
For most of the internet’s history, companies could collect, use, and sell personal data with few legal restrictions. That’s changed in recent years as governments have enacted significant privacy laws. Understanding these laws helps you exercise your rights and recognize when companies aren’t respecting them.
Why Privacy Laws Matter
Privacy laws give individuals specific rights regarding personal data and impose obligations on organizations that collect it. They:
Establish baseline protections regardless of company policies
Provide enforcement mechanisms (fines, lawsuits)
Create incentives for better privacy practices
Give individuals tools to control their data
Enable cross-border privacy frameworks
The European GDPR
The General Data Protection Regulation (GDPR) took effect in 2018 and remains the most influential global privacy law. Key principles include:
Lawful basis for processing: Organizations must have legal grounds (consent, contract, legitimate interest, etc.) to process personal data
Purpose limitation: Data collected for one purpose can’t be repurposed without justification
Data minimization: Collect only what’s necessary
Accuracy: Keep personal data accurate and up to date
Storage limitation: Don’t keep data longer than necessary
Security: Protect data with appropriate safeguards
Accountability: Demonstrate compliance with these principles
Rights Under GDPR
GDPR establishes individual rights including:
Right to access: Get a copy of your data and information about how it’s processed
Right to rectification: Correct inaccurate data
Right to erasure (“right to be forgotten”): Have your data deleted in certain circumstances
Right to restrict processing: Limit how your data is used
Right to data portability: Get your data in a machine-readable format to move to another service
Right to object: Object to processing based on legitimate interest or for marketing
Rights regarding automated decisions: Not be subject to a decision based solely on automated processing (including profiling) that has legal or similarly significant effects on you, with a right to human review
GDPR Enforcement
GDPR has significant teeth:
Fines up to 4% of worldwide annual turnover or €20 million, whichever is higher, for the most serious infringements (a lower tier of 2% or €10 million applies to others)
Major fines have been issued against Amazon, Meta, Google, and others
Data Protection Authorities in each EU/EEA member state investigate complaints; for cross-border cases the authority where the company has its main establishment usually leads
Individuals can sue for compensation for material or non-material damage
The threat of large fines has driven significant changes in corporate privacy practices.
The California CCPA and CPRA
The California Consumer Privacy Act (CCPA), as amended and expanded by the California Privacy Rights Act (CPRA, in force since 2023), provides:
Right to know: What personal information businesses collect about you
Right to delete: Personal information collected from you
Right to correct: Inaccurate personal information
Right to opt out: Of sale or sharing of personal information
Right to limit: Use of sensitive personal information
Right to non-discrimination: For exercising these rights
Because of the size of California's market, many companies find it simpler to apply CCPA practices to all US customers, so the law effectively shapes practices nationwide.
Other US State Laws
Following California, several states have enacted their own privacy laws:
Virginia (VCDPA)
Colorado (CPA)
Connecticut (CTDPA)
Utah (UCPA)
Several others with varying provisions
This patchwork creates complexity but extends privacy rights to more Americans.
International Privacy Laws
Many countries have enacted privacy laws:
Brazil: LGPD (similar to GDPR)
Canada: PIPEDA
UK: UK GDPR (post-Brexit version)
South Korea: PIPA
China: PIPL
Japan: APPI
Coverage varies but global trend is toward stronger privacy protection.
Sectoral Laws in the US
The US lacks comprehensive federal privacy law but has sector-specific laws:
HIPAA: Health information, but only when held by covered entities (providers, insurers, clearinghouses) and their business associates; most consumer health and fitness apps fall outside it
FERPA: Educational records held by schools that receive federal funding
GLBA: Personal financial information held by financial institutions
COPPA: Online collection of personal information from children under 13
FCRA: Consumer reports, including credit reporting
These provide important but fragmented protections, and data that falls outside a sector's definition is often left uncovered.
How to Exercise Your Rights
To use your privacy rights:
Find the privacy policy: Most companies have specific procedures
Look for “data subject request” forms: Standard mechanism under GDPR
Submit requests in writing: Creates a record
Be specific: Identify exactly what you want
Track responses: Companies have specific timeframes (under GDPR, one month, extendable by two more for complex requests; under CCPA, 45 days, extendable by another 45)
File complaints: If companies don’t comply, contact relevant authorities
Limitations of Current Laws
Privacy laws have important gaps:
“Consent” is often manufactured through dark patterns
“Legitimate interest” is broadly interpreted
Enforcement is uneven
International transfers create jurisdictional gaps
Government surveillance often exempted
Anonymization standards are weak: data labelled "anonymized" can often be re-identified by linking it with other datasets
Laws are necessary but not sufficient for genuine privacy.
The Cookie Consent Problem
You’ve seen those cookie banners on every website. They emerged from GDPR and ePrivacy requirements but have largely become a frustrating ritual rather than meaningful consent. Many use dark patterns to push acceptance and bury rejection options.
Recent enforcement actions have targeted misleading cookie banners, but the system remains imperfect.
Privacy by Design
GDPR (Article 25) requires "data protection by design and by default", usually called privacy by design: building privacy into systems from the start rather than adding it later. This includes:
Default settings that protect privacy
Pseudonymization where possible (pseudonymized data still counts as personal data under GDPR, because it can be re-linked to a person with additional information)
Data minimization in system design
Data protection impact assessments (DPIAs) for high-risk processing
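To make the pseudonymization point concrete, here is an added example (not code from the original page) that contrasts the common mistake of "pseudonymizing" an email address with a plain SHA-256 hash against a keyed HMAC token. The records and candidate list are constructed sample data, and the key is assumed to be held separately from the dataset (for instance in a secrets manager), which is the assumption that makes the keyed version meaningful. The unkeyed hash is reversible by anyone who can enumerate plausible inputs; the keyed token is not, while still letting the analyst link records belonging to the same person.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, List, Optional

# Constructed sample records; the addresses are not real people.
RECORDS = [
    {"email": "alice@example.com", "purchase": "shoes"},
    {"email": "bob@example.com", "purchase": "book"},
    {"email": "Alice@Example.com", "purchase": "hat"},  # same person, different case
]


def normalize(email: str) -> bytes:
    """Canonicalize before hashing so one person yields one token."""
    return email.strip().lower().encode("utf-8")


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256. Anyone can recompute it, so it only 'hides' the
    value from someone who cannot guess or enumerate the input space."""
    return hashlib.sha256(normalize(email)).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Without the key, re-hashing guesses
    does not reproduce the tokens, so the table cannot be reversed that way.
    Assumption: the key lives outside the dataset and its access is logged."""
    return hmac.new(key, normalize(email), hashlib.sha256).hexdigest()


def pseudonymize(records: Iterable[dict], key: bytes) -> List[dict]:
    """Replace the direct identifier with a keyed token; keep the payload."""
    return [
        {"user": keyed_pseudonym(r["email"], key), "purchase": r["purchase"]}
        for r in records
    ]


def dictionary_attack(token: str, candidates: Iterable[str],
                      fn: Callable[[str], str]) -> Optional[str]:
    """Re-identification attempt: hash every candidate with fn and compare.
    This is all an attacker needs against an unkeyed hash."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), token):
            return candidate
    return None


def main() -> None:
    # A list of guessed addresses (constructed); in practice this would be a
    # breach dump or a customer list the attacker already holds.
    guesses = ["carol@example.com", "bob@example.com", "alice@example.com"]

    # 1. Unkeyed hash: trivially reversed.
    leaked = naive_pseudonym("alice@example.com")
    print("naive token recovered as:", dictionary_attack(leaked, guesses, naive_pseudonym))

    # 2. Keyed token: attacker without the key gets nothing.
    key = secrets.token_bytes(32)
    token = keyed_pseudonym("alice@example.com", key)
    print("keyed token recovered as:", dictionary_attack(token, guesses, naive_pseudonym))

    # 3. Linkability for the data holder is preserved: rows 0 and 2 share a token.
    out = pseudonymize(RECORDS, key)
    print("alice rows linked:", out[0]["user"] == out[2]["user"])
    print("email column removed:", all("email" not in row for row in out))


if __name__ == "__main__":
    main()
```

Two caveats worth keeping in mind: rotating the key breaks linkage across datasets tokenized under different keys (sometimes desirable, sometimes not), and a keyed token is still a pseudonym, not anonymization; whoever holds the key can re-identify every row, which is exactly why GDPR keeps treating the output as personal data.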
Why These Laws Matter to You
Even if you live where laws are weaker:
Global companies often extend GDPR rights to all users
Stronger laws elsewhere drive global improvements
Exercising your rights creates pressure for better practices
Understanding rights helps you recognize violations
For Students and Researchers
Privacy law is a rapidly evolving field with rich research opportunities in legal scholarship, policy analysis, technical compliance, and comparative law.
Understanding privacy law helps you protect your own data, contribute to better systems, and participate in policy discussions about the future of digital privacy.
