GDPR, CCPA, and You: What Your Rights Are Online
Two landmark privacy laws give you real rights over your personal data. Here is what GDPR and CCPA actually guarantee — and how to use those rights effectively.
The Privacy Law Landscape in 2026
You have more legal rights over your personal data than ever before. The EU's General Data Protection Regulation (GDPR), in force since May 2018, established a comprehensive framework for data rights that has become the global benchmark. The California Consumer Privacy Act (CCPA), in force since 2020 and significantly strengthened by the 2023 CPRA amendments, provides similar (though somewhat weaker) protections for California residents.
By 2026, more than 160 countries have enacted some form of data protection law, most of them influenced by GDPR. Brazil's LGPD, India's DPDP Act, Canada's CPPA, Thailand's PDPA — the global convergence toward GDPR-style protections is real. But GDPR and CCPA remain the most significant frameworks, covering two of the world's largest economies and setting enforcement precedents that influence global practice.
This guide focuses on what these laws actually give you — practically, not theoretically.
Your Rights Under GDPR
GDPR applies to you if you are in the EU or EEA at the time data is collected, regardless of where the collecting company is based. That means GDPR applies to American, Chinese, and Indian companies when they process the data of EU residents. Post-Brexit UK has its own UK GDPR, which is nearly identical.
Right of Access (Article 15)
You can request a complete copy of all personal data any organisation holds about you. This includes not just your account data but all derived data — profiling information, inferred attributes, scoring models, automated decision outputs. The organisation has 30 days to respond. The copy must be provided free of charge.
In practice, access requests reveal how much data companies hold. One German journalist famously received 800 pages of data from a ride-sharing app after a single access request, including every trip, every location ping, every driver rating, and a complete log of app opens.
Right to Erasure — "The Right to Be Forgotten" (Article 17)
You can demand that an organisation delete all your personal data if:
- The data is no longer necessary for the purpose it was collected
- You withdraw consent and there is no other lawful basis for processing
- You object to processing and there are no overriding legitimate grounds
- The data was unlawfully processed
This right has limits. Organisations can retain data for legal compliance, scientific research, or the exercise of legal claims. But for most commercial processing — advertising, analytics, profiling — erasure requests must be honoured.
Right to Rectification (Article 16)
If an organisation holds inaccurate data about you, you can demand it be corrected. If data is incomplete, you can request it be completed. The 30-day deadline applies.
Right to Data Portability (Article 20)
Where processing is based on consent or contract and carried out by automated means, you can request your data in a structured, machine-readable format (typically JSON or CSV). You can then transfer it to another service provider. This is particularly relevant for social media, health apps, and financial services.
Right to Object (Article 21)
You can object to processing based on legitimate interests — the most commonly used lawful basis by advertising companies. Once you object, the organisation must stop processing unless it can demonstrate compelling legitimate grounds that override your interests. You always have an absolute right to object to direct marketing.
Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects. Credit scoring, insurance pricing, job application screening — if these are fully automated, you have the right to request human review, express your point of view, and contest the decision.
Your Rights Under CCPA/CPRA
CCPA protects California residents and applies to businesses that meet any of these thresholds: annual revenue over $25 million, processing the data of 100,000 or more consumers or households, or deriving 50% or more of revenue from selling personal information.
Right to Know
You can request disclosure of: what categories of personal information are collected, the sources, the business purpose, the categories of third parties the data is shared with, and the specific pieces of information collected about you. Unlike GDPR, CCPA limits disclosure to data collected in the 12 months before the request.
Right to Delete
Similar to GDPR's right to erasure, but with more exceptions. Businesses can retain data for completing transactions, security purposes, legal compliance, research, and "internal uses reasonably aligned with consumer expectations." These exceptions are broader than GDPR, which is why CCPA is generally considered weaker.
Right to Opt Out of Sale/Sharing
Businesses must provide a "Do Not Sell or Share My Personal Information" link on their homepage. Clicking it means the business cannot sell your data or share it for cross-context behavioural advertising. This is CCPA's most powerful provision because you can act on it directly, without going through a complaint process with a regulator or other third party.
Right to Correct
Added by the CPRA amendments: you can request correction of inaccurate personal information.
Right to Limit Use of Sensitive Personal Information
The CPRA created a special category for sensitive data — Social Security numbers, financial account information, health data, racial/ethnic origin, religious beliefs, sexual orientation, and precise geolocation. You can limit the use of this data to what is necessary to provide the service you requested.
How to Exercise Your Rights Effectively
Making a GDPR Request
Most large companies have a privacy centre or data subject request portal. Search for "[company name] privacy centre" or "[company name] GDPR request". Alternatively, email the company's Data Protection Officer; GDPR requires the DPO's contact details to be published. Your email should state clearly: "This is a Subject Access Request under Article 15 of the GDPR" and specify what data you want.
If the company fails to respond within 30 days, you can file a complaint with your national data protection authority. In the UK, this is the ICO (ico.org.uk). In Germany, it is the federal or state DPA. In Ireland, it is the DPC. Complaints are free. Authorities take them seriously — GDPR fines can reach €20 million or 4% of global annual revenue, whichever is higher.
Making a CCPA Request
California businesses must provide at least two methods for submitting requests: a toll-free phone number and a web form. Look for "Your California Privacy Rights" links in website footers. Businesses have 45 days to respond (extendable to 90 days with notice).
When Companies Refuse
Unjustified refusals are violations. Document everything and file complaints. The California Privacy Protection Agency (CPPA) has subpoena power and civil penalty authority. The FTC also has jurisdiction over deceptive privacy practices. GDPR DPAs have issued multi-billion euro fines against Google, Meta, and Amazon.
The Gap Between Rights and Reality
Legal rights are only as good as their enforcement. Most tracking and data collection happens without your awareness, by companies you have never heard of, in jurisdictions where enforcement is weak. Your rights under GDPR and CCPA apply to the data brokers, analytics companies, and advertising networks — but exercising those rights requires knowing who they are, which requires awareness in the first place.
This is where tools matter. PrivacyGuard's tracker blocking prevents the data collection before it happens, making legal requests about already-collected data less necessary. The Privacy Scanner shows you which third-party companies are present on each site you visit, so you know who to send requests to if you want to exercise your erasure rights.
Your rights are real. Use them. And use tools that reinforce them technically, not just legally.