AnonymFlow
privacy-legaliteINFO

Privacy Laws 2026: GDPR, CCPA, LGPD - Your Rights Practical Guide

The GDPR (EU), CCPA (California) and LGPD (Brazil) protect your digital privacy in 2026 - here are your concrete rights, how to exercise them against Meta, Google, Amazon, and the year's record fines.

By Eric Gerard · Editor · AnonymFlow11 min readPhoto via Unsplash

Three laws frame the personal data ecosystem in 2026 - the European GDPR (since 2018), the Californian CCPA/CPRA (2018 strengthened 2023), and the Brazilian LGPD (2020). Together, they cover ~700 million people and structure compliance of tech giants (Meta, Google, Amazon, Apple, Microsoft) across most of the Western and Latin world. Understanding which rights you can exercise, how to exercise them concretely, and what to do when a company ignores them - that's the topic of this practical 2026 guide.

EU GDPR - global standard in 2026

The General Data Protection Regulation (GDPR), in force since May 25, 2018, remains in 2026 the global reference for personal data protection. Six years after entry into force, the compliance ecosystem has matured: mandatory DPOs in any organization processing > 250 employees or sensitive data, standardized records of processing activities, impact assessments (DPIA) integrated into product processes at most EU tech companies.

Scope: 27 EU + 3 EEA countries (Norway, Iceland, Liechtenstein), covering ~450 million inhabitants. GDPR also applies to non-EU companies targeting EU residents (extraterritoriality art. 3) - that's why Meta, Google, Amazon, Microsoft apply GDPR globally to their European users.

Six fundamental rights enshrined in articles 15 to 22:

  • Right of access (art. 15): obtain a copy of all data concerning you.
  • Right to rectification (art. 16): correct inaccurate or incomplete data.
  • Right to erasure / forgotten (art. 17): have data deleted when processing is no longer justified.
  • Right to restriction (art. 18): temporarily freeze processing.
  • Right to portability (art. 20): retrieve your data in structured, commonly readable format to transfer to another provider.
  • Right to object (art. 21): refuse certain processing, especially direct marketing (absolute) or legitimate interest (conditional).

Standardized exercise procedure:

  1. Identify the data controller (the company deciding why/how your data is processed) and its DPO (Data Protection Officer).
  2. Send a written request to the DPO with: identity, nature of request, desired format.
  3. The company has 1 month to respond (extendable 2 months for complexity).
  4. In case of refusal or non-response: complaint to your national supervisory authority (CNIL France, ICO UK, AEPD Spain, Garante Italy, Datatilsynet Norway).

Record fines 2024-2026

GDPR has demonstrated its deterrent reach with record sanctions:

CompanyAmountDateAuthorityReason
Meta€1.2 BnMay 2023DPC (Ireland)Illegal US transfers post-Schrems II
Amazon€746MJuly 2021CNPD (Luxembourg)Non-consented ad targeting
TikTok€345MSeptember 2023DPC (Ireland)Minor data processing without consent
Meta€390MJanuary 2023DPC (Ireland)Legal basis for targeted advertising
Criteo€40MJune 2023CNIL (France)Third-party cookie consent
Yahoo€10MJanuary 2025CNIL (France)Cookie refusal not equivalent to accept
Google€250MMarch 2024AGCM (Italy)News Showcase and press neighboring right

2025-2026 trend: CNIL multiplies medium sanctions (€5-50M) on cookie consent - 73% of French sites were non-compliant in January 2026 per CNIL annual audit.

CCPA / CPRA California - opt-out model

The California Consumer Privacy Act (CCPA) entered into force January 1, 2020, strengthened by the California Privacy Rights Act (CPRA) on January 1, 2023. It protects California residents defined as natural persons residing in California regardless of nationality.

Fundamental difference from GDPR: CCPA follows the opt-out model by default (collection is authorized unless you object), whereas GDPR follows opt-in (prior consent required). This model reflects more permissive American legal culture on ad processing.

Application scope: companies meeting at least one of three criteria:

  • Global annual revenue > $25M USD; OR
  • Processing > 100,000 California consumers or households/year; OR
  • 50% of revenue from sale or sharing of personal data.

Seven CPRA rights (extended from initial CCPA):

  1. Right to Know - Request which categories and specific elements of data are collected. Response in 45 days, extendable.
  2. Right to Delete - Have data deleted (with legal exceptions).
  3. Right to Correct - Correct inaccurate information (added by CPRA 2023).
  4. Right to Opt-Out of Sale - Refuse sale to third parties. "Do Not Sell or Share My Personal Information" button mandatory in footer.
  5. Right to Opt-Out of Sharing for Cross-Context Behavioral Advertising - Refuse sharing for cross-context behavioral advertising purposes (added by CPRA 2023).
  6. Right to Limit Use of Sensitive Personal Information - Limit use of sensitive data (precise geolocation, health, finance, communication content). New CPRA right.
  7. Right to Non-Discrimination - No commercial disadvantage if you exercise your rights.

Execution: via company dedicated form (typically privacy@ page), or complaint to California Privacy Protection Agency (CPPA), created by CPRA in 2023. CPPA has direct sanctioning power since July 2023.

Practical impact for European users

CCPA does not apply to European residents, except temporary travel to California. But in practice, many tech companies apply CCPA rights globally for operational simplicity - that's the "California effect": the strictest standard becomes the default standard.

Concretely, in May 2026:

  • The "Do Not Sell or Share My Personal Information" button appears on ~85% of US sites visible from US IP.
  • Many US sites hide it from non-US IPs - using a US VPN allows displaying and exercising it (with CA postal address provided).
  • Apple generalized App Tracking Transparency to all global users following CCPA (April 2021).

LGPD Brazil - Latin America 2026

The Lei Geral de Proteção de Dados (LGPD), in force since August 18, 2020, transposes the GDPR model to Brazil. Scope: 215 million Brazilians + companies processing Brazilian residents' data even outside Brazil.

Six legal bases identical to GDPR: consent, contract performance, legal obligation, vital interest, public interest, legitimate interest. User rights quasi-identical: existence confirmation, access, correction, anonymization/blocking/elimination, portability, information on third-party sharing, consent withdrawal.

Sanctions: up to 2% of Brazilian revenue capped at 50 million Brazilian Reais (~€9M) per infraction. Significantly weaker than GDPR but represents real risk for Brazilian players. 2024-2025 records:

  • Cielo (payment) - 7M BRL (~€1.3M) for non-consented sharing with marketing partners.
  • Locaweb (hosting) - 2.5M BRL for security breach not declared to ANPD.

The ANPD (Autoridade Nacional de Proteção de Dados) regulator, operational since 2020, progressively ramps up in 2025-2026.

How to concretely exercise your rights

Planet Earth at night seen from space
Planet Earth at night seen from space

Unified procedure applicable GDPR / CCPA / LGPD:

Step 1 - Identify the contact

CompanyGDPR DPO EmailCCPA Opt-Out Page
Meta (Facebook, Instagram, WhatsApp)dpd@meta.comfacebook.com/privacy/center
Google (Gmail, YouTube, Android)data-protection-office@google.commyaccount.google.com/data-and-privacy
Amazoneu-privacy@amazon.comamazon.com/privacy
Microsoftmsdpo@microsoft.comaccount.microsoft.com/privacy
Appleprivacyeurope@apple.comprivacy.apple.com
X (Twitter)data-protection@x.comtwitter.com/settings/privacy
TikTokprivacy@tiktok.comtiktok.com/legal/privacy-policy
LinkedIndpo@linkedin.comlinkedin.com/psettings/privacy

Step 2 - Draft the request

Minimal template for GDPR right of access:

Subject: Exercise of GDPR right of access (art. 15)

Dear DPO,

I wish to exercise my right of access under Article 15 of the GDPR. Please provide me, within the one-month deadline of Article 12.3:

  1. The complete copy of personal data concerning me that you process;
  2. The purposes of processing;
  3. Categories of recipients (third parties, providers, partners);
  4. Expected retention duration;
  5. The origin of data if not collected from me.

I attach a copy of my ID for verification.

[Name, address, relevant account identifiers]

Keep a trace of the sending (email with read receipt, registered mail). This trace is necessary in case of supervisory authority complaint.

Step 3 - Follow-up and escalation

DeadlineAction
D+0Send request to DPO
D+15First reminder if no acknowledgment
D+30GDPR deadline expired (45 days CCPA) - request formal notice
D+45Supervisory authority complaint if still no response
D+60Prepare civil recourse file if seriousness

Step 4 - Complaint if refused

Country/StateRegulatorComplaint link
FranceCNILcnil.fr/plaintes
EU - othersNational regulatorEDPB directory
United KingdomICOico.org.uk/concerns
SwitzerlandPFPDTedoeb.admin.ch
CaliforniaCPPAcppa.ca.gov/complaints
BrazilANPDgov.br/anpd
Editorial pick
4.6 / 5

NordVPN - privacy by design GDPR-compliant

Deloitte 2025 audited no-log · 1-month responsive DPO · Panama jurisdiction outside 14 Eyes

Deloitte audit 202430-day guarantee14M+ users
See the offer

GDPR/CCPA pitfalls to know in 2026

Pitfall 1 - Dark patterns on consent. 73% of French sites in 2026 still use deceptive designs: colored "Accept" button vs grayed "Refuse" at page bottom, mandatory scroll before refusal, banner re-display on each visit if refused. CNIL multiplies sanctions (Yahoo €10M January 2025). To detect: if refusal takes more than 2 clicks, it's non-compliant.

Pitfall 2 - Fake DPO or generic form. Many companies list a generic "contact" form instead of a reachable DPO. GDPR requires dedicated DPO email. If the company doesn't provide one, that's a GDPR violation in itself (art. 37-39).

Pitfall 3 - Partial response to right of access. Meta has been fined several times (DPC 2023, CNIL 2024) for providing incomplete exports - omitting ad inferences, engagement models, inference data. Verify the export received: must contain > 50 JSON/CSV files for a Meta account > 5 years old.

Pitfall 4 - "Anonymized data" not really anonymous. Many companies argue that "pseudonymized" data no longer falls under GDPR. False - pseudonymized data remains personal per CJEU (CFLA 2019, OC Vilnius 2023 rulings). Only truly anonymous data (irreversible, k-anonymity > 5) escapes GDPR.

Pitfall 5 - Unframed international transfer. Since Privacy Shield invalidation (CJEU Schrems II, July 2020), transfers to USA require Standard Contractual Clauses + EU-US Data Privacy Framework (July 2023). Check privacy policy: DPF mention must appear explicitly for US transfers.

Practical tools 2026

ToolUseType
Supervisory authority complaintOfficial complaint EUFree
NOYB.euEU collective complaintFree NGO
EFF.orgUS privacy watchdogNGO
GDPRhub.euGDPR case law databaseFree
Enforcement TrackerGDPR sanctions trackingFree
GDPR.eu TemplatesRequest templatesFree
Mine.comAutomated erasure requestsFreemium

Key takeaways

GDPR, CCPA/CPRA and LGPD constitute in 2026 the global legal trio framing the personal data ecosystem. Your rights are real and enforceable - not symbolic. Exercise requires method (dedicated DPO email, 30/45-day follow-up, escalation to regulator if refused) but succeeds in most cases. Record fines (Meta €1.2 Bn, Amazon €746M) prove regulators have the means to impose compliance on tech giants.

Combining these legal rights with technical tools (audited no-log VPN, DoH, ECH, privacy browser) maximizes effective protection. GDPR provides the framework, technical tools execute day-to-day protection. See our audited no-log VPN comparison and our DNS over HTTPS guide for the technical layer.

Editorial pick
4.6 / 5

NordVPN - technical protection beyond legal

Audited no-log · Responsive GDPR DPO · Panama jurisdiction · 30-day money back

Deloitte audit 202430-day guarantee14M+ users
See the offer

Going further. Related reading: VPN, P2P and torrent.

See also. Related: Are VPNs Legal.

Deepen privacy and rights 2026

Editorial pick
4.4 / 5

Privacy-first VPN → Proton VPN

Audited no-logs · Swiss jurisdiction · open-source · free tier

SEC Consult audit 2024Swiss jurisdictionOpen-source
See the offer
Everything you need to know.

Frequently asked questions

What's the concrete difference between GDPR, CCPA and LGPD in 2026?

Three legal frameworks from the same family but with distinct scopes. **GDPR** (General Data Protection Regulation, in force since May 2018): 27 EU + 3 EEA countries, ~450 million inhabitants, mandatory explicit prior consent, extensive rights (access, rectification, erasure, portability, objection), fines up to 4% of global revenue. **CCPA/CPRA** (California Consumer Privacy Act strengthened by CPRA in 2023): ~40 million California residents, opt-out model (default authorized unless user refuses), right to know, delete, refuse sale, correct. **LGPD** (Lei Geral de Proteção de Dados, in force since August 2020): 215 million Brazilians, modeled on GDPR with opt-in consent, equivalent rights, fines up to 2% of local revenue capped at 50 M BRL. In 2026, GDPR remains the global reference standard - ~80% of new protection laws adopted since 2020 (India DPDPA 2023, Australia revision 2024, Japan APPI 2022) draw directly from it.

How do I exercise my GDPR right of access concretely?

Structured procedure in 4 steps. (1) **Identify the data controller**: the company that decides why and how your data is processed (Meta for Facebook/Instagram, Google for Gmail/YouTube, Amazon for amazon.com). Its DPO (Data Protection Officer) is reachable via dedicated email: `dpd@meta.com`, `data-protection-office@google.com`, `eu-privacy@amazon.com` notably. (2) **Send a written request** specifying: your identity (ID copy accepted but with strict minimum limits), nature of the request (full access, specific fragment), desired format (JSON, PDF, CSV). Template templates available on supervisory authority sites. (3) **Legal deadline**: 1 month, extendable by 2 months for justified complexity. Beyond that, direct complaint to your national supervisory authority. (4) **Reception**: you typically receive a bulky JSON export (Meta: 200-2000 files depending on account age) covering post history, messages, logins, geolocation, inferred ad models. Record 2024 fines: Meta fined 1.2 billion € by Irish DPC for insufficiently protected US transfers.

Does the CCPA apply to me if I'm in Europe?

Not directly. The CCPA protects California residents defined as natural persons residing in California regardless of nationality - so a Briton traveling to Los Angeles is temporarily covered by CCPA for interactions with CCPA-eligible businesses (revenue > $25M USD, processing > 100k consumers/year, or > 50% of revenue from selling data). Conversely, a permanent California resident traveling in Europe remains covered by CCPA for exchanges with CA-regulated companies even via VPN. The critical point: **residence location** prevails, not temporary IP geolocation. Many US sites display a 'Do Not Sell My Personal Information' banner only to US IPs - using a US VPN allows accessing these options even from Europe. But legally, CCPA rights only apply to CA residents - it's informational use, not an exercisable right.

What GDPR protection for data passing through a VPN?

Excellent question rarely asked. When you use a no-log VPN, **the VPN potentially becomes data controller** under GDPR for the minimal data retained (customer account, billing email, payment). NordVPN (Panama HQ, EU structure via Lithuania) applies GDPR fully to EU customers since 2018 - their DPO is `dpo@nordvpn.com` and you can exercise your access, rectification, erasure rights as for Meta. **Audited no-log policy** means no connection log (origin IP, sites visited, session duration) is retained - there is therefore *nothing to export* about your actual activity. You can only exercise your rights on billing and account data. Independent audit Deloitte 2025 confirms this policy at NordVPN; PwC 2024 at ExpressVPN; Cure53 2024 at Mullvad. To ensure compliance: check the annual transparency report published on the VPN's site.

What to do if a company ignores my GDPR request?

Structured escalation procedure. (1) **First written reminder** to the company's DPO with explicit mention of the one-month deadline exceeded and threat of supervisory authority complaint if no response within 15 days. Include exchange history. (2) **Online supervisory authority complaint** via your national authority - structured form, instruction within 6-12 months on average. The authority can issue formal notice, financial sanction up to 4% global revenue, or public injunction. (3) **Civil court action**: individual recourse before competent court with claim for damages. GDPR Article 82 provides right to compensation for moral and material harm. 2024-2025 precedents: €500 to €5,000 on average for complete ignorance of an erasure request. (4) **Class action**: defense association (NOYB by Max Schrems, EFF, Privacy International) can act in European class action. NOYB has obtained €250 M cumulatively since 2020 against Meta, Google, Amazon.

Do record GDPR fines 2024-2026 have real impact?

Yes, but delayed and uneven. Cumulative 2023-2025 records: €5.9 billion of GDPR sanctions pronounced in 5 years (2018-2023 per enforcementtracker.com). Top 3: Meta €1.2 Bn (May 2023, Irish DPC, illegal US transfers), Amazon €746M (July 2021, Luxembourg CNPD, non-consented ad targeting), TikTok €345M (September 2023, Irish DPC, minor data processing). Observable impact: Meta re-architected its EU processing (exclusive Ireland Data Center post-2023), Amazon strengthened its EU ad consent. **Limits**: ongoing appeals delay execution (Meta got partial suspension in 2024), amounts represent <0.5% of GAFAM annual revenue, and the ad-tech ecosystem remains mostly non-compliant despite 6 years of GDPR (CNIL January 2026 study: 73% of French sites still non-compliant on ad consent). GDPR is a fundamental advance but not a completed victory.

Is there a GDPR equivalent in Switzerland, UK, Canada?

Yes, with nuances. **Switzerland**: nLPD (new Data Protection Act, in force since September 2023) - modeled on GDPR with some relaxations (no systematic mandatory DPO, sanctions capped at CHF 250k). EU adequacy recognition since 2000, confirmed 2024. **United Kingdom**: UK GDPR + DPA 2018 - quasi-identical to GDPR post-Brexit, ICO (Information Commissioner's Office) independent regulator. EU adequacy until 2025, renewal in progress. **Canada**: PIPEDA (Personal Information Protection and Electronic Documents Act) at federal level + provincial laws + Bill C-27 (Quebec Law 25, 2024) which progressively aligns Quebec with GDPR. Existing EU adequacy for PIPEDA. Note: the USA has **no** federal equivalent - only sectoral laws (HIPAA health, FERPA education, GLBA finance) and state laws (CCPA California, VCDPA Virginia, CPA Colorado, CTDPA Connecticut since 2023).

How to know if a site really complies with GDPR?

Seven objective signals to check. (1) **Compliant cookie banner**: refusal as simple as acceptance (CNIL January 2025 fined Yahoo €10M on this point). No 'accept all' default, no refusal button hidden behind 3 clicks. (2) **Clear privacy policy**: reasonable length (< 5000 words), exhaustive list of third-party cookies and their purpose, explicit retention periods by data type. (3) **Mentioned DPO**: dedicated email (`dpo@`, `data-protection@`), not generic form. (4) **Third parties explicitly listed**: Meta Pixel, Google Analytics, Hotjar, etc. must be named with their purpose. (5) **Reset preferences button** accessible anytime, not only on first visit. (6) **EU geolocation detected**: actually applies GDPR, not default US banner. (7) **Schrems II compatibility**: transfers to US framed via Standard Contractual Clauses + EU-US Data Privacy Framework (July 2023). Sites failing 2+ criteria: non-compliant.

Does GDPR really ban ad tracking in 2026?

No - it frames it but doesn't ban it. Ad tracking (third-party cookies, fingerprinting, mobile ad ID) remains legal under GDPR under three cumulative conditions: (1) **prior explicit consent** from the user (active opt-in, no pre-checking), (2) **transparent information** on purposes and third parties involved, (3) **withdrawal possibility** as simple as consent. The 2026 reality: ~70% of EU sites collect third-party cookies without valid consent (CNIL study January 2026), many use dark patterns (colored 'accept' button vs grayed 'refuse'). To truly escape tracking: (a) natively block third-party cookies (Firefox since 2019, Safari since 2017 via ITP, Chrome announced progressive Privacy Sandbox), (b) use a strict privacy browser (Brave, LibreWolf), (c) combine with no-log VPN + DoH to neutralize IP + DNS tracking. GDPR provides the framework, execution depends on the user.

What are my exact CCPA rights as a California resident?

Seven rights codified in CPRA (in force January 2023, strengthening initial CCPA 2018). (1) **Right to Know**: request specific categories and elements of personal data collected on you (equivalent to GDPR right of access), response within 45 days, extendable 45 days. (2) **Right to Delete**: request deletion of your data, except legal exceptions (legal obligations, ongoing transactions, security). (3) **Right to Correct**: demand correction of inaccurate information. (4) **Right to Opt-Out of Sale**: refuse the sale of your data to third parties - 'Do Not Sell or Share My Personal Information' button mandatory in footer. (5) **Right to Opt-Out of Sharing for Cross-Context Behavioral Advertising**: refuse sharing for behavioral advertising purposes (new CPRA 2023). (6) **Right to Limit Use of Sensitive Personal Information**: limit use of sensitive data (health, finance, precise geolocation, communication content). (7) **Right to Non-Discrimination**: no disadvantage if you exercise your rights - no different price, no degraded service. Execution via company form (typically `privacy@company.com` page) or CPPA (California Privacy Protection Agency) complaint if refusal.