Get organizations to delete your account or send you a copy of your personal data.

There are currently two main regulations protecting individual privacy online. The General Data Protection Regulations, or GDPR protects Europian Union residents, and the California Consumer Privacy Act, or CCPA protects California residents.

The General Data Protection Regulations, or GDPR for short, is a new regulation introduced in the European Union in May 2018. It protects the fundamental right of people to the protection of personal data.

Read the regulation

The GDPR applies to:

• Organizations established within the EU who collect or process personal data (even of people located outside the EU)

• Organizations established outside the EU collecting or processing personal information while providing goods or services (paid or for free) to people located within the EU

• Organizations established outside the EU collecting or processing personal information while engaged in the monitoring of the behavior of people while they are in the EU

The GDPR does not apply to certain activities including law enforcement, national security, and purely for personal / household activities.

Find out more

The California Consumer Privacy Act, or CCPA for short, is a new regulation introduced in California in January 2020. It protects the fundamental right of people to the protection of their personal data and privacy online.

Read the regulation

The CCPA applies to organizations that collect consumers’ personal information, or on behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:

• Has annual gross revenues in excess of twenty-five million dollars ($25,000,000)

• Annually buys, receives, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices

• Derives 50 percent or more of its annual revenues from selling consumers’ personal information

Under the GDPR:

Any information relating to a person which can be directly or indirectly used to identify them. A person can be identified in a wide range of ways including name, identification number, location data or other online identifiers.

Find out more

Under the CCPA:

Personal information is anything that identifies, relates to, describes, or is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Read the definition

Under the GDPR:

The right to erasure is not absolute, and concerns data processing where consent is the legal basis for the processing. For example, data needed due to a contract, or data which is in the public interest does not fall under this definition. More specifically, the right only applies in the following circumstances:

• The organization no longer needs your data. Example: after you have cancelled your gym membership, it no longer needs to keep details of your name, address, age and health conditions.

• You initially consented to the use of your data, but have now withdrawn your consent. Example: you agreed to take part in a market-research study and now no longer wish to do so.

• You have objected to the use of your data, and your interests outweigh those of the organization using it.

• The organization has collected or used your data unlawfully. Example: it hasn’t complied with the rules on data protection.

• The organization has a legal obligation to erase your data.

• The data was collected from you as a child for an online service. Example: social media or a gaming app. The law gives children special protection because they may be less aware of the risks and consequences of giving their data to organizations. Even if you are now an adult, you have a right to have your data erased if it was collected from you as a child.

Find out more

There are certain circumstances where an organization is legally permitted to refuse to erase your data.

Under the GDPR:

• When keeping your data is necessary for reasons of freedom of expression and information (this includes journalism and academic, artistic and literary purposes).

• When the organization is legally obliged to keep hold of your data.

• When keeping hold of your data is necessary for reasons of public health.

• When keeping your data is necessary for establishing, exercising or defending legal claims.

• When erasing your data would prejudice scientific or historical research, or archiving that is in the public interest.

• If, having considered your request, the organization decides it does not need to erase your data, it must still respond to you. It should explain to you why it believes it does not have to erase your data, and let you know about your right to complain about this decision to the ICO, or through the courts.

The organization can also refuse your request if it is, as the law states, “manifestly unfounded or excessive”.

Find out more

Under the CCPA:

• Free speech or another right provided by law.

• Processing for research purposes, if the deletion of personal information would render impossible or seriously impair the achievement of such research.

• Processing of that personal information is necessary to protect against illegal activity or prosecute those responsible for the activity.

• For complying with a legal obligation.

• To perform a contract between the business and the consumer.

• Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity.

• Debug to identify and repair errors that impair existing intended functionality.

• To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.

• Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

Find out more

Under the GDPR:

An organization has one month to comply with a request. The deadline can be extended to 2 additional months taking into account the complexity and number of requests. In any case, the organization must inform you of such extension within one month from the receipt of the request.

Under the CCPA:

The deadline to respond to a request is 45 days from the receipt of the consumer’s request. The deadline can be extended an additional 45 days when reasonably necessary, if the consumer is informed within the first 45 days.

Under the GDPR:

If you are unhappy with how the organization has handled your request, you should first complain to it. Having done so, if you remain dissatisfied you can make a complaint to the local Data Protection Authorities (DPA). You can also seek to enforce your rights through the courts. If you decide to do this, we strongly advise you to seek independent legal advice first. You can download a list of DPAs here (PDF).

Under the CCPA:

If you are unhappy with how an organization has handled your request, you should first complain to it. Having done so, if you remain dissatisfied you have two options. Complain to the Attorney General or take private action.

Under the GDPR:

Organizations can be fined up to 4% of annual global turnover for breaching GDPR or 20 Million Euro.

Find out more.

Under the CCPA:

The penalty for an intentional violation of the CCPA is $7,500 per incident, and for an unintentional violation $2,500 per incident. Consumers are entitled to between $100-$750 in compensation per incident or actual damages, whichever is greater, if a company did not take reasonable security measures in the event of a breach of sensitive personal information.

Find out more.

Under the GDPR:

The Data Protection Office (DPO), although the legislation states that organizations should train staff to recognize GDPR requests no matter who they reach or in which format.

Under the CCPA:

The CCPA does not define who specifically within an organization is responsible for this.

To fix this issue you will need to configure a default email client on your system. Here are instructions on how to do this on Mac and Windows.