Your Privacy Rights in 2026: What GDPR, CCPA, and Other Laws Actually Mean for You

You have legal rights over your personal data — rights that most people never exercise because they don't know they exist. Here's a practical guide to what privacy laws like GDPR and CCPA actually let you do, and how to use them.


There's a good chance you have legal rights over your personal data that you've never used. Rights that companies are legally required to respect. Rights that let you demand to know exactly what data a company has collected about you, require them to delete it, and prevent them from selling it.

These rights exist because of privacy laws that have been enacted around the world over the past decade. But most people either don't know these laws exist, don't understand what they entitle them to, or assume the process of exercising them is too complicated to bother with.

It's not. And in 2026, with the expansion of state-level privacy laws in the US and the continued enforcement of GDPR in Europe, your rights are stronger and more actionable than ever.

Here's what you actually have the power to do — and how to do it.

GDPR: The European Standard That Set the Bar

The General Data Protection Regulation, which took effect in May 2018, is the most comprehensive data privacy law in the world. It applies to any company that processes the personal data of people located in the European Economic Area — regardless of where the company itself is based.

This means if you're in Europe, GDPR applies to how Google, Facebook, Amazon, and every other company handles your data, even though they're American companies. The law also applies to small businesses, local shops with websites, and any entity that collects personal data.

Your Rights Under GDPR

Right to Access (Article 15). You can request a copy of all personal data a company holds about you. They must provide it within one month, free of charge.

Right to Rectification (Article 16). If data about you is inaccurate, you can demand correction.

Right to Erasure / "Right to Be Forgotten" (Article 17). You can request that a company delete your personal data. There are exceptions (legal obligations, public interest), but for most commercial data collection, companies must comply.

Right to Restrict Processing (Article 18). You can tell a company to stop using your data while a dispute is being resolved.

Right to Data Portability (Article 20). You can request your data in a machine-readable format so you can transfer it to another service.

Right to Object (Article 21). You can object to your data being used for direct marketing. The company must stop immediately — no exceptions.

How to Exercise GDPR Rights

Most companies subject to GDPR have a dedicated privacy contact or a data protection officer. You can usually find this through their privacy policy page.

Send a written request (email is fine) identifying yourself, specifying which right you're exercising, and what data or action you're requesting. The company has 30 days to respond. If they don't respond or refuse without valid justification, you can file a complaint with your country's data protection authority — which has the power to impose significant fines.

Template: "Under Article [15/17/21] of the GDPR, I am requesting [access to / deletion of / cessation of processing of] all personal data you hold relating to me. My account email is [email]. Please respond within the statutory 30-day period."

CCPA / CPRA: California's Privacy Framework

The California Consumer Privacy Act (2020) and its amendment, the California Privacy Rights Act (2023), give California residents specific data rights. While state-level, CCPA/CPRA has had national impact because many companies apply California-level protections to all US users rather than building separate systems.

Your Rights Under CCPA/CPRA

Right to Know. You can request what categories of personal data a business has collected about you, the sources, the purposes, and what third parties it's been shared with.

Right to Delete. You can request deletion of your personal data.

Right to Opt Out of Sale or Sharing. If a business sells your personal data or shares it for cross-context behavioral advertising, you can opt out. Businesses must provide a "Do Not Sell or Share My Personal Information" link on their website.

Right to Correct. You can request correction of inaccurate personal information.

Right to Limit Use of Sensitive Information. You can limit how businesses use sensitive data like Social Security numbers, precise geolocation, and biometric data.

How to Exercise CCPA Rights

Look for the "Do Not Sell or Share My Personal Information" link in the footer of any website. For access or deletion requests, most companies provide an online form or designated email address in their privacy policy.

Businesses must respond within 45 days. You don't need to be a lawyer — the request can be a simple email.

US State Privacy Laws: The Growing Patchwork

California isn't alone. As of 2026, numerous states have enacted comprehensive privacy laws, including Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Hampshire, New Jersey, Nebraska, Minnesota, Maryland, and others with laws in various stages of implementation.

Most follow a similar framework: right to access, right to delete, right to opt out of targeted advertising, right to correct. The specific thresholds (which businesses are covered) and enforcement mechanisms vary.

For US residents outside California, check whether your state has a privacy law. The IAPP US State Privacy Legislation Tracker maintains a current list.

Practical Steps to Exercise Your Rights Today

1. Start With the Biggest Data Holders

You don't need to send requests to every website you've ever visited. Start with the companies that have the most data about you:

Google: myaccount.google.com/data-and-privacy — download your data, delete activity, manage ad personalization.

Facebook/Meta: Settings → Your Information → Download Your Information, or submit a deletion request through Settings → Your Information → Deactivation and Deletion.

Amazon: Request your data through the "Request My Data" option in your account settings.

Data brokers: We covered this in detail in our data broker removal guide.

2. Use the Opt-Out Links

Visit the websites of companies you interact with frequently and look for "Do Not Sell or Share My Personal Information" or "Your Privacy Choices" links, typically in the website footer. Click through and submit the opt-out. This is legally required for covered businesses.

3. Submit Data Deletion Requests

For services you no longer use, submit deletion requests rather than just abandoning your account. An abandoned account with your personal data is a liability — it can be breached, sold, or exposed.

Use JustDelete.me to find direct links to account deletion pages.

4. Global Privacy Control (GPC)

Global Privacy Control is a browser setting that automatically signals to every website you visit that you don't want your data sold or shared. Under CCPA and several other state laws, websites are legally required to honor this signal.

Firefox and Brave support GPC natively. Chrome users can enable it through extensions. Turn it on once and it works on every website going forward.
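
What the signal looks like from the website's side, as an added example that is not part of the original article: a browser with GPC enabled sends the request header Sec-GPC: 1 (per the GPC specification), and the site checks for it before loading anything that sells or shares data. The function names, the account record, and the tag list are hypothetical, and the sample data is constructed.

```javascript
// Added example: honoring the Global Privacy Control signal on the server.
// Per the GPC specification, only the header value "1" is a valid signal;
// a missing header or any other value means no preference was expressed.

// Returns true only when the request carries a valid GPC signal.
function hasGpcSignal(headers) {
  // HTTP header names are case-insensitive, so normalise before comparing.
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Hypothetical policy: the browser signal and a stored account opt-out are
// both honored; either one is enough to block sale or sharing.
function resolveSharing(headers, account) {
  if (hasGpcSignal(headers)) {
    return { allowSaleOrSharing: false, reason: 'gpc-signal' };
  }
  if (account && account.optedOut) {
    return { allowSaleOrSharing: false, reason: 'stored-opt-out' };
  }
  return { allowSaleOrSharing: true, reason: 'no-opt-out' };
}

// Drops every tag that shares data with third parties when sharing is blocked.
function selectTags(tags, decision) {
  return tags
    .filter((tag) => decision.allowSaleOrSharing || !tag.sharesData)
    .map((tag) => tag.name);
}

// Constructed sample data: page tags and two incoming requests.
const SAMPLE_TAGS = [
  { name: 'first-party-analytics', sharesData: false },
  { name: 'ad-network-pixel', sharesData: true },
];
const REQUEST_WITH_GPC = { 'Sec-GPC': '1', 'User-Agent': 'ExampleBrowser' };
const REQUEST_WITHOUT_GPC = { 'User-Agent': 'ExampleBrowser' };

function demo() {
  return {
    withGpc: selectTags(SAMPLE_TAGS, resolveSharing(REQUEST_WITH_GPC, null)),
    withoutGpc: selectTags(SAMPLE_TAGS, resolveSharing(REQUEST_WITHOUT_GPC, null)),
  };
}
```

In the browser, the same preference is readable from page scripts as navigator.globalPrivacyControl, which is a quick way to confirm that the setting is switched on.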

The Limits of Privacy Laws

I want to be honest about what these laws can and can't do.

Privacy laws give you rights over data that companies collect directly from you. They're less effective at controlling data that's been aggregated, derived, or purchased from third parties. A data broker who bought your information from a loyalty card program may have different obligations than the company that collected it directly.

Enforcement is uneven. GDPR has resulted in billions in fines against major companies. US state laws are newer and enforcement is still ramping up. Not every complaint results in action.

Companies sometimes make exercising your rights deliberately inconvenient — requiring multiple verification steps, imposing long processing times, or making the request forms hard to find. This is a dark pattern, and regulators are increasingly cracking down on it, but it remains a friction point.

And perhaps most importantly: exercising your rights today doesn't prevent future data collection. It's a continuous process, not a one-time fix. That's why combining legal rights with technical protections — privacy browsers, ad blockers, email aliases, encrypted services — gives you the strongest overall position.

Your Data, Your Rights

The most important takeaway from this article is simple: you have rights. Legal, enforceable rights over your personal data. Rights that companies must respect.

Most people never exercise these rights because they don't know they exist or assume the process is too complicated. It's not. A simple email is often enough.

Start with one company today. Download your data from Google. Submit a deletion request for an old account. Click the "Do Not Sell" link on a website you visit regularly. Enable Global Privacy Control in your browser.

Each action is small. Together, they reclaim a meaningful degree of control over your digital life.

The laws are on your side. Use them.


Written by

Adhen Prasetiyo

Research Bug bounty Professional, freelance at HackerOne, Intigriti, and Bugcrowd.
