GDPR Rights Explained (And Why US Residents Should Still Care)

A practical walkthrough of the eight core GDPR rights, how to exercise them, and how they compare to the CCPA.

GoStealth Team | 8 min read

The General Data Protection Regulation, or GDPR, turned seven years old recently. It remains the most influential privacy law in the world, and its effects reach well beyond the European Union. If a company markets to, tracks, or serves EU residents, it has to comply — and in practice, most global companies apply GDPR-style controls to everyone because maintaining two data pipelines is expensive.

That is good news for you, even if you have never set foot in Europe.

The eight core rights

GDPR gives residents eight specific rights. Here is what they actually mean in day-to-day language.

1. The right to be informed

You have the right to know that your data is being collected, by whom, and for what purpose. This is what privacy notices and cookie banners are for. A company cannot quietly scrape your data and keep processing it under "legitimate interest" forever.

2. The right of access

You can file a Subject Access Request (SAR) and force a company to send you a copy of all the personal data they hold about you. They have 30 days to respond, and in most cases they cannot charge you.

3. The right to rectification

If a company has wrong information about you — a misspelled name, an outdated address, an incorrect transaction — you can demand they fix it.

4. The right to erasure

Also known as the "right to be forgotten". Under certain conditions you can demand that a company delete your data entirely. Conditions include: the data is no longer needed, you withdraw consent, the processing was unlawful, or you object and there are no overriding legitimate grounds.

5. The right to restrict processing

You can tell a company to pause processing your data without deleting it. Useful when you are disputing accuracy or lawfulness and do not want the company acting on bad data in the meantime.

6. The right to data portability

You can demand your data in a machine-readable format so you can take it to a competitor. This right is what allowed Google Takeout, Facebook Download Your Data, and similar export tools to exist.

7. The right to object

You can object to processing based on legitimate interest or direct marketing. For direct marketing, the objection is absolute — the company must stop.

8. Rights related to automated decision-making

If a decision affecting you is made purely by an algorithm — credit scoring, insurance pricing, job screening — you have the right to human review, to an explanation, and to contest the decision.

How to exercise them

Most companies publish a privacy email or form. Use it. Be specific about which right you are invoking. Keep a paper trail.

A simple template works for most requests:

Under Article 15 of the GDPR, I am requesting access to all personal data you hold about me, including the sources it was obtained from, the purposes of processing, and the categories of recipients. Please respond within 30 days.

Save the response. If the company ignores you or drags its feet, you can escalate to the data protection authority in your country. In the UK that is the ICO. In Ireland, where most US tech giants have their European headquarters, it is the Data Protection Commission.

Why this matters for US residents

Three reasons:

  1. Spillover compliance. Large companies often honor GDPR-style requests globally rather than build separate pipelines.
  2. Dual citizenship and relocation. Anyone with EU residency or citizenship can invoke GDPR directly, no matter where they live now.
  3. Leverage. Even if a company does not legally owe you a GDPR response, a polite, well-cited request often gets action because the legal team does not want to have the "are they or are they not a covered data subject" argument.

How CCPA compares

The California Consumer Privacy Act, and its successor the CPRA, gives Californians a meaningful but narrower set of rights:

  • Right to know what is collected
  • Right to delete
  • Right to correct
  • Right to opt out of sale and sharing
  • Right to limit use of sensitive personal information
  • Right to non-discrimination for exercising the above

The biggest gap compared to GDPR is the affirmative consent model. GDPR assumes you have to opt in. CCPA assumes you are opted in until you say otherwise.

The bottom line

Privacy law is slow and uneven, but the direction of travel is clear: individuals have, and will keep gaining, more control over their data. Knowing which right to invoke, in which jurisdiction, turns that abstract progress into something you can actually use.

If the idea of filing access and deletion requests across dozens of companies sounds exhausting, that is fair. GoStealth automates it for US data brokers, and we publish plain-language guides like this one because we think a privacy-literate public is the whole point.


This post is a template and is not legal advice. Review for your jurisdiction before relying on specific legal claims.
