When does data privacy rights apply?

Your data privacy rights kick in when:A company collects, stores, or sells your personal data — name, email, phone, location, browsing history, purchase history.You want to know what they have on you.You want them to delete it.You want to opt out of the sale or sharing.You're notified of a data breach that exposed your information.The state-by-state landscape, as of 2026:California (CCPA/CPRA): Still the strongest. Rights to know, delete, opt out of sale and sharing, correct, and limit use of sensitive personal information. Enforced by the California Privacy Protection Agency, the only standalone state privacy regulator. Applies to businesses with $25M+ revenue, data on 100,000+ consumers, or 50%+ revenue from selling data.Colorado, Connecticut, Virginia, Texas, Oregon, Montana, Delaware, Iowa, New Hampshire, New Jersey, Tennessee, Minnesota, and several more — comprehensive privacy laws, varying effective dates through 2026. Most cover access, deletion, correction, and opt-out.States without comprehensive laws: Your main backstop is the FTC's general authority to chase "unfair or deceptive" data practices under Section 5 of the FTC Act, plus the federal sector-specific laws (HIPAA, COPPA, GLBA, FERPA).Three myths:"No federal law means no rights." The state laws now cover roughly half of all Americans, and the federal sectoral laws cover health, financial, education, and kids' data nationwide."Free service means they can do anything." They still owe you a privacy policy disclosure and, in CCPA-and-similar states, opt-out rights regardless of whether you paid."Deleting my account deletes my data." Not automatically. Companies retain data for legal, business, and analytics reasons. To force deletion, you generally have to submit a specific deletion request under your state law.

You're reading the Alaska version.Change state →

Choose your state

Data Privacy Rights in Alaska

Q: What should I do if a company is misusing my personal data or had a data breach?

Step 1: Figure out which law covers you. Your residence usually controls. If you're in California, Colorado, Connecticut, Virginia, Texas, Oregon, or one of the newer states, you have specific statutory rights you can exercise.Step 2: Submit access requests. Most companies have a "Privacy" or "Do Not Sell My Information" link in the footer. California residents can use the phrase "right to know"; the company has 45 days to respond (extendable to 90).Step 3: Opt out of sale and sharing. Under CCPA-style laws, companies have to give you a clear opt-out mechanism. Look for "Do Not Sell or Share My Personal Information" links, and turn on Global Privacy Control in your browser — California-style laws now treat that signal as a binding opt-out.Step 4: After a breach, take the steps. Most states require notification and many require offered credit monitoring. Use it. Change passwords, enable two-factor authentication, freeze your credit.Step 5: Complain. State attorneys general enforce most state privacy laws. California has its dedicated CPPA. The FTC takes federal complaints at reportfraud.ftc.gov.

Q: What should you NOT do about data privacy rights?

Don't toss the breach notice. If a company tells you your data was compromised, the clock has already started. Change passwords, enable 2FA on the affected accounts and any account that reuses the password, and freeze your credit.Don't auto-accept cookie banners. Most are designed to look like accepting all is the easy path — and "Reject All" is hidden behind two clicks. Take the two clicks.Don't read privacy policies as protection. They're disclosures, not commitments. The interesting sections are usually "how we share your data with third parties," "data retention," and "your rights" — the rest is boilerplate.Don't pay data-removal services upfront without comparison. Many of them charge $10–$30 a month to send the same opt-out requests you can send yourself for free. Try DIY first; the requests for the major data brokers are mostly automated forms.

Researched by Ahmed Alsaedi, Lead Engineer

Primary sources cited; not legal advice.

Source: Federal: FTC Act § 5 (15 U.S.C. § 45), HIPAA (42 U.S.C. § 1320d), COPPA (15 U.S.C. §§ 6501–6506), FERPA (20 U.S.C. § 1232g), GLBA (15 U.S.C. §§ 6801–6809). State: California Consumer Privacy Act/CPRA (Cal. Civ. Code § 1798.100 et seq.), Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.), Connecticut Data Privacy Act (Conn. Gen. Stat. § 42-515 et seq.), Virginia Consumer Data Protection Act (Va. Code § 59.1-575 et seq.), Texas Data Privacy and Security Act (Tex. Bus. & Com. Code Ch. 541).

About this article

Sourced from primary statutes (U.S. Code, CFR, state compiled statutes) and official government agency guidance. Written in plain language for general understanding — this is educational content, not legal advice. Our editorial standards

Alaska Law

How Alaska differs from federal law

Alaska has notable privacy protections rooted in its state constitution, though it lacks a comprehensive consumer data privacy law:

Constitutional right to privacy (Art. I, § 22): Alaska's Constitution explicitly protects the right to privacy — one of the strongest state constitutional privacy provisions in the nation. This broad right has been interpreted by Alaska courts to provide protections beyond those in the federal Constitution.
Data breach notification (AS § 45.48.010): Businesses must notify Alaska residents when a security breach compromises their personal information. Notification must be made in the most expedient time possible.
No comprehensive consumer privacy law: Alaska has not enacted a comprehensive consumer data privacy law like California's CCPA. There is no general right to request deletion of personal data or opt out of data sales.
Personal information protection: Alaska law requires businesses that collect personal information to implement and maintain reasonable security measures (AS § 45.48.090).
Federal protections apply: Federal laws including HIPAA (health data), GLBA (financial data), COPPA (children's data), and FERPA (education records) provide baseline protections for Alaska residents.

Additional Steps in Alaska

Report data breaches to the Alaska Attorney General at (907) 269-5200 or law.alaska.gov. File identity theft reports with the FTC at identitytheft.gov. Monitor your credit reports at annualcreditreport.com.

Relevant Law: Alaska Constitution, Art. I, § 22 (right to privacy). Alaska Stat. § 45.48.010 (data breach notification). Alaska Stat. § 45.48.090 (security measures).

Federal baseline: Data Privacy Rights nationwide

What is this right?

The United States is one of the only major economies without a single comprehensive federal data privacy law. Congress has come close several times — the American Data Privacy and Protection Act died in committee in 2022, and APRA stalled in 2024 — but never gotten over the line. The result is a patchwork: federal sector-specific laws (HIPAA for health data, FERPA for education records, COPPA for kids under 13, GLBA for financial data) plus a fast-growing list of state laws that look more like the EU's GDPR.

California led with the CCPA in 2018 (strengthened by the CPRA in 2020). Colorado, Connecticut, Virginia, Texas, Oregon, Montana, and a dozen other states have followed with their own comprehensive privacy laws, all with rolling effective dates through 2026. The rights vary, but the core is consistent: you can ask what data a company has, ask them to delete it, and opt out of the sale or sharing of it. Where you live decides what you can demand.

When does it apply?

Your data privacy rights kick in when:

A company collects, stores, or sells your personal data — name, email, phone, location, browsing history, purchase history.
You want to know what they have on you.
You want them to delete it.
You want to opt out of the sale or sharing.
You're notified of a data breach that exposed your information.

The state-by-state landscape, as of 2026:

California (CCPA/CPRA): Still the strongest. Rights to know, delete, opt out of sale and sharing, correct, and limit use of sensitive personal information. Enforced by the California Privacy Protection Agency, the only standalone state privacy regulator. Applies to businesses with $25M+ revenue, data on 100,000+ consumers, or 50%+ revenue from selling data.
Colorado, Connecticut, Virginia, Texas, Oregon, Montana, Delaware, Iowa, New Hampshire, New Jersey, Tennessee, Minnesota, and several more — comprehensive privacy laws, varying effective dates through 2026. Most cover access, deletion, correction, and opt-out.
States without comprehensive laws: Your main backstop is the FTC's general authority to chase "unfair or deceptive" data practices under Section 5 of the FTC Act, plus the federal sector-specific laws (HIPAA, COPPA, GLBA, FERPA).

Three myths:

"No federal law means no rights." The state laws now cover roughly half of all Americans, and the federal sectoral laws cover health, financial, education, and kids' data nationwide.
"Free service means they can do anything." They still owe you a privacy policy disclosure and, in CCPA-and-similar states, opt-out rights regardless of whether you paid.
"Deleting my account deletes my data." Not automatically. Companies retain data for legal, business, and analytics reasons. To force deletion, you generally have to submit a specific deletion request under your state law.

What to Do If a Company Is Collecting or Selling Your Personal Data

Step 1: Figure out which law covers you. Your residence usually controls. If you're in California, Colorado, Connecticut, Virginia, Texas, Oregon, or one of the newer states, you have specific statutory rights you can exercise.

Step 2: Submit access requests. Most companies have a "Privacy" or "Do Not Sell My Information" link in the footer. California residents can use the phrase "right to know"; the company has 45 days to respond (extendable to 90).

Step 3: Opt out of sale and sharing. Under CCPA-style laws, companies have to give you a clear opt-out mechanism. Look for "Do Not Sell or Share My Personal Information" links, and turn on Global Privacy Control in your browser — California-style laws now treat that signal as a binding opt-out.

Step 4: After a breach, take the steps. Most states require notification and many require offered credit monitoring. Use it. Change passwords, enable two-factor authentication, freeze your credit.

Step 5: Complain. State attorneys general enforce most state privacy laws. California has its dedicated CPPA. The FTC takes federal complaints at reportfraud.ftc.gov.

What should you NOT do?

Don't toss the breach notice. If a company tells you your data was compromised, the clock has already started. Change passwords, enable 2FA on the affected accounts and any account that reuses the password, and freeze your credit.

Don't auto-accept cookie banners. Most are designed to look like accepting all is the easy path — and "Reject All" is hidden behind two clicks. Take the two clicks.

Don't read privacy policies as protection. They're disclosures, not commitments. The interesting sections are usually "how we share your data with third parties," "data retention," and "your rights" — the rest is boilerplate.

Don't pay data-removal services upfront without comparison. Many of them charge $10–$30 a month to send the same opt-out requests you can send yourself for free. Try DIY first; the requests for the major data brokers are mostly automated forms.

You shouldn't have to hire a lawyer to assert your rights.

Answer a few questions. We generate a personalized letter citing your state's exact statutes, deadlines, and penalties — ready to print and send in minutes.

Lawyers charge $350+. Your letter: $19.

Privacy Deletion$19 Debt Collector C&D$19 Debt Validation$19 Credit Dispute$19

See all 20 letter types →

Data Privacy Rights in other states

Same topic, different jurisdiction. Pick the one that applies to you.

Legal Resources

We may earn a commission if you use these services — at no extra cost to you. This supports our mission to make legal information free for everyone.

Credit KarmaFree credit monitoring, dispute tools, and alerts. Know when your credit report changes.Check Your Credit Free →IdentityGuardIdentity theft protection and monitoring. Get notified if your personal information is misused.Protect Your Identity →

Every reference below links to its primary source — the statute book, regulator, or court — and carries a verification date. See our citation methodology for how this works.

Alaska

StatuteAlaska Data Breach Notification — Alaska Stat. § 45.48.010
Agency guidanceAlaska Attorney General — Privacy and Consumer Data
Agency guidanceFTC Privacy and Data Security Guidance

Federal

StatuteGramm-Leach-Bliley Act, 15 U.S.C. § 6801
Imposes privacy and safeguarding duties on financial institutions handling consumer data.
StatuteChildren's Online Privacy Protection Act, 15 U.S.C. § 6501 et seq.
Federal consent and disclosure rules for online services collecting data from children under 13.
StatuteFTC Act § 5, 15 U.S.C. § 45
Bars unfair or deceptive practices — the FTC's core authority over consumer privacy enforcement.
Agency guidanceFTC — Privacy and Security Enforcement
FTC portal collecting consent decrees, data-breach guidance, and enforcement actions.