GDPR Rights You Can Use Even If You're Not in Europe: How American Privacy Law Borrows From Brussels

You're not in Europe. You've never lived in Europe. But you've heard that Europeans can demand their data from companies, force deletions, and opt out of tracking. You want to know if any of that applies to you.
The short answer: GDPR doesn't cover you. The longer answer: many companies extend the same rights to everyone because managing separate policies for different jurisdictions is a pain. Whether you can actually use those rights depends on where you live, which company you're dealing with, and how seriously they take compliance.
Here's what GDPR actually is, how American privacy law compares, and what you can request from companies even if you're not in Brussels.
What GDPR Actually Is
The General Data Protection Regulation is a European Union law that took effect in 2018. It applies to any company that processes personal data of EU residents, regardless of where the company is based. If you're in France and use an American app, that app has to follow GDPR when handling your data.
GDPR gives EU residents a set of enforceable rights. You can request a copy of everything a company holds about you. You can demand deletion. You can object to processing. You can move your data to a competitor. Companies face fines up to 4% of global revenue for violations, enough to make compliance non-negotiable.
The European Data Protection Board coordinates enforcement across member states, publishes guidance on how the law applies, and issues opinions when national authorities disagree. The result is a unified framework that companies can't ignore.
GDPR doesn't apply to Americans. If you live in Ohio and use Facebook, Facebook doesn't owe you GDPR compliance. But Facebook operates in Europe, which means it built systems to handle GDPR requests. Extending those systems to all users is often easier than maintaining separate processes.
How American Privacy Law Compares
The U.S. has no federal privacy law equivalent to GDPR. Instead, we have a patchwork of state laws, sector-specific regulations, and industry self-regulation that varies by what kind of data you're talking about and who's handling it.
California's Consumer Privacy Act (CCPA), which became the California Privacy Rights Act (CPRA) in 2023, is the closest American equivalent. It gives California residents the right to know what data companies collect, request deletion, and opt out of sale. Virginia, Colorado, Connecticut, Utah, and a handful of other states have passed similar laws with varying scopes and enforcement mechanisms.
If you live in a state with a privacy law, you have enforceable rights. If you don't, you're relying on the FTC's general authority to punish deceptive practices and whatever the company decides to offer voluntarily. The FTC can act when companies break their own privacy promises, but it can't force companies to offer rights they never promised in the first place.
The FTC's privacy and data security enforcement focuses on deception and unfairness. If a company says it won't sell your data and then does, the FTC can step in. If the company never made that promise, there's no violation. The agency has published guidance on best practices, but following that guidance is optional.
Some sectors have their own rules. Health data is covered by HIPAA. Financial data is covered by the Gramm-Leach-Bliley Act. Children's data is covered by COPPA. But general consumer data, your browsing history, your shopping habits, your location, has no federal protection unless you're in a state that passed its own law.
What You Can Request (And When It Actually Works)
The rights that GDPR and state privacy laws grant fall into a few categories. Here's what each one means and when you can actually use it.
Data access (also called data portability): You can request a copy of everything the company holds about you. This includes account information, activity logs, inferred data like interests or demographics, and sometimes communications with customer service. The company provides the data in a machine-readable format, usually JSON or CSV, so you can move it to a competitor or just see what they know.
Under GDPR, this right is absolute for EU residents. Under CCPA and similar state laws, it's available to residents of those states. If you're not covered by a law, the company can say no. Many don't, because building a system to handle requests from Californians and then blocking requests from Texans creates more work than just processing everything.
Deletion: You can ask the company to delete your data. The company has to remove it from active systems, but exceptions exist. They can keep data required by law (tax records, transaction logs for fraud investigations), data needed to complete a transaction you initiated, or data used internally for security and debugging. Aggregated or de-identified data usually doesn't count as "your data" anymore, so it stays.
Deletion requests work best for accounts you no longer use. If you're actively using a service, deletion might mean losing access. Some companies let you delete specific data (like location history) while keeping your account. Others make it all-or-nothing.
Opt-out of sale or sharing: Under CCPA and similar laws, you can tell companies not to sell your data to third parties or share it for cross-context behavioral advertising. This doesn't stop the company from using your data internally. It stops them from handing it to data brokers, ad networks, or analytics firms.
The definition of "sale" is broader than you'd think. Sharing data with an ad network in exchange for ad placement counts as a sale, even if no money changes hands. The opt-out applies to that exchange. Companies are required to honor these requests within 15 days and not ask again for 12 months.
Correction: Some laws let you request corrections to inaccurate data. This works better for factual information (your address, your birthdate) than for inferred data (your interests, your demographics). If the company guessed wrong about your age based on your browsing habits, correction requests rarely fix the underlying model.
Objection to processing: GDPR lets you object to processing based on legitimate interest. This is narrower than it sounds. If the company processes your data because you gave consent or because they need it to fulfill a contract, objection doesn't apply. If they're processing it because they claim a legitimate business interest (like fraud prevention or direct marketing), you can object and they have to stop unless they can demonstrate a compelling reason.
This right doesn't exist in most U.S. state laws. You get deletion and opt-out, but not a general objection mechanism.
How to Actually Submit a Request
Most companies that operate in multiple jurisdictions have a centralized privacy request portal. You fill out a form, verify your identity, and wait. Response times vary by law, GDPR requires a response within 30 days, CCPA within 45 days, but companies often respond faster to avoid the administrative burden of tracking deadlines.
Start with the company's privacy policy. Look for a section labeled "Your Privacy Rights," "Data Subject Requests," or "How to Contact Us." That section usually includes a link to the request form or an email address for privacy inquiries.
If there's no obvious portal, email privacy@[company].com or dpo@[company].com (DPO stands for Data Protection Officer, a role required under GDPR). State what you want clearly: "I am requesting a copy of all personal data you hold about me under CCPA" or "I am requesting deletion of my account and all associated data."
The company will ask you to verify your identity. This usually means confirming the email address associated with your account, answering security questions, or uploading a government ID. They're required to verify that you're actually the person whose data you're requesting. Without verification, they can refuse.
Once verified, the company processes your request. For data access, they'll send you a download link or email you a file. For deletion, they'll confirm removal and close your account. For opt-out, they'll update your preferences and stop sharing data going forward (but can't recall data already shared).
If the company refuses, they have to explain why. Common reasons: you're not covered by a privacy law, the request is too broad, or an exception applies (like legal retention requirements). You can appeal within the company's process, file a complaint with your state attorney general if you're in a state with a privacy law, or contact the FTC if the company violated its own policy.
The Cultural Reference That Fits
In The Good Place, Eleanor discovers she's in the Bad Place because the points system is rigged. Every action in the modern world has unintended consequences, buying a tomato supports exploitative labor, using a phone funds conflict minerals, and the system punishes you for things you can't control. The reveal is that the game was unwinnable from the start.
Privacy law works the same way. You're told you have rights, but the exercise of those rights depends on variables you didn't choose: which state you live in, which services you use, whether the company decides to extend rights voluntarily. The framework exists, but access is conditional. You can request your data, but only if the law covers you. You can opt out of sale, but only if the company defines "sale" the way the law does. The system is designed to look fair while remaining fundamentally unequal.
The difference is that Eleanor got a second chance. You don't. You work within the system as it exists, filing requests when you can and accepting refusals when you can't. The law protects some people and ignores others, and which group you're in depends on geography and luck.
What Companies Actually Do With Requests
When you submit a privacy request, the company routes it to a compliance team that handles these all day. For large platforms, this is an automated process. Your request hits a queue, gets categorized, and triggers workflows in their data systems. For smaller companies, it's manual, someone reads your email, checks the policy, and decides whether to honor it.
Companies track metrics on request volume, response time, and denial rates. Regulators audit these metrics during investigations. A company that denies 90% of deletion requests or takes 60 days to respond when the law requires 30 is exposing itself to enforcement action.
Most companies err on the side of honoring requests, even from users not covered by law. The cost of processing a request is low compared to the cost of a regulatory investigation. If you're asking for data access and you're in Montana, the company might just give it to you rather than spend time determining whether Montana law requires it.
But some companies draw hard lines. If you're not in California or the EU, they'll tell you the request doesn't apply. If you ask for deletion but keep using the service, they'll explain that deletion means account closure. If you object to processing and the company's business model depends on that processing, they'll refuse and cite their legitimate interest.
The FTC has documented cases where companies ignored requests, delayed responses, or made the process so difficult that users gave up. Enforcement is inconsistent. Large platforms with European operations take requests seriously because GDPR fines are real. Smaller companies with no international presence often don't bother.
When Requests Fail (And Why)
Privacy requests fail for predictable reasons. Here's what goes wrong and what you can do about it.
You're not covered by a law. If you live in a state without a privacy law and you're requesting rights from a U.S.-only company, they can refuse. No law compels them to respond. You can ask nicely, but you have no leverage.
The request is too broad. "Send me everything you have about me" is valid under GDPR and CCPA, but some companies push back on vague requests. Be specific: "I am requesting a copy of all personal data as defined under CCPA, including account information, activity logs, and inferred attributes."
Verification fails. If you can't prove you're the account holder, the company won't process the request. Use the email address associated with the account. If you've lost access to that email, account recovery comes first.
An exception applies. Deletion requests often hit exceptions. The company has to keep transaction records for tax purposes. They have to retain data for ongoing litigation. They have to preserve logs for fraud investigations. These exceptions are legitimate, but companies sometimes claim them too broadly. If the refusal doesn't make sense, ask for specifics.
The company is slow. GDPR allows 30 days, extendable to 90 for complex requests. CCPA allows 45 days, extendable to 90. If the company blows past the deadline without explanation, file a complaint. In California, that's the state attorney general. In the EU, it's your national data protection authority. In states without privacy laws, it's the FTC.
The company ghosts you. You send a request, get an automated confirmation, and then nothing. Follow up after two weeks. If you still get no response, escalate. Tag the company on social media (public pressure works), file a complaint with regulators, or contact a consumer protection organization like EPIC.
What Stays Even After Deletion
Deletion doesn't mean your data vanishes from every server. Companies are required to remove data from active systems, but backups, archives, and aggregated datasets often persist.
Backups: Most companies run nightly backups for disaster recovery. When you request deletion, they remove your data from the live database. But the backup from last night still contains it. Those backups eventually age out, 30 days, 90 days, a year, but until then, your data exists in cold storage.
Aggregated data: If the company combined your data with thousands of others to generate statistics, that aggregated data doesn't count as "your data" anymore. Deletion requests don't apply. The company can keep using those statistics even after your account is gone.
Legal holds: If your data is subject to a legal hold (because of a lawsuit, a subpoena, or a regulatory investigation), the company can't delete it even if you ask. The hold overrides your deletion rights. Once the hold lifts, deletion proceeds.
Transaction records: Financial institutions have to keep transaction records for years to comply with anti-money-laundering laws. You can close your account, but the records of what you did while the account was open stay.
De-identified data: Some companies de-identify data by stripping out names, email addresses, and other direct identifiers. The remaining data, behavioral patterns, device fingerprints, approximate locations, doesn't count as personal data under most laws. Deletion requests don't touch it.
This is why privacy advocates say deletion is incomplete. The law requires companies to stop using your data going forward, but it doesn't rewind the clock. What's already been processed, shared, or aggregated stays in the system.
Privacy Law Is Uneven (And That's the Point)
The reason Americans ask "Can I use GDPR rights?" is that GDPR is the only privacy law most people have heard of. It's comprehensive, enforceable, and applies to everyone in the EU. The U.S. has no equivalent. We have California's law, Virginia's law, Colorado's law, and a dozen others with different scopes, different rights, and different enforcement mechanisms.
This unevenness is deliberate. The U.S. has consistently rejected federal privacy legislation in favor of state-level experimentation and industry self-regulation. The result is that your rights depend on where you live, not on any universal principle.
If you're in California, you can request deletion and opt out of sale. If you're in Texas, you can't, unless the company extends those rights voluntarily. If you're in Montana, you're relying entirely on the company's goodwill and the FTC's ability to punish deceptive practices after the fact.
The FTC has advocated for stronger federal privacy protections, but legislation stalls every session. Industry groups argue that state laws create compliance burdens and federal preemption would simplify things. Privacy advocates argue that federal preemption would weaken strong state laws like CCPA. The stalemate continues.
In the meantime, you work with what you have. If your state passed a privacy law, use it. If it didn't, submit requests anyway and see what happens. Many companies honor requests from all users because the alternative is managing different policies for different jurisdictions, a headache they'd rather avoid.
The Practical Reality of Privacy Requests
Privacy requests are not magic. They don't undo years of data collection. They don't force companies to forget you existed. They give you a narrow set of tools to control what happens going forward.
If you're closing an account you no longer use, deletion requests work well. The company removes your data, you stop getting emails, and the relationship ends. If you're trying to erase your digital footprint while continuing to use the same services, deletion requests won't help. The company needs your data to provide the service. Deleting it means losing access.
Data access requests are useful for understanding what a company knows. You download the file, open it, and see your activity logs, inferred demographics, and ad targeting categories. Sometimes the data is mundane. Sometimes it's unsettling, they know more than you expected. Either way, you have the information. What you do with it is up to you.
Opt-out requests reduce tracking but don't eliminate it. The company stops sharing your data with third parties, but it keeps using your data internally. You still see ads. The ads are just less targeted. For some people, that's enough. For others, it's not.
The law gives you rights. Whether those rights are useful depends on what you're trying to accomplish. If you want to close old accounts, delete unused data, and reduce tracking, privacy requests are effective. If you want to disappear from the internet while staying online, they won't do that. No law can.
What You Should Actually Do
Start with the services you no longer use. Find the old forum accounts, the shopping sites you visited once, the apps you installed and forgot. Submit deletion requests for all of them. This reduces your exposure without affecting your current digital life.
For services you actively use, decide whether you want to exercise opt-out rights. If you're in California or another state with a privacy law, opt out of data sale and sharing. If you're not, check whether the company offers the same rights voluntarily. Many do.
If you want to see what a company knows, submit a data access request. Review the file. Look for inferred data that's wrong and submit correction requests if the law allows. Look for data you didn't expect and decide whether it's worth staying on the platform.
If you're moving to a competitor, use data portability to take your information with you. Download your posts, your contacts, your activity history. Upload it to the new service. Some platforms make this easy. Others make it deliberately difficult.
If a company refuses a request without a valid reason, escalate. File a complaint with your state attorney general if you're covered by a privacy law. Contact the FTC if the company violated its own policy. Tag them on social media if public pressure might work. Don't assume refusal is final.
And if you're not covered by any privacy law, advocate for one. Contact your state legislators. Support organizations like EPIC and the Electronic Frontier Foundation that push for stronger protections. The law won't change unless people demand it.
Privacy rights exist, but access is conditional. You use what you have, push for more, and accept that the system is uneven by design. GDPR protects Europeans. State laws protect some Americans. The rest of us work with what companies offer voluntarily and hope federal law eventually catches up.



