What Are Your Privacy Rights Online Under US, UK, and Australian Law?

Privacy rights online are no longer a niche concern reserved for lawyers and compliance teams. Every time you sign up for an app, browse a website, or share a photo, you're handing over personal data — and the question of who controls that data, and what you can do about it, is one of the most pressing legal issues of our time.

The challenge is that the answer depends heavily on where you live. The United States, the United Kingdom, and Australia have each taken distinctly different approaches to online privacy law, and understanding your rights under each system can be genuinely difficult. The laws are fragmented, frequently updated, and full of exceptions that favor businesses over individuals.

This article breaks down the state of digital privacy rights in all three countries. It covers the key laws you need to know, the specific rights you hold as an individual, how those rights are enforced, and where the gaps still exist. Whether you're a consumer trying to understand what Google can do with your search history, a business trying to stay compliant, or just someone who values their personal information, this guide gives you a clear, honest picture of where things stand right now. No legal jargon, no fluff — just what you actually need to know.

Privacy Rights Online in the United States: A Fragmented Patchwork

The US takes a fundamentally different approach to data privacy than most other developed nations. Rather than one sweeping federal law, privacy in America is governed by a complicated mix of sector-specific federal laws and an ever-growing number of state-level statutes.

No Federal Privacy Law — Yet

At the federal level, there is no single, comprehensive law that covers online privacy rights for all Americans. What exists instead is a collection of narrow, industry-specific protections:

  • HIPAA (Health Insurance Portability and Accountability Act) protects health-related data
  • COPPA (Children's Online Privacy Protection Act) protects children under 13 online
  • FERPA protects student education records
  • GLBA (Gramm-Leach-Bliley Act) applies to financial institutions

The Federal Trade Commission (FTC) plays an important role in filling this gap by pursuing companies that engage in unfair or deceptive data practices. In recent years, the FTC has taken an increasingly aggressive stance on data security failures and misleading privacy disclosures. But FTC enforcement is reactive — it punishes bad behavior after the fact rather than creating affirmative rights for individuals.

Efforts to pass a federal law have repeatedly stalled. The American Privacy Rights Act of 2024 came closer than most, but it didn't make it across the finish line.

The Rise of State Privacy Laws

California led the charge as the first state to enact comprehensive data privacy legislation via the California Consumer Privacy Act (CCPA), signed into law in June 2018 and effective from January 1, 2020. Since then, the movement has spread quickly: as of 2025, US state privacy law continues to expand, with new laws introduced, enacted, and coming into force each year.

At the time of publication, 20 US states have enacted comprehensive consumer data privacy laws. These vary in scope, but most share a common framework of rights.

What Rights Do Americans Actually Have?

Under the CCPA and the California Privacy Rights Act (CPRA), California residents have some of the strongest privacy protections in the country. Key rights include:

  • Right to know what personal data is collected, used, and shared
  • Right to delete personal data held by a business
  • Right to opt out of the sale of personal data
  • Right to correct inaccurate personal data
  • Right to limit the use of sensitive personal information
  • Right to non-discrimination for exercising privacy rights

Each US comprehensive state privacy law establishes various consumer rights, including the ability to access, correct and delete personal data held by companies. These laws also provide opt-out rights for targeted advertising, sale of personal data and profiling.

California alone has more than 25 state privacy and data security laws, including the comprehensive CCPA, which provides broad individual rights and imposes requirements on the collection, use, disclosure, and processing of personal information of California residents.

The Problem With the US Approach

The patchwork of state privacy laws creates real problems. Your rights depend on which state you live in. A resident of California has substantially more protection than someone in a state that hasn't passed any comprehensive privacy law. And even where laws exist, enforcement varies enormously. Privacy class actions continue to be a significant risk area in the United States, including in the context of biometric privacy under the Illinois Biometric Privacy Act, and online monitoring and targeting activities — including via cookies, pixels, and chat bots — continue to be an area of particular concern.

The bottom line for US residents: your online privacy protections are real but uneven, and the state you live in matters a lot.

Privacy Rights Online in the United Kingdom: Strong Rights, Clear Structure

The UK has a much more coherent framework for digital privacy rights. After Brexit, the country retained the core of the EU's General Data Protection Regulation while adapting it to domestic law.

The UK GDPR and Data Protection Act 2018

The UK currently operates under two interlocking laws:

  1. UK GDPR — the retained version of the EU's General Data Protection Regulation, which became domestic law on January 1, 2021
  2. Data Protection Act 2018 (DPA 2018) — the domestic statute that supplements the UK GDPR and handles areas like national security and law enforcement

The Data Protection Act 2018 is a UK law that sets out how personal data must be collected, handled and stored to protect people's privacy. It also gives individuals the right to know what personal data is held about them and to have that data erased in certain circumstances.

The UK GDPR establishes the key data protection principles — lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability. It defines individuals' rights, including the right to access their data, have it corrected or deleted, and object to certain processing.

Your 8 Core Rights Under UK Law

The UK GDPR grants individuals eight specific rights over their personal data:

  1. Right to be informed — organizations must tell you clearly what they're doing with your data, usually through a privacy notice
  2. Right of access — you can request a copy of all personal data a company holds about you (a Subject Access Request, or SAR), and they must respond within one month
  3. Right to rectification — if data about you is wrong, you can ask for it to be corrected
  4. Right to erasure (the "right to be forgotten") — in certain circumstances, you can demand that your data be deleted
  5. Right to restrict processing — you can ask an organization to pause how it uses your data while a dispute is resolved
  6. Right to data portability — you can request your data in a machine-readable format to transfer it elsewhere
  7. Right to object — you can object to your data being used for direct marketing at any time, with no exceptions
  8. Rights related to automated decision-making and profiling — you have the right not to be subject to decisions made entirely by automated systems if those decisions significantly affect you

These are not suggestions — they are legally enforceable rights. The Information Commissioner's Office (ICO) is the UK's data protection regulator, and it has real teeth. If an organization breaches the DPA 2018, the ICO can investigate, issue enforcement notices, and impose fines of up to £17.5 million or 4% of annual global turnover.

The Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 came into law on 19 June 2025 and introduced reforms to the UK framework, including changes to how organizations can respond to data subject access requests. The UK government has signaled that it may gradually diverge from EU standards over time, though the core rights structure remains intact for now.

UK vs EU: What Changed After Brexit?

The UK GDPR is substantially similar to the EU GDPR, which means businesses that comply with one are generally in good shape for the other. The key difference is that non-UK businesses only need to comply with UK GDPR if they offer goods or services to UK residents or monitor the behavior of people in the UK. For UK residents, this is actually reassuring — any company targeting you is bound by these rules, regardless of where that company is based.

The practical takeaway for UK residents: you have clear, strong online privacy rights, and a well-resourced regulator to enforce them. The system is far from perfect, but it's among the most protective in the world. For more detail on your specific rights, the ICO's guidance at ico.org.uk is an excellent resource.

Privacy Rights Online in Australia: Major Reforms, Ongoing Gaps

Australia's approach to online privacy law has historically lagged behind the UK and EU. The Privacy Act 1988 was the foundation, but it went without significant reform for years while the digital landscape changed dramatically around it.

That's changing fast.

The Privacy Act 1988 and Australian Privacy Principles

The Privacy Act 1988 (Cth) is Australia's primary federal privacy legislation. It applies to organizations with an annual turnover above $3 million, as well as certain health service providers and government agencies. Central to the Act are the Australian Privacy Principles (APPs) — 13 principles that govern how personal information must be handled, used, and disclosed.

Under the existing framework, Australians have the right to:

  • Access personal information an organization holds about them
  • Ask for corrections to inaccurate or outdated data
  • Complain to the organization, and escalate to the Office of the Australian Information Commissioner (OAIC)
  • Opt out of direct marketing communications

The OAIC is the national regulator, but it has historically been underfunded relative to the scale of the task.

The Privacy and Other Legislation Amendment Act 2024: A Turning Point

The majority of the Privacy and Other Legislation Amendment Act (POLA) changes took effect upon receiving Royal Assent on 10 December 2024. The Act represents the most substantial change to Australia's privacy regime since its inception.

Key changes include:

1. A New Statutory Tort for Serious Invasion of Privacy
From 10 June 2025, individuals can take action against someone who has seriously invaded their privacy, either by intruding upon their seclusion or by misusing private information relating to them. This is a landmark development. Unlike the US, where courts recognized a tort of privacy almost a century ago, and the UK, where the doctrine of breach of confidence was extended to cover invasion of privacy 20 years ago, Australian common law had never recognized a right of action for invasion of privacy.

2. Anti-Doxxing Laws
New measures make it illegal to share someone's personal information with the intent to harm: a doxxing offence punishable by up to 7 years' imprisonment, effective 11 December 2024.

3. Transparency Around Automated Decisions
The Amendment Act requires entities that use automated processes to make decisions which could reasonably be expected to significantly affect the rights or interests of individuals to include details about their use of automated decision-making in their privacy policy.

4. Children's Online Privacy Code
The Office of the Australian Information Commissioner is required to develop a code addressing online privacy for children, with a Children's Online Privacy Code to be registered by 10 December 2026.

5. Enhanced OAIC Powers
The Act gives the OAIC new enforcement and investigative powers, including the ability to request information about actual or suspected eligible data breaches and to conduct assessments of compliance with the notifiable data breaches scheme.

Where Australia Still Lags

Despite these improvements, Australia's framework still has notable gaps compared to the UK. There is no general right to be forgotten, no data portability right, and the small business exemption (businesses under $3 million annual turnover) still leaves a significant portion of the economy outside the law's reach. The Privacy Act is designed to be principles-based, flexible and indirectly aligned with human rights law, whilst the GDPR, although also principles-based, is designed to be prescriptive, codified, and strongly aligned with human rights law.

A second tranche of reforms is anticipated, which may introduce expanded individual rights including a formal right to erasure and the controller/processor distinction familiar from GDPR. You can follow updates through the OAIC at oaic.gov.au.

Comparing the Three: Key Differences at a Glance

Feature                       United States              United Kingdom           Australia
Governing Law                 Sector laws + state laws   UK GDPR + DPA 2018       Privacy Act 1988 (as amended)
Right to Access Data          Varies by state            Yes (within 1 month)     Yes
Right to Delete Data          CCPA states only           Yes (right to erasure)   Limited
Right to Data Portability     Limited                    Yes                      No
Right to Object to Marketing  Limited                    Yes (absolute right)     Opt-out available
Privacy Tort                  Long established           Breach of confidence     New (from June 2025)
Regulator                     FTC + state AGs            ICO                      OAIC
Max Penalty                   Varies                     £17.5m or 4% turnover    Significant but lower

What These Laws Mean in Everyday Life

Understanding online privacy rights in abstract is one thing. Here's how these frameworks apply to common situations:

Social media platforms collecting your behavioral data must, in the UK and increasingly in Australia, provide you with a mechanism to access, correct, or delete that data. In the US, this depends on your state.

Data brokers — companies that collect and sell personal data — are regulated more tightly in California than anywhere else in the US. The UK's ICO has taken action against data broker practices. Australia's reforms are beginning to address this space.

Cookies and tracking technologies are regulated under the UK's Privacy and Electronic Communications Regulations (PECR), which require genuine, informed consent for non-essential cookies. The US has no federal equivalent, though some state laws are beginning to address tracking opt-outs.

Data breaches must be reported to regulators within 72 hours in the UK, and within 30 days (for eligible breaches) in Australia. The US has varying breach notification laws at state and federal levels.

Conclusion

Privacy rights online vary dramatically depending on where you live. The UK offers the most coherent and enforceable framework, built around eight clear individual rights and backed by a well-resourced regulator. Australia has made significant strides with its 2024 reforms, including a new tort for serious privacy invasions and stronger regulatory powers, but still has meaningful gaps to close. The United States remains the most fragmented, relying on a patchwork of state laws and sector-specific federal rules that leave many Americans without consistent protections — though states like California continue to push the bar higher. For individuals, the most important step is simply knowing what rights you have and exercising them: request your data, read privacy notices, opt out where you can, and hold organizations accountable when they fall short.