
Privacy Laws Explained: GDPR, CCPA, and Your Email Rights

TempMailSpot Editorial Team

You have legal rights over your email data. Learn what GDPR, CCPA, and other privacy laws mean for you, and get ready-to-use templates to exercise your rights.

Your email address is personal data under every major privacy law. That single fact is the foundation of a set of legal rights you can use today: under the EU's General Data Protection Regulation, the UK GDPR, and California's CCPA (as amended by the CPRA), you can ask a company what it holds about you, demand that it delete your address, tell it to stop using your email for marketing, and complain to a regulator if it ignores you.

This is the pillar page for the legal cluster. It explains, in plain English, which laws cover your email, who they apply to, what each right actually entitles you to, and the deadlines a company must meet. Every statutory claim below links to the legislation itself or to the regulator that enforces it. For the practical mechanics of writing a request, see the deeper guides linked throughout, including our step-by-step GDPR temporary email guide and our California privacy laws guide.

One note before the detail: this is general information, not legal advice. If you have a specific dispute, talk to a qualified lawyer in your jurisdiction.

Key takeaways

  • Your email address is personal data under the GDPR, UK GDPR, and the CCPA, which is what gives you enforceable rights over it in the first place.
  • GDPR gives EU and UK residents access, rectification, erasure, portability, and an absolute right to stop direct marketing, with a one-month response deadline under Article 12.
  • California's CCPA/CPRA grants six consumer rights and is opt-out-first for data sales and sharing, whereas the GDPR requires a lawful basis (for marketing, usually consent) before processing starts; the end goal is similar but the default differs.
  • The US has no single privacy law: a patchwork of state statutes (Texas TDPSA, New York SHIELD Act) plus the federal CAN-SPAM Act applies depending on where you live and what email is involved.
  • If a company ignores a request, GDPR Article 77 lets you complain to a supervisory authority, and Article 83 fines reach up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher.
  • A disposable address is one privacy tactic among your legal rights, not a substitute: it reduces what companies ever collect, but it does not grant anonymity or legal exemption.

Why your email address counts as personal data

The reason you have rights over your email is that the law classifies an email address as personal data. That is not a technicality; it is the trigger for everything else.

Under the GDPR, Article 4(1) defines personal data as "any information relating to an identified or identifiable natural person," and an identifiable person is one who can be identified "directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier." An email address is precisely such an online identifier. Recital 30 reinforces the point, explaining that online identifiers "may leave traces which... may be used to create profiles of the natural persons and identify them." The UK regulator puts it without ambiguity: "A name and a corporate email address clearly relates to a particular individual and is therefore personal data," per the ICO's guidance on what is personal data.

California is even more explicit. The CCPA lists "email address" by name in its definition of personal information at Civil Code section 1798.140, alongside real name, postal address, IP address, and account name.

That classification matters because an email address is rarely just a contact field. It is a stable key that lets companies join your activity across sites, attach you to advertising profiles, and trade your data downstream. Spam volume shows the pressure on every address that leaks: Kaspersky found that 47.27% of all email sent worldwide in 2024 was spam (kaspersky-spam-phishing-2024), and breach-tracker Have I Been Pwned has catalogued over 17.5 billion compromised accounts (haveibeenpwned-stats). The rights below exist to give you a lever back.

GDPR: the European baseline

The GDPR is the most influential privacy law in the world, and most other modern regimes borrow from it. Its full title is Regulation (EU) 2016/679. It was adopted on 27 April 2016 and, per Article 99, has applied across all EU Member States since 25 May 2018 (gdpr-official).

Who it covers

The GDPR protects people in the EU and European Economic Area. Crucially, under Article 3 it follows the data, not the company: a business anywhere in the world that offers goods or services to people in the EU, or monitors their behaviour, generally has to comply. So a US service with EU customers is on the hook.

The lawful basis a company needs

A company cannot process your email "just because." Article 6(1) requires one of six lawful bases: your consent, performance of a contract, a legal obligation, vital interests, a public task, or the company's legitimate interests. Which basis applies changes what you can demand. For example, the right to data portability only attaches when processing rests on consent or contract and is carried out by automated means.

Your rights at a glance

Right          Article   What you can ask for
Access         Art. 15   Confirmation that your data is processed, a copy of it, plus eight categories of context (purposes, recipients, retention period, your rights)
Rectification  Art. 16   Correction of inaccurate data and completion of incomplete data, without undue delay
Erasure        Art. 17   Deletion ("right to be forgotten") in six circumstances, including data no longer needed, consent withdrawn, or unlawful processing
Restriction    Art. 18   A pause on processing while accuracy is contested or a dispute is resolved
Portability    Art. 20   Your data in a "structured, commonly used and machine-readable format" to take elsewhere
Object         Art. 21   A stop on processing; for direct marketing the right is absolute

The marketing right deserves emphasis. Article 21 states that "where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes." There is no balancing test and no exception. If you tell a company to stop emailing you marketing, it must stop.

The deadlines and the cost

Under Article 12, a controller must respond "without undue delay and in any event within one month of receipt of the request," extendable by two further months for complex or numerous requests, provided it tells you about the extension within the first month. The response is free of charge unless the request is manifestly unfounded or excessive. Separately, if a company suffers a breach, Article 33 requires it to notify the supervisory authority "without undue delay and, where feasible, not later than 72 hours after having become aware of it."

UK GDPR, the ePrivacy rules, and email marketing consent

After Brexit, the UK retained the GDPR almost verbatim as the "UK GDPR," supplemented by the Data Protection Act 2018. The individual rights are the same set: the ICO's guide to individual rights lists the right to be informed, the right of access, rectification, erasure, restriction, portability, the right to object, and rights around automated decision-making. An email request you would send under EU GDPR works, in substance, under UK GDPR too.

There is a second European layer that governs marketing email specifically. The ePrivacy Directive (2002/58/EC) sits alongside the GDPR. Article 13(1) requires prior opt-in consent before sending commercial email for direct marketing. Article 13(2) carves out a narrow "soft opt-in": an existing customer whose address was obtained in the context of a sale can be marketed similar products or services from the same company, provided they were given a clear, free chance to object when their address was collected and in every message after. In the UK this is implemented through the Privacy and Electronic Communications Regulations, with the ICO supplying the day-to-day guidance.

The practical upshot for your inbox: in Europe and the UK, an unsolicited marketing email to a private individual who never opted in is usually unlawful at the point of sending, not merely something you can unsubscribe from after the fact.

CCPA and CPRA: the California model

California's law is the most consequential in the United States, partly because so many companies are based there. The CCPA took effect on 1 January 2020 and was substantially strengthened by Proposition 24, the California Privacy Rights Act (CPRA), whose main provisions became operative on 1 January 2023 (ccpa-official).

Who it covers

The CCPA does not apply to every business. Per the statute's threshold definitions, it covers a for-profit business doing business in California that meets at least one of three tests: annual gross revenue over $25,000,000 (a figure the CPPA adjusts for inflation); buying, selling, or sharing the personal information of 100,000 or more consumers or households a year; or deriving 50% or more of its annual revenue from selling or sharing personal information. A small local business below all three thresholds is generally outside it.

Six consumer rights

The CCPA, as amended, gives California consumers six rights:

  1. Right to know what a business has collected, where it came from, and who it was shared with (section 1798.110).
  2. Right to delete personal information the business collected from you.
  3. Right to correct inaccurate personal information.
  4. Right to opt out of the sale or sharing of your personal information, the basis for the "Do Not Sell or Share My Personal Information" link.
  5. Right to limit the use of sensitive personal information.
  6. Right to non-discrimination for exercising any of the above.

A structural difference from the GDPR is worth understanding. The GDPR requires a lawful basis before processing begins, and for marketing email that basis is usually your consent. California is opt-out-first for sales and sharing: a business may sell or share your data unless you tell it to stop. The end goal is similar; the default differs.

Enforcement and penalties

Two bodies enforce the CCPA: the California Privacy Protection Agency (CPPA) and the California Attorney General. The base statutory penalties are up to $2,500 per unintentional violation and $7,500 per intentional violation. The CPPA adjusts these for inflation; effective 1 January 2025 they rose to $2,663 and $7,988, per the CPPA's 2025 penalty announcement. Individuals generally cannot sue under the CCPA except in one situation: a data breach of certain unencrypted and unredacted personal information caused by the business's failure to maintain reasonable security, where the private right of action carries statutory damages of $100 to $750 per consumer per incident, inflation-adjusted to $107 to $799 as of January 2025. For the full California walkthrough, see our California privacy laws guide.

The wider US patchwork: state laws and federal email rules

The United States has no single federal privacy law. Instead, a patchwork of state statutes and narrower federal rules applies, and the relevant one depends on where you live and what kind of email is involved.

Comprehensive state privacy laws

A growing list of states have passed GDPR-style consumer privacy laws. Texas is a good marker for the trend: the Texas Data Privacy and Security Act became effective 1 July 2024. It gives Texas residents rights to know, correct, delete, and opt out of processing for targeted advertising, sale, or profiling. The Texas Attorney General has exclusive enforcement authority and must give a business written notice and a 30-day window to cure before suing.

Breach-notification laws

Some state laws focus on what happens after a leak. New York's SHIELD Act, signed into law on 25 July 2019, expanded breach-notification duties to cover "biometric information, username or email address, and password credentials." It applies to any person or business that maintains private information about New York residents. Penalties run up to $5,000 per violation for failing to maintain reasonable safeguards, and up to $20 per failed notification capped at $250,000 for untimely notice.

Federal email-marketing rules

For commercial email specifically, the relevant federal law is the CAN-SPAM Act, formally the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003. Unlike the GDPR, CAN-SPAM is opt-out, not opt-in: a sender can email you commercial messages until you object, but must then honour an unsubscribe request within 10 business days. The FTC's compliance guide requires the opt-out to be easy to use; a sender "can't charge a fee, require the recipient to give any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website." Each violating email is subject to penalties of up to $53,088 as of January 2024.

How other major jurisdictions compare

If you deal with companies in Canada or Australia, two more regimes are worth knowing.

Canada: PIPEDA and CASL

Canada's federal private-sector privacy law is PIPEDA, the Personal Information Protection and Electronic Documents Act, which received Royal Assent on 13 April 2000 and came fully into force on 1 January 2004. It governs how organisations collect, use, and disclose personal information in commercial activities and is enforced mainly through complaints to the Office of the Privacy Commissioner, which investigates and reports rather than levying GDPR-style fines.

Canada's anti-spam law, CASL, is one of the strictest email regimes in the world. Most of its commercial-email provisions came into force on 1 July 2014. It requires consent, sender identification, and an unsubscribe mechanism before a commercial electronic message is sent, and the CRTC confirms that "the onus is on the person who claims that they have obtained consent to prove it." Maximum penalties are steep: up to $1,000,000 per violation for an individual and $10,000,000 for a business. CASL is enforced jointly by three agencies: the CRTC, the Competition Bureau, and the Office of the Privacy Commissioner.

Australia: the Privacy Act 1988

Australia's Privacy Act 1988 applies to government agencies and to organisations with annual turnover above $3 million, and it sets out 13 Australian Privacy Principles enforced by the OAIC. Email addresses fall within its broad definition of personal information about a "reasonably identifiable" individual. Under the Australian Privacy Principles, APP 12 gives you a right of access on request, and APP 13 obliges entities to take reasonable steps to correct inaccurate or out-of-date information. Penalties were sharply increased by an amendment that took effect on 13 December 2022: for serious or repeated interference with privacy, a body corporate now faces the greater of $50,000,000, three times the benefit obtained, or 30% of adjusted turnover, while an individual faces up to $2,500,000.

Regime            Region          Default for marketing        Headline penalty
GDPR              EU/EEA          Opt-in                       Up to EUR 20M or 4% global turnover
UK GDPR           United Kingdom  Opt-in                       Up to GBP 17.5M or 4% global turnover
CCPA/CPRA         California      Opt-out of sale/sharing      $7,988 per intentional violation (2025)
CAN-SPAM          United States   Opt-out                      Up to $53,088 per email
CASL              Canada          Opt-in                       Up to $10M per violation (business)
Privacy Act 1988  Australia       Mixed (APPs)                 Up to $50M for serious interference

Exercising your rights, and minimising what you ever have to ask for

Knowing the rights is half of it. Using them is a short, repeatable process.

  1. Identify the law that applies to you. EU or EEA residence points to the GDPR; the UK points to UK GDPR; California to the CCPA; and so on. Remember that the GDPR follows you, so it can apply to a company on another continent that serves EU customers.
  2. Find the privacy contact. Look in the footer for a privacy policy, a "Do Not Sell or Share My Personal Information" link, or a dedicated privacy request portal.
  3. State the right and cite the article. Name the specific right (for example, erasure under GDPR Article 17, or deletion under the CCPA) and ask for written confirmation of the action taken.
  4. Note the deadline and follow up. The GDPR clock is one month under Article 12; California allows businesses 45 days, extendable once by a further 45 days if they notify you. If the deadline passes, send a follow-up that references the missed statutory deadline.
  5. Escalate to the regulator. GDPR Article 77 gives you the right to lodge a complaint with a supervisory authority in your country of residence, place of work, or where the infringement occurred. In California, complain to the CPPA or the Attorney General.

If a company stalls, two tiers of GDPR fines sit behind these rights. Article 83 sets a lower tier of up to EUR 10,000,000 or 2% of worldwide annual turnover for procedural failures, and a higher tier of up to EUR 20,000,000 or 4% of worldwide annual turnover for breaching basic principles, ignoring data-subject rights, or violating transfer rules. In each tier the higher of the two figures applies.

The quiet alternative: do not hand over the address in the first place

Every right above is a remedy you invoke after a company already has your data. The cheaper move is to limit what it gets. A right to erasure you never need to file is the strongest version of the right to erasure.

This is where a disposable address earns its place, as one privacy tactic among your legal rights rather than a replacement for them. For a newsletter you want to read once, a free trial, a forum sign-up, or any site you do not yet trust, a temporary inbox keeps your real address out of the database entirely. TempMailSpot is a free, no-registration tool built for exactly this: open the page and an address is ready, incoming mail appears automatically within seconds, and the inbox expires on a 10-minute timer you can extend as needed. Unlike most receive-only rivals it can also send a reply behind a CAPTCHA, and it can export messages as PDF, JSON, or EML for your records. We run that service, and the volume of automated spam we watch hit fresh addresses is a fair argument for keeping your primary email off most forms.

To be precise about scope: using a temporary email does not make you anonymous, does not exempt anyone from privacy law, and does not by itself guarantee compliance with anything. It simply reduces the surface area, so you have fewer copies of your address out there to chase down later. Reserve your real inbox for banking, healthcare, government, and your employer; route the rest through an address that disappears. Our guide to protecting your privacy online puts this in the context of a broader routine, and the GDPR temporary email guide walks through how the two approaches fit together.

Privacy law has settled a question that used to be left to each company's goodwill: your email address is your personal data, and you have enforceable rights over it. In the EU and UK that means access, correction, erasure, portability, and an absolute right to stop marketing, all on a one-month clock. In California it means the right to know, delete, correct, and opt out, backed by a regulator with real penalties. Across Canada, Australia, and a widening set of US states, the same shape keeps reappearing.

Use the rights when you need them, and cite the article so a company cannot pretend the law is vague. But the most reliable privacy win is the data you never surrender. Keep your primary inbox for the handful of relationships that genuinely need it, route everything else through a disposable address, and you will have far less to reclaim. This page is general information rather than legal advice; for a specific dispute, consult a qualified lawyer in your jurisdiction.

Sources

  1. European Commission, General Data Protection Regulation (2018)
  2. California Attorney General, California Consumer Privacy Act (2020)
  3. Kaspersky Securelist, Spam and phishing in 2024 (2025)
  4. Have I Been Pwned, Pwned Websites Database (2025)
  5. EUR-Lex, Regulation (EU) 2016/679, General Data Protection Regulation (2016)
  6. EUR-Lex / European Commission, The general data protection regulation applies in all Member States from 25 May 2018 (2018)
  7. gdpr-info.eu (reproducing EU official text), Art. 4 GDPR, Definitions (2016)
  8. gdpr-info.eu (reproducing EU official text), Recital 30, Online Identifiers for Profiling and Identification (2016)
  9. gdpr-info.eu (reproducing EU official text), Art. 6 GDPR, Lawfulness of processing (2016)
  10. gdpr-info.eu (reproducing EU official text), Art. 12 GDPR, Transparent information, communication and modalities for the exercise of the rights of the data subject (2018)
  11. gdpr-info.eu (reproducing EU official text), Art. 15 GDPR, Right of access by the data subject (2016)
  12. gdpr-info.eu (reproducing EU official text), Art. 16 GDPR, Right to rectification (2016)
  13. gdpr-info.eu (reproducing EU official text), Art. 17 GDPR, Right to erasure ('right to be forgotten') (2018)
  14. gdpr-info.eu (reproducing EU official text), Art. 18 GDPR, Right to restriction of processing (2016)
  15. gdpr-info.eu (reproducing EU official text), Art. 20 GDPR, Right to data portability (2016)
  16. gdpr-info.eu (reproducing EU official text), Art. 21 GDPR, Right to object (2016)
  17. gdpr-info.eu (reproducing EU official text), Art. 33 GDPR, Notification of a personal data breach to the supervisory authority (2016)
  18. gdpr-info.eu (reproducing EU official text), Art. 77 GDPR, Right to lodge a complaint with a supervisory authority (2016)
  19. gdpr-info.eu (reproducing EU official text), Art. 83 GDPR, General conditions for imposing administrative fines (2016)
  20. EUR-Lex, Directive 2002/58/EC, Privacy and Electronic Communications Directive (ePrivacy Directive) (2002)
  21. Information Commissioner's Office (ICO), What is personal data? (2022)
  22. Information Commissioner's Office (ICO), A guide to individual rights (2022)
  23. California Legislative Information, Cal. Civ. Code § 1798.140, Definitions (CCPA) (2020)
  24. California Legislative Information, CCPA Full Text (2023)
  25. California Legislative Information, Cal. Civ. Code § 1798.110, Right to Know (CCPA) (2023)
  26. California Privacy Protection Agency (CPPA), California Privacy Protection Agency Announces 2025 Increases for CCPA Fines and Penalties (2024)
  27. Federal Trade Commission, Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act) (2003)
  28. Federal Trade Commission, CAN-SPAM Act: A Compliance Guide for Business (2024)
  29. New York State Attorney General, SHIELD Act (2019)
  30. Texas Office of the Attorney General, Texas Data Privacy and Security Act (2024)
  31. Canadian Radio-television and Telecommunications Commission (CRTC), Frequently Asked Questions about Canada's Anti-Spam Legislation (2014)
  32. Canadian Radio-television and Telecommunications Commission (CRTC), Enforcing Canada's Anti-Spam Legislation (CASL) (2022)
  33. Justice Laws Website (laws-lois.justice.gc.ca), An Act to promote the efficiency and adaptability of the Canadian economy... (CASL) (2014)
  34. Office of the Privacy Commissioner of Canada, The Personal Information Protection and Electronic Documents Act (PIPEDA) (2000)
  35. Office of the Australian Information Commissioner (OAIC), The Privacy Act (1988)
  36. Office of the Australian Information Commissioner (OAIC), Read the Australian Privacy Principles (2014)
  37. Office of the Australian Information Commissioner (OAIC), Chapter 7: Civil penalties, serious or repeated interference with privacy (2022)
