Most people assume they have no control over what companies do with their personal data. In reality, a growing number of laws around the world give you significant rights — the right to know what data is collected about you, to have it deleted, and to stop it from being sold. The problem is that most people do not know these rights exist or how to use them.
This guide breaks down the most important data protection laws in plain language, explains what they mean for you as an everyday person, and shows you how to actually exercise the rights they grant you.
Why Data Protection Laws Exist
For years, companies collected personal data with very few restrictions. Your browsing habits, purchase history, location data, contacts, health information, and even biometric data were harvested, stored, sold, and shared — often without your meaningful knowledge or consent. The "I agree" button on a 30-page privacy policy was considered sufficient permission.
Data protection laws were created to rebalance this relationship. They establish that your personal data belongs to you, not to the companies that collect it. These laws set rules for how organisations must handle personal data and give you enforceable rights to control your own information.
The rise of these laws reflects a fundamental shift in thinking: privacy is not a privilege — it is a right. And that right needs legal backing to be meaningful in a world dominated by data-driven business models.
GDPR — The Gold Standard
The General Data Protection Regulation (GDPR) is a European Union law that came into effect on 25 May 2018. It is widely considered the most comprehensive data protection law in the world, and it has influenced legislation in dozens of other countries. Even if you do not live in the EU, GDPR matters to you — it applies to any company that processes the personal data of people in the EU, regardless of where the company is based. This means most major global companies comply with GDPR standards.
What Counts as Personal Data Under GDPR
GDPR defines personal data very broadly. It includes any information that can identify you, directly or indirectly. This means:
- Obvious identifiers — your name, email address, phone number, home address, date of birth, national ID number
- Digital identifiers — your IP address, cookie data, device IDs, advertising IDs, browser fingerprints
- Behavioural data — your browsing history, purchase history, search queries, location data, app usage patterns
- Sensitive data (special category) — health information, biometric data, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, trade union membership
This broad definition is important because it means companies cannot claim that tracking cookies or IP addresses are "not personal data." Under GDPR, they are.
Your Rights Under GDPR
GDPR grants you eight fundamental rights over your personal data. These are not suggestions — they are legally enforceable, and companies face significant fines for failing to comply.
1. Right to Be Informed
Companies must tell you clearly and in plain language what data they collect, why they collect it, how long they keep it, and who they share it with. This is why you see privacy notices and cookie banners on websites. The information must be provided at the time your data is collected, not buried in a document you will never find.
2. Right of Access (Subject Access Request)
You have the right to ask any company whether they hold personal data about you and, if so, to receive a copy of that data. This is called a Subject Access Request (SAR). Companies must respond within one month and provide the data free of charge. Many major platforms (Google, Facebook, Amazon, Apple) have self-service data download tools that let you do this instantly.
What this means for you: You can find out exactly what data a company holds about you. The results are often eye-opening — many people are surprised by how much is stored, including data they did not consciously provide.
3. Right to Rectification
If a company holds inaccurate or incomplete personal data about you, you have the right to have it corrected. This is straightforward but important — incorrect data can affect credit decisions, insurance, employment, and more.
4. Right to Erasure (Right to Be Forgotten)
You can request that a company delete your personal data. This right applies when the data is no longer necessary for its original purpose, you withdraw your consent, the data was processed unlawfully, or there is no legitimate reason to keep it.
What this means for you: When you close an account or stop using a service, you can demand that your data is actually deleted — not just hidden. Companies must comply unless they have a legal obligation to retain the data (such as financial records required for tax purposes).
5. Right to Restrict Processing
You can ask a company to stop using your data while a dispute is resolved — for example, if you have requested correction and are waiting for them to verify your claim. During restriction, the company can store the data but not process it further.
6. Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transfer it to another service. This prevents vendor lock-in and recognises that your data should move with you.
What this means for you: If you want to switch from one email provider, social media platform, or cloud service to another, you can take your data with you rather than starting from scratch.
7. Right to Object
You can object to the processing of your personal data for specific purposes, including direct marketing and profiling. Companies must stop processing your data for those purposes unless they can demonstrate compelling legitimate grounds.
What this means for you: You can tell any company to stop using your data for marketing. When it comes to direct marketing specifically, the right to object is absolute — the company cannot refuse.
8. Rights Related to Automated Decision-Making
You have the right not to be subject to decisions made entirely by automated systems (including AI and algorithms) that significantly affect you — such as automated credit scoring, job application screening, or insurance pricing. You can request human review of any such decision.
Consent Under GDPR
GDPR fundamentally changed how consent works. Companies can no longer bury consent in dense terms and conditions or use pre-ticked boxes. Valid consent under GDPR must be:
- Freely given — you must have a genuine choice, and refusing consent cannot result in being denied a service (unless the data is strictly necessary for that service)
- Specific — consent must be given for each distinct purpose, not as a blanket approval
- Informed — you must clearly understand what you are consenting to
- Unambiguous — consent requires a clear affirmative action (opt-in), not silence or inaction
- Withdrawable — you must be able to withdraw consent as easily as you gave it
This is why you now see detailed cookie consent banners with options to accept or reject different categories of cookies. Those banners exist because of GDPR.
GDPR Enforcement and Fines
GDPR has real teeth. Companies that violate it face fines of up to 4% of their annual global turnover or 20 million euros, whichever is higher. Major fines have been issued to some of the world's largest companies:
- Meta (Facebook/Instagram) — fined 1.2 billion euros for transferring EU user data to the US without adequate safeguards
- Amazon — fined 746 million euros for advertising targeting practices
- Google — fined multiple times, including 50 million euros for lack of transparency in data processing
- TikTok — fined 345 million euros for failing to protect children's data
These fines demonstrate that GDPR is actively enforced and that even the largest corporations are held accountable.
CCPA and CPRA — California's Data Protection
The California Consumer Privacy Act (CCPA), effective since January 2020 and strengthened by the California Privacy Rights Act (CPRA) in 2023, is the most comprehensive data protection law in the United States. While it applies specifically to California residents, its reach extends much further — most major US companies apply CCPA standards to all their US users rather than maintaining separate systems.
Your Rights Under CCPA/CPRA
- Right to know — You can request that a company disclose what personal information it has collected about you, where it came from, what it is used for, and who it has been shared with or sold to.
- Right to delete — You can request deletion of your personal information, with some exceptions (such as data needed to complete a transaction or comply with legal obligations).
- Right to opt out of sale or sharing — You can direct a company to stop selling or sharing your personal information. This is why many US websites now display a "Do Not Sell or Share My Personal Information" link.
- Right to correct — Added by CPRA, you can request correction of inaccurate personal information.
- Right to limit use of sensitive information — Added by CPRA, you can restrict how companies use sensitive data such as precise geolocation, race, health information, and financial data.
- Right to non-discrimination — Companies cannot penalise you for exercising your privacy rights by charging higher prices, providing lower quality service, or denying you service.
How CCPA Differs from GDPR
While both laws protect personal data, there are key differences:
- Consent model: GDPR requires opt-in consent before collecting data. CCPA uses an opt-out model — companies can collect data by default, but you can tell them to stop selling it.
- Scope: GDPR applies to all organisations processing EU residents' data. CCPA applies only to businesses that meet certain revenue or data volume thresholds.
- Private right of action: Under CCPA, you can sue companies directly if your data is exposed in a breach due to their negligence. Under GDPR, enforcement is primarily through regulatory authorities.
Other Important Data Protection Laws
GDPR and CCPA are the most prominent, but data protection laws are spreading rapidly around the world. Here are other significant laws you should know about:
UK GDPR and Data Protection Act 2018
After Brexit, the UK adopted its own version of GDPR (UK GDPR) alongside the Data Protection Act 2018. The rights and obligations are essentially the same as EU GDPR, ensuring continuity of protection for UK residents. The Information Commissioner's Office (ICO) is the UK's supervisory authority and actively enforces these rules.
LGPD — Brazil
Brazil's Lei Geral de Proteção de Dados (LGPD), effective since 2020, is closely modelled on GDPR. It grants Brazilian citizens rights to access, correct, delete, and port their personal data. It applies to any organisation that processes the data of people in Brazil, regardless of where the organisation is located.
POPIA — South Africa
South Africa's Protection of Personal Information Act (POPIA), fully effective since 2021, establishes similar principles of lawful data processing, purpose limitation, and data subject rights. It is enforced by the Information Regulator.
PIPEDA — Canada
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) governs how private-sector organisations collect, use, and disclose personal information. It is built around ten fair information principles and gives Canadians the right to access and challenge the accuracy of their personal data.
PDPA — Various Asian Countries
Several Asian countries have enacted their own data protection laws, including Singapore's Personal Data Protection Act, Thailand's PDPA, and India's Digital Personal Data Protection Act (DPDPA) of 2023. While the specifics vary, they share common themes: consent requirements, purpose limitation, data subject rights, and penalties for non-compliance.
US State Laws Beyond California
While the US lacks a comprehensive federal privacy law, a growing number of states have passed their own legislation. Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and others have enacted consumer privacy laws with similar rights to know, delete, correct, and opt out of data sales. More states pass privacy laws every year, so the patchwork of protection for US residents keeps expanding and its gaps keep shrinking.
What This Means for You in Practice
Understanding these laws is useful, but what really matters is knowing how to use them. Here is what data protection laws mean for your everyday digital life:
You Can Say No
When a website asks you to accept cookies, you have the right to decline non-essential ones. When a company asks for consent to use your data for marketing, you can refuse. When an app asks for permissions it does not need, you can deny them. These are not just good habits — they are legally protected choices.
You Can Ask What They Know
You have the legal right to ask any company what personal data they hold about you. Under GDPR, this is called a Subject Access Request. Under CCPA, it is a Right to Know request. Most major companies now have online portals or forms for this. The process is usually straightforward: submit a request, verify your identity, and receive your data within 30 days (GDPR) or 45 days (CCPA).
You Can Demand Deletion
If you no longer use a service, you can request that the company deletes your personal data — not just deactivates your account, but actually removes your information from their systems. This is your right under both GDPR (Right to Erasure) and CCPA (Right to Delete).
You Can Stop the Sale of Your Data
Under CCPA, you can tell companies to stop selling your personal information. Look for the "Do Not Sell or Share My Personal Information" link, typically found in the footer of US websites. Under GDPR, the sale of your data generally requires your explicit consent in the first place.
You Can Report Violations
If a company violates your data protection rights, you can file a complaint with the relevant supervisory authority. In the EU, each country has a Data Protection Authority (DPA). In the UK, it is the ICO. In California, it is the California Privacy Protection Agency (CPPA). These complaints are taken seriously and can trigger investigations.
How to Exercise Your Rights — Step by Step
Here is a practical guide to using your data protection rights:
Step 1: Identify What You Want
Decide what you are asking for: Do you want to see what data a company holds? Have your data deleted? Stop your data from being sold? Correct inaccurate information? Being specific makes the process faster.
Step 2: Find the Right Channel
Look for a privacy settings page, a "Your Privacy Rights" link in the website footer, or a dedicated email address (often privacy@company.com or dpo@company.com). Many large companies have self-service privacy dashboards where you can download or delete your data directly.
Step 3: Submit Your Request
State your request clearly. Mention the specific law you are invoking (GDPR, CCPA, etc.) and what right you are exercising. You do not need legal language — a clear, plain-English request is sufficient. For example: "Under GDPR Article 17, I request the erasure of all personal data you hold about me."
Step 4: Verify Your Identity
The company will need to verify that you are who you say you are before acting on your request. This typically involves confirming your email address or providing identifying details that match their records.
Step 5: Follow Up
Companies must respond within the legally mandated timeframe — 30 days under GDPR, 45 days under CCPA. If they do not respond or refuse your request without valid justification, you can escalate to the relevant supervisory authority.
Common Misconceptions
- "These laws only apply if I live in the EU or California." — Not entirely true. GDPR applies to any company that processes EU residents' data, which means most global companies comply with it worldwide. Many countries now have their own similar laws. And in the US, more states are passing privacy legislation every year.
- "Clicking Accept on a cookie banner means I have given up my rights." — No. You can withdraw consent at any time. Most websites allow you to change your cookie preferences after initially accepting them. And accepting cookies does not affect your other rights like access, deletion, or objecting to processing.
- "These laws are only useful if you want to sue a company." — The most valuable aspect of these laws is not lawsuits — it is the everyday rights they give you. Requesting data downloads, demanding deletion, opting out of data sales, and filing complaints are all practical actions that do not require a lawyer.
- "Small companies do not have to follow these rules." — GDPR applies to any organisation that processes personal data, regardless of size. CCPA has revenue thresholds, but even smaller companies are subject to general consumer protection laws and increasingly to state-level privacy legislation.
- "If a company is not based in my country, they do not have to comply." — Most data protection laws apply based on where the data subject (you) is located, not where the company is based. If a company offers goods or services to people in the EU, GDPR applies to them regardless of where they are headquartered.
The Bigger Picture
Data protection laws represent a growing global consensus that people deserve control over their personal information. The trend is clear: more countries are adopting stronger protections, existing laws are being strengthened, and enforcement is increasing. Companies that once treated personal data as a free resource are now facing real accountability.
But laws alone are not enough. They work best when people understand and use the rights they provide. Every time you reject unnecessary cookies, request a data download, demand deletion of old accounts, or opt out of data sales, you are exercising rights that millions of people do not even know they have.
This is central to the Monzign Foundation's mission: your digital life should be shaped by your design, not by companies that profit from your data. Understanding your legal rights is a powerful step toward that goal.
Next Steps
Now that you understand the legal framework protecting your data, put it into practice. Visit our Privacy Settings guide for step-by-step instructions on configuring your privacy across browsers, social media, and apps. Or explore Digital Footprint to understand the trail you leave online and how to manage it.