Own Your Data
Search for an organization using the search box above. If the organization you are looking for is not on the list, you can still send it a request by providing a contact email.
Fill in your name and any additional information which may help the organization to identify you in their information systems (we do not keep this information).
Click the Send button to generate a request email addressed to the relevant person at the organization you selected. The email will open up in your default email application where you can review, and then send it.
The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) require organizations to erase or provide a copy of your personal data upon request. Organizations have a short time period to comply, otherwise they can face steep fines.
Which regulation protects me, GDPR or CCPA?
There are currently two main regulations protecting individual privacy online. The General Data Protection Regulation, or GDPR, protects European Union residents, and the California Consumer Privacy Act, or CCPA, protects California residents.
What is the GDPR?
The General Data Protection Regulation, or GDPR for short, is an EU regulation which protects the fundamental right of people to the protection of their personal data.
Who does the GDPR apply to?
The GDPR applies to:
Organizations established within the EU who collect or process personal data (even of people located outside the EU)
Organizations established outside the EU collecting or processing personal information while providing goods or services (paid or for free) to people located within the EU
Organizations established outside the EU collecting or processing personal information while engaged in the monitoring of the behavior of people while they are in the EU
The GDPR does not apply to certain activities including law enforcement, national security, and purely for personal / household activities.
What is the CCPA?
The California Consumer Privacy Act, or CCPA for short, is a new regulation introduced in California in January 2020. It protects the fundamental right of people to the protection of their personal data and privacy online.
Who does the CCPA apply to?
The CCPA applies to organizations that collect consumers’ personal information (or on whose behalf such information is collected), that alone or jointly with others determine the purposes and means of processing that information, that do business in the State of California, and that satisfy one or more of the following thresholds:
Has annual gross revenues in excess of twenty-five million dollars ($25,000,000)
Annually buys, receives, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices
Derives 50 percent or more of its annual revenues from selling consumers’ personal information
What constitutes personal data?
Under the GDPR:
Any information relating to a person which can be directly or indirectly used to identify them. A person can be identified in a wide range of ways including name, identification number, location data or other online identifiers.
Under the CCPA:
Personal information is anything that identifies, relates to, describes, or is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
When can I request erasure of my personal data?
Under the GDPR:
The right to erasure is not absolute, and concerns data processing where consent is the legal basis for the processing. For example, data needed due to a contract, or data which is in the public interest does not fall under this definition. More specifically, the right only applies in the following circumstances:
The organization no longer needs your data. Example: after you have cancelled your gym membership, it no longer needs to keep details of your name, address, age and health conditions.
You initially consented to the use of your data, but have now withdrawn your consent. Example: you agreed to take part in a market-research study and now no longer wish to do so.
You have objected to the use of your data, and your interests outweigh those of the organization using it.
The organization has collected or used your data unlawfully. Example: it hasn’t complied with the rules on data protection.
The organization has a legal obligation to erase your data.
The data was collected from you as a child for an online service. Example: social media or a gaming app. The law gives children special protection because they may be less aware of the risks and consequences of giving their data to organizations. Even if you are now an adult, you have a right to have your data erased if it was collected from you as a child.
When can the organization say no?
There are certain circumstances where an organization is legally permitted to refuse to erase your data.
Under the GDPR:
When keeping your data is necessary for reasons of freedom of expression and information (this includes journalism and academic, artistic and literary purposes).
When the organization is legally obliged to keep hold of your data.
When keeping hold of your data is necessary for reasons of public health.
When keeping your data is necessary for establishing, exercising or defending legal claims.
When erasing your data would prejudice scientific or historical research, or archiving that is in the public interest.
If, having considered your request, the organization decides it does not need to erase your data, it must still respond to you. It should explain to you why it believes it does not have to erase your data, and let you know about your right to complain about this decision to the ICO, or through the courts.
The organization can also refuse your request if it is, as the law states, “manifestly unfounded or excessive”.
Under the CCPA:
Free speech or another right provided by law.
Processing for research purposes, if the deletion of personal information would render impossible or seriously impair the achievement of such research.
Processing of that personal information is necessary to protect against illegal activity or prosecute those responsible for the activity.
For complying with a legal obligation.
To perform a contract between the business and the consumer.
Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity.
Debug to identify and repair errors that impair existing intended functionality.
To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
How long does an organization have to comply with a request?
Under the GDPR:
An organization has one month to comply with a request. The deadline can be extended by 2 additional months, taking into account the complexity and number of requests. In any case, the organization must inform you of such an extension within one month of receiving the request.
Under the CCPA:
The deadline to respond to a request is 45 days from the receipt of the consumer’s request. The deadline can be extended an additional 45 days when reasonably necessary, if the consumer is informed within the first 45 days.
What should I do if an organization did not comply, or did not fully comply with my request?
Under the GDPR:
If you are unhappy with how the organization has handled your request, you should first complain to it. Having done so, if you remain dissatisfied you can make a complaint to your local Data Protection Authority (DPA). You can also seek to enforce your rights through the courts. If you decide to do this, we strongly advise you to seek independent legal advice first. You can download a list of DPAs here (PDF).
Under the CCPA:
If you are unhappy with how an organization has handled your request, you should first complain to it. Having done so, if you remain dissatisfied you have two options: complain to the Attorney General or take private action.
What are the penalties an organization that does not comply with a request may face?
Under the GDPR:
Organizations can be fined up to 4% of annual global turnover or 20 million euros for breaching the GDPR.
Under the CCPA:
The penalty for an intentional violation of the CCPA is $7,500 per incident, and for an unintentional violation $2,500 per incident. Consumers are entitled to between $100 and $750 in compensation per incident or actual damages, whichever is greater, if a company did not take reasonable security measures in the event of a breach of sensitive personal information.
Who in an organization is responsible for handling the requests?
Under the GDPR:
The Data Protection Officer (DPO), although the legislation states that organizations should train staff to recognize GDPR requests no matter whom they reach or in which format they arrive.
Under the CCPA:
The CCPA does not define who specifically within an organization is responsible for this.
Do you want better control over who has access to your personal data? Our browser extension allows you to opt out of the websites you visit with a click of a button.
YourDigitalRights.org was created because we believe that privacy matters, and that exercising your right to privacy should be easy. That’s why we’ve made it free. Donations allow us to spend more time improving this service.