How Online Privacy Laws Are Shifting Power Back to Consumers

Fact-checked by the VisualEnews editorial team

Quick Answer

Online privacy laws are shifting meaningful control back to consumers by requiring companies to disclose data practices, honor deletion requests, and obtain explicit consent. As of July 2025, 19 U.S. states have enacted comprehensive privacy laws, and the EU’s GDPR has issued over €4.5 billion in fines since 2018 — forcing corporations to treat data protection as a legal obligation, not an option.

The online privacy laws that consumers can now invoke span an unprecedented number of jurisdictions, giving individuals the legal standing to demand transparency, portability, and deletion of their personal data. According to the IAPP’s U.S. State Privacy Legislation Tracker, 19 states have passed comprehensive consumer privacy statutes as of mid-2025, with more bills advancing through legislatures.

This matters now because data has become the world’s most valuable commercial resource — and until recently, consumers had almost no legal recourse when companies misused it.

What Rights Do Privacy Laws Actually Give Consumers?

Modern privacy laws grant consumers four core enforceable rights: access, deletion, portability, and opt-out of sale. These are not suggestions — companies that ignore them face regulatory action and substantial fines.

The EU’s General Data Protection Regulation (GDPR), enforced since May 2018, was the first major framework to codify these rights at scale. It applies to any business handling EU residents’ data, regardless of where that business is headquartered. California’s Consumer Privacy Act (CCPA), strengthened by the California Privacy Rights Act (CPRA) in 2023, mirrors many GDPR principles and covers the world’s fifth-largest economy.

Key Rights Consumers Can Exercise Today

  • Right to access: Request a copy of all personal data a company holds about you.
  • Right to deletion: Demand removal of your data, with limited exceptions.
  • Right to portability: Receive your data in a machine-readable format.
  • Right to opt out: Refuse the sale or sharing of your data with third parties.
  • Right to correct: Fix inaccurate personal information in company databases.

Understanding what companies collect about you is also tied to how you engage with digital products. Our guide on Free vs Paid Apps: What You’re Actually Giving Up When You Pay Nothing explains the data tradeoffs baked into no-cost software.

Key Takeaway: Consumers in the EU and across 19 U.S. states now hold legally enforceable rights to access, delete, and port their personal data, backed by the GDPR and state-level statutes — meaning non-compliant companies face real financial and legal consequences.

How Are Regulators Enforcing These Laws Against Companies?

Enforcement is accelerating, and the financial penalties are large enough to change corporate behavior. The GDPR alone has generated over €4.5 billion in cumulative fines since its 2018 launch, according to GDPR Enforcement Tracker.

Meta received a record €1.2 billion fine from Ireland’s Data Protection Commission in May 2023 for unlawfully transferring EU user data to U.S. servers. Amazon was fined €746 million by Luxembourg’s data authority in 2021. These are not outliers — they signal that regulators are willing to pursue the largest technology companies.

In the United States, the Federal Trade Commission (FTC) has expanded its enforcement posture under Section 5 of the FTC Act. The agency secured a $5 billion settlement with Facebook in 2019 over Cambridge Analytica-related privacy violations — still the largest consumer privacy fine in U.S. history, per the FTC’s official announcement.

“Privacy enforcement has moved from theoretical risk to a core business cost. Companies are now building compliance teams the same way they once built legal and finance departments — because the exposure is existential.”

— Caitlin Fennessy, VP and Chief Knowledge Officer, International Association of Privacy Professionals (IAPP)

Key Takeaway: Global regulators have levied over €4.5 billion in GDPR fines since 2018, with single penalties exceeding €1.2 billion against Meta, proving that enforcement is no longer symbolic — it is a material financial risk for non-compliant businesses.

How Do U.S. State Privacy Laws Compare to the GDPR?

The GDPR remains the global gold standard, but U.S. state laws are converging toward similar consumer protections — with notable gaps. The absence of a federal U.S. privacy law means consumers’ rights still vary dramatically by state.

The American Privacy Rights Act (APRA), proposed in Congress in 2024, would establish a national baseline, but it has not yet passed. In the meantime, states including Virginia, Colorado, Connecticut, Texas, and Oregon have enacted laws modeled loosely on the CCPA and GDPR framework.

| Law / Regulation | Jurisdiction | Opt-Out Right | Max Penalty (per violation) | Private Right of Action |
|---|---|---|---|---|
| GDPR | European Union | Yes (broad) | €20 million or 4% of global revenue | Yes |
| CCPA / CPRA | California | Yes | $7,500 per intentional violation | Limited (data breaches) |
| VCDPA | Virginia | Yes | $7,500 per violation | No |
| CPA | Colorado | Yes | $20,000 per violation | No |
| CTDPA | Connecticut | Yes | $5,000 per violation | No |

One practical gap: most U.S. state laws do not give consumers a private right of action for general violations — they rely on state attorneys general to prosecute. The GDPR, by contrast, allows individuals to sue directly. This structural difference means U.S. enforcement depends heavily on government resources and political will.

If you’re thinking about how your digital identity is constructed and exposed across platforms, understanding which laws protect you in your state is a critical starting point.

Key Takeaway: The GDPR allows fines up to 4% of global annual revenue and grants individuals the right to sue directly — advantages most U.S. state laws lack, though 19 states have now enacted baseline consumer protections that are narrowing the gap.

What Do Online Privacy Laws Mean for Data Brokers and Ad Tech?

Data brokers — companies that compile and sell personal profiles without a direct consumer relationship — are now in regulators’ crosshairs. The online privacy laws that consumers can use to fight back include specific data broker opt-out mechanisms in California, Oregon, and Texas.

California’s Delete Act (SB 362), signed in 2023, requires all registered data brokers to honor deletion requests submitted through a single state-run portal by January 2026. This is a landmark shift: consumers will no longer need to contact hundreds of brokers individually. The California Privacy Protection Agency (CPPA) is overseeing implementation.

The ad tech ecosystem is also restructuring. Google has faced pressure from the UK’s Competition and Markets Authority (CMA) over its Privacy Sandbox initiative, which aims to phase out third-party cookies while preserving targeted advertising. As our coverage of how AI is changing internet search explains, the shift away from cookie-based tracking is already reshaping how platforms monetize user attention.

Health data deserves special mention. Wearable devices generate some of the most sensitive personal data — biometrics, location, sleep patterns — and fall into a legal gray zone. The FTC has signaled it will apply a broad interpretation of health data protections. Readers tracking health metrics should review the privacy implications covered in our piece on how wearable technology is transforming personal health tracking.

Key Takeaway: California’s Delete Act mandates a single opt-out portal for all registered data brokers by January 2026, and the California Privacy Protection Agency is actively enforcing compliance — marking the most significant structural change to the data broker industry in U.S. history.

How Should Consumers Act on These Rights Today?

Awareness of the rights consumers hold under online privacy laws is not enough — exercising those rights requires deliberate action. Most companies bury privacy controls, but they are legally required to make them accessible.

Start with high-value targets: your email provider, social media platforms, and data brokers. Under the CCPA, California residents can submit deletion and opt-out requests directly on company websites. Non-California residents in covered states have equivalent mechanisms. The FTC’s consumer guidance on identity theft and data rights provides a practical starting framework.

Audit your digital subscriptions regularly. Many services tie personal data collection to account features — canceling unused subscriptions also reduces your data footprint. Our guide on auditing digital subscriptions to stop wasting money walks through exactly how to do this systematically.

Review app permissions on mobile devices at least twice a year. Location, microphone, and contact list access are frequently granted once and never revisited. iOS and Android both now offer per-permission audit tools in system settings.

Key Takeaway: Consumers in 19 U.S. states can submit legally binding data deletion and opt-out requests today — starting with the FTC’s consumer rights resources and each company’s privacy settings page is the fastest way to reduce your exposure.

Frequently Asked Questions

What does the GDPR actually do for consumers?

The GDPR gives EU residents the right to access, correct, delete, and port their personal data held by any company worldwide that processes EU data. It also requires explicit consent for data collection and mandates breach notifications within 72 hours. Non-compliance can trigger fines up to 4% of a company’s global annual revenue.

Does the U.S. have a federal online privacy law?

No. As of July 2025, the United States does not have a comprehensive federal consumer privacy law. The American Privacy Rights Act was proposed in 2024 but has not passed. Consumer protections currently depend on a patchwork of 19 state laws, with California’s CCPA and CPRA being the strongest.

How do I opt out of data broker sales under U.S. privacy laws?

California residents can use the state’s upcoming centralized Delete Act portal (launching January 2026) or submit individual requests directly to each data broker’s opt-out page today. Residents in Virginia, Colorado, Connecticut, and other covered states have similar opt-out rights under their respective state statutes, accessible through each company’s privacy policy page.

Are the online privacy laws consumers can use actually enforced?

Yes, enforcement is increasing. GDPR regulators have issued over €4.5 billion in fines, and the FTC secured a $5 billion settlement with Facebook in 2019. State attorneys general in California, Texas, and Colorado have also opened active investigations and enforcement actions against major technology companies.

Does app usage fall under consumer privacy law protections?

Yes, in most covered jurisdictions. Mobile apps that collect personal data from residents of covered states or EU countries must comply with applicable privacy laws. This includes disclosing what data is collected, offering opt-out mechanisms, and honoring deletion requests. Health and location data collected by apps often carry additional legal protections.

What is the California Delete Act and when does it take effect?

The California Delete Act (SB 362) requires all registered data brokers to participate in a single opt-out portal managed by the California Privacy Protection Agency. Consumers will be able to submit one request to delete their data from all participating brokers simultaneously. The portal is required to be operational by January 1, 2026.

Dana Whitfield

Staff Writer

Dana Whitfield is a personal finance writer specializing in the psychology of money, financial anxiety, and behavioral economics. With over a decade of experience covering the intersection of mental health and personal finance, her work has explored how childhood money narratives, social comparison, and financial shame shape the decisions people make every day. Dana holds a degree in psychology and has studied financial therapy frameworks to bring clinical depth to her writing. At Visual eNews, she covers Money & Mindset — helping readers understand that financial well-being starts with understanding your relationship with money, not just the numbers in your account. She believes financial advice that ignores feelings isn’t really advice at all.