Consumer Privacy Rights: What You Need to Know

All consumers need to know their privacy rights to be able to exercise them effectively

Privacy policies, cookie consent pop-ups, and “do not sell my personal information” links are becoming a regular feature of many business websites. However, even as more privacy laws are proposed and enacted, consumers are still unsure as to what these tools are, what they do, and how they protect their personal data privacy. For example, a Consumer Reports study showed that over 500 California residents submitted requests to exercise their privacy rights under the California Consumer Privacy Act (CCPA) to over 214 businesses. In 62% of the cases, participants either did not know whether their request was successful or could not figure out how to make the request in the first place.

While passing laws that provide consumer data privacy rights is crucial, those laws become essentially useless if consumers do not understand what privacy rights they have or how to exercise those rights and pursue violations. All consumers can gain more control over their online data privacy through some simple steps:

  1. Determine what privacy rights you have;
  2. Easily locate how to exercise those rights; and
  3. Find whom to contact if a business has violated your privacy rights.

The overwhelming majority of American consumers prefer to buy from companies that guarantee them access to their personal information and offer a strong approach to their data management.  Most people who responded to a survey indicated that data privacy is a human right.  All consumers should care about privacy rights and learn how to exercise those rights.

Do you have privacy rights?

Before one can exercise privacy rights, it is essential to determine whether one actually has any right to data privacy. Some states, such as California, provide robust privacy rights to individuals, while others, such as Nevada, have provided some privacy rights. Lastly, other states, such as Florida, provide almost no rights for protecting personal information typically collected by business websites.

So, instead of spending hours reading privacy laws, how can a consumer determine what privacy rights they have? The following resources list the privacy laws by state and the rights provided by those laws:

  1. National Conference of State Legislatures – list of state laws related to Internet privacy;
  2. Varonis guide to privacy laws in the United States;
  3. International Association of Privacy Professionals – state privacy law comparison.

Simply search for a state to see whether it has passed a privacy law and what rights that law provides to residents. It is important to note that privacy laws do not necessarily apply to all companies – some privacy laws have exceptions based on revenue or the amount of personal information collected. Therefore, the next step is to view the Privacy Policy of the target company. A Privacy Policy is a document that outlines the company’s privacy practices, lists any privacy rights, and explains how to exercise those rights.

To find the Privacy Policy, simply go to the company’s website and search for the words “Privacy Policy”, “Privacy Notice”, “Privacy”, or “Legal”. Then, search for the word “rights”. A list of the privacy rights that the company honors and to whom those rights are provided should appear. Note that some companies will provide privacy rights to individuals who reside in specific countries only (e.g., residents of Canada), while others will provide privacy rights to everyone, regardless of their location. The Privacy Policy will detail who those privacy rights are provided to.

An Explanation of Privacy Rights

Having found the Privacy Policy and the list of privacy rights, what do they mean? The following privacy rights are often provided to consumers:

  1. The right to access: gives individuals the right to access their personal information. This right indicates what personal information a business holds about someone, how it uses that information, and why personal information has been collected by that business. This is a great way to determine whether personal information is collected for expected uses such as processing an order or for potentially unexpected uses such as the sale of personal information;
  2. The right to portability: gives individuals the right to obtain and reuse their personal information for their own purposes across different services. Exercising this right allows a consumer to receive their personal information in a structured, commonly used, and machine-readable format. Obtaining this personal information means a person can easily switch vendors or maintain their created content across different platforms;
  3. The right to rectification: gives individuals the right to have inaccurate personal information corrected, or completed if it is not complete. This right ensures that the business holds accurate and up-to-date information about each of its contacts;
  4. The right to erasure: also called the “right to deletion”, or “the right to be forgotten”, this right allows a person to have their personal information erased. Exercising this right helps keep personal information safe from breaches by having companies erase that information once there is no longer a business reason to maintain it;
  5. The right to restrict processing: gives individuals the ability to allow companies to process their personal information for some purposes but not for others. For example, a person can direct the business to use their personal information to process an order but not to send marketing emails;
  6. The right to withdraw consent: if the processing of personal information is based on consent, a person may have the right to withdraw their consent, thereby stopping the processing or maintaining of their personal information;
  7. The right to opt-out: gives individuals the ability to opt-out of the processing of their personal information for certain purposes such as direct marketing or to opt-out of the sale of their personal information. A person may also have the right to opt-out of automated decision-making or profiling.

It is important to note that these rights are not absolute and that a business may decline a request to exercise data privacy rights in certain circumstances, such as when requests are manifestly unfounded or excessive.

How Can You Exercise Your Rights?

After learning how various privacy rights help protect personal data, put it into practice by exercising these rights. Go back into the Privacy Policy of the company and search for “rights” or the contact information for the company. Then, simply contact the company as prescribed in the Privacy Policy with a request.

Some companies will require an email, while others have a specific web page or portal for privacy requests. It is very important to follow the directions carefully, since a request may be denied if the directions are not followed properly. Most requesters will be required to verify their identity to exercise data privacy rights. While it may seem counterintuitive to provide more personal information for a privacy request, this extra step is intended to prevent fraudulent access to personal information.

After submitting a request, expect a response within 30 to 45 days, depending on the privacy laws that apply to the company. While some companies respond much sooner than that, do not be alarmed if the company requests an extension of the response time.

Did Not Receive a Response or Not Satisfied with the Response?

Occasionally, a company will not respond to a privacy rights request or improperly deny such a request. Doing so may mean that the company is breaking the law and a consumer can report a violation to the proper authorities. Contacting the appropriate authorities depends on residence location:

  1. In the United States, contact your State’s Attorney General’s office or the Federal Trade Commission;
  2. In the European Union, contact the country’s Data Protection Authority;
  3. In the United Kingdom, contact the UK Information Commissioner’s Office; or
  4. In Canada, contact the Office of the Privacy Commissioner of Canada.

Otherwise, simply search Google for “(country name) privacy enforcement government entity” to find the right governmental body with which to file a complaint.


Exercising data privacy rights is not a complex process. Find the company’s Privacy Policy, what privacy rights they provide, and contact the company to submit the request. This information should help any consumer learn how to protect and exercise personal data privacy rights.


Donata Stroink-Skillrud

Donata Stroink-Skillrud is an attorney licensed in Illinois and a Certified Information Privacy Professional (CIPP). Donata is the President and legal engineer of Termageddon, LLC, a software as a service company that generates and updates privacy policies. Donata is also the Vice-Chair of the American Bar Association’s ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.

© Since 1997 to the present – Enterprise Warehousing Solutions, Inc. (EWSolutions). All Rights Reserved
