right to protect yourself.
The trend is clear: more jurisdictions are enacting privacy laws, existing laws are being strengthened, and enforcement is increasing. Companies are slowly adapting, but the pace of change depends on individuals exercising their rights. Every deletion request, every opt-out, and every data access request sends a signal that privacy matters.
Understanding these laws is not about becoming a legal expert. It is about knowing that you have rights, understanding broadly what those rights are, and being willing to exercise them. The companies collecting your data certainly understand the law – you should too.
