Your Privacy Rights by Jurisdiction
Taking Your Data Back
Privacy rights vary dramatically depending on where you are. This topic maps the key frameworks — UK GDPR, EU GDPR, California CCPA/CPRA, and the broader US patchwork — explaining what each provides and where they differ. The aim is to help readers understand what the law says, not to give personalised legal advice.
Learning Material
4 pagesWhy Jurisdiction Determines Your Rights
One of the more counterintuitive features of modern privacy law is that the rights you hold depend almost entirely on where you happen to be — not on any universal standard, and not primarily on where the companies holding your data are located. A person in Germany, a person in California, and a person in Texas can interact with the same website, consent to the same privacy policy, and have dramatically different legal protections once their data has been collected. Understanding these differences is not a technical nicety: it is the foundation for understanding what any privacy right actually means.
This topic maps the principal frameworks in force as of 2026. It covers:
- UK GDPR: The UK's retained version of EU GDPR, in force since Brexit, administered by the Information Commissioner's Office (ICO).
- EU GDPR: The General Data Protection Regulation, in force across all EU member states since May 2018, enforced by national data protection authorities coordinated through the European Data Protection Board (EDPB).
- California CCPA/CPRA: The California Consumer Privacy Act (2018), strengthened by the California Privacy Rights Act (2020, operative 2023), enforced by the California Privacy Protection Agency.
- US state patchwork: The growing collection of state-level privacy laws in Virginia, Colorado, Texas, Florida, and elsewhere, in the absence of comprehensive federal legislation.
- Other Anglosphere frameworks: Canada's PIPEDA and its proposed successor Bill C-27; Australia's Privacy Act.
A critical baseline fact: as of 2026, the United States has no comprehensive federal privacy law governing personal data across sectors. This is not a temporary gap — multiple attempts at federal legislation have failed to pass, and the current landscape remains one of sector-specific federal laws (health, financial, children's data) supplemented by a growing but uneven patchwork of state laws.
A note on scope
This topic describes what these legal frameworks say. It is not legal advice, and the law in this area changes frequently. For questions about how these frameworks apply to specific situations, the appropriate sources are the relevant supervisory authorities (the ICO in the UK, national DPAs in the EU, the CPPA in California), or qualified legal counsel.