Why Data Rights Laws Matter

For most of the internet's history, companies collected personal data with almost no restrictions and little obligation to tell users what they were doing with it. That started changing when the EU's General Data Protection Regulation (GDPR) came into force in 2018, followed by California's Consumer Privacy Act (CCPA) in 2020.

These laws give individuals concrete, enforceable rights over their personal data — and companies real obligations to respect them. Understanding what you're entitled to is the first step to using these rights effectively.

Who Do These Laws Cover?

GDPR applies to any organisation that processes the personal data of EU residents — regardless of where the organisation is based. If you're in the EU, GDPR protects you when interacting with companies worldwide.

CCPA (and its successor, CPRA) applies to California residents and to for-profit businesses operating in California above certain thresholds (revenue, data volume, or data-selling activity). Even if you live outside California, many companies apply CCPA-style rights broadly due to enforcement complexity.

Your Key Rights Under GDPR

  • Right to Access: Request a copy of all personal data a company holds about you (called a Subject Access Request, or SAR).
  • Right to Rectification: Ask for inaccurate data to be corrected.
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your data under certain conditions.
  • Right to Restrict Processing: Limit how a company uses your data while a dispute is resolved.
  • Right to Data Portability: Receive your data in a machine-readable format to transfer to another service.
  • Right to Object: Object to your data being used for direct marketing or profiling.
  • Right Not to Be Subject to Automated Decisions: Protection against purely automated decisions with significant legal effects.

Your Key Rights Under CCPA/CPRA

  • Right to Know: Find out what personal information is collected and how it's used or shared.
  • Right to Delete: Request deletion of your personal information (with some exceptions).
  • Right to Opt-Out of Sale/Sharing: Stop companies from selling or sharing your data with third parties.
  • Right to Correct: Request correction of inaccurate information.
  • Right to Limit Use of Sensitive Data: Restrict use of sensitive personal information (e.g. health, location, financial data).
  • Right of Non-Discrimination: Companies cannot penalise you for exercising your privacy rights.

How to Submit a Data Request

  1. Find the company's privacy policy. By law, it must explain how to submit requests. Look for a "Data Rights", "Privacy Request", or "Do Not Sell My Personal Information" link.
  2. Submit a Subject Access Request (GDPR) or Consumer Rights Request (CCPA) via the provided form or email address.
  3. Verify your identity. Companies are required to verify who you are before releasing data — this may involve providing an email address, account details, or ID in some cases.
  4. Wait for a response. GDPR requires a response within 30 days. CCPA requires 45 days (extendable by another 45 with notice).
  5. Escalate if ignored. Under GDPR, you can complain to your national Data Protection Authority (DPA). Under CCPA, complaints go to the California Privacy Protection Agency (CPPA).

Practical Tips for Exercising Your Rights

  • Keep records of all requests and responses — screenshot confirmation emails.
  • If a company doesn't have a visible request mechanism, email their Data Protection Officer (DPO) — GDPR requires companies to designate one.
  • Don't accept vague responses — companies must explain what data they hold and why they're retaining it.
  • Use tools like Mine or Jumbo Privacy to help discover and manage data requests at scale.

The Bigger Picture

Data rights laws are still evolving globally — Brazil's LGPD, India's DPDP Act, and various US state laws are expanding this landscape. The more you understand and exercise your existing rights, the more control you reclaim over your personal data in a world that profits from it.