Two laws dominate the privacy landscape for most people who think about privacy law at all: the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Both have been in force for years. Both have been used as shorthand for "strong privacy protection."
Both have significant gaps that most people — including many developers and compliance officers — don't fully understand.
This piece examines what each law actually does, what it doesn't do, and why "we're GDPR/CCPA compliant" often means less than it sounds.
GDPR: The Architecture
GDPR came into force May 2018. It applies to any organization processing personal data of EU residents, regardless of where the organization is located. A US startup with EU customers is subject to GDPR.
What GDPR requires:
Lawful basis for processing: You can't just collect and process personal data. You need a lawful basis — consent, legitimate interest, contractual necessity, legal obligation, vital interest, or public task. Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes don't count. Consent must be as easy to withdraw as to give.
Data minimization: You can only collect what you actually need for the specified purpose. Collecting "just in case we find a use for it later" is not compliant.
Purpose limitation: Data collected for one purpose can't be repurposed without new lawful basis. Data you collected for order fulfillment can't be quietly used for marketing profiling.
Storage limitation: Data can't be kept longer than necessary. You need data retention policies and mechanisms to enforce them.
Rights: EU residents have the right to access their data, correct inaccuracies, request deletion ("right to be forgotten"), restrict processing, port their data to another service (data portability), and object to automated decision-making.
Data breach notification: The supervisory authority must be notified within 72 hours of the organization becoming aware of a breach, and affected individuals must be notified without undue delay when the breach poses a high risk to them.
Data Protection Officers: Required for organizations processing large-scale sensitive data or systematic monitoring.
Privacy by Design: Data protection must be built into systems from the ground up, not bolted on.
International transfers: Data can't leave the EU to countries without "adequate" data protection unless using specific mechanisms (Standard Contractual Clauses, Binding Corporate Rules, etc.). The US-EU data transfer framework has been invalidated twice (Schrems I and Schrems II) and the third iteration (Data Privacy Framework) is under challenge.
GDPR enforcement reality:
GDPR's maximum penalty is 4% of global annual turnover or €20 million, whichever is higher. These numbers are real — Meta received a €1.2 billion fine in 2023 for illegal data transfers to the US. Amazon received a €746 million fine in 2021. Google received a €50 million fine in 2019.
But enforcement is uneven. The Irish Data Protection Commission (DPC) is the lead supervisory authority for most Big Tech companies (because they're all headquartered there for tax reasons). The Irish DPC has been criticized by other European DPAs for slow, inadequate enforcement. Noyb (Max Schrems' organization) has filed hundreds of complaints specifically because they believed the Irish DPC was not enforcing against its revenue-generating tech tenants.
GDPR Gaps
The legitimate interest loophole
"Legitimate interest" is the most abused GDPR lawful basis. Rather than getting consent, companies claim they have a "legitimate interest" in processing your data. This requires a balancing test — the company's interest vs. your rights — but it's largely self-assessed. AdTech has broadly used legitimate interest to justify behavioral tracking without consent.
In practice, "legitimate interest" has become a blanket justification for data processing that can't get consent. Some DPAs are pushing back, but the loophole remains extensively used.
Consent theater
Cookie consent banners are GDPR theater. Compliant consent requires free choice — but most cookie banners use dark patterns to make "reject all" harder than "accept all." Multiple clicks to reject, buried reject options, confusing language. Studies show consent rates change dramatically based on banner design.
The German, French, and Spanish DPAs have taken action against some of the worst offenders. But the ecosystem of consent manipulation persists.
B2B exemption confusion
GDPR technically applies to personal data of individuals. B2B marketing — targeting business contacts — is in a gray zone. Business email addresses can identify individuals. Enforcement on B2B marketing has been inconsistent.
AI training data
The legality of using scraped web data for AI training under GDPR is largely unresolved. Scraped web data includes personal data — social media posts, forum discussions, articles containing personal information. Training AI on this data arguably processes personal data without consent, with potentially no legitimate interest justification.
Several European regulators are investigating AI companies' training data practices. This space is evolving rapidly and the regulatory outcome is genuinely uncertain.
The real-time bidding problem
GDPR's most significant unresolved enforcement failure: the real-time bidding (RTB) ecosystem for digital advertising. RTB involves broadcasting personal data (location, browsing history, device ID, inferred characteristics) to hundreds of bidders simultaneously in milliseconds. This data is broadcast without meaningful contractual protections to thousands of ad tech companies globally.
The Irish DPC's investigation of RTB under GDPR has been pending for years. Multiple complaints have been filed. The mechanism appears clearly incompatible with GDPR — data is shared with entities that have no lawful basis — but the economic stakes have prevented decisive enforcement.
CCPA: The California Framework
CCPA went into effect January 2020. The California Privacy Rights Act (CPRA) expanded it significantly from January 2023. For clarity, "CCPA" here refers to the current CCPA/CPRA framework.
CCPA applies to for-profit businesses that do business in California and meet at least one of the following thresholds:
- $25 million+ annual gross revenue
- Buy, sell, or share personal information of 100,000+ consumers or households
- Derive 50%+ of revenue from selling or sharing personal information
This covers most medium-to-large businesses that have California customers.
What CCPA/CPRA requires:
Right to know: Consumers can request disclosure of what personal information a business collects, what purposes it's used for, who it's shared with, and how long it's retained.
Right to delete: Consumers can request deletion of their personal information, subject to some exceptions.
Right to opt-out of sale/sharing: Businesses must honor opt-out requests for selling personal information. "Do Not Sell or Share My Personal Information" must be a clear option. Sharing personal information for cross-context behavioral advertising counts as "sharing" even if no money changes hands.
Right to correct: Consumers can request correction of inaccurate information.
Right to limit use of sensitive personal information: Consumers can direct a business to limit its use of sensitive categories (SSNs, financial accounts, health information, precise geolocation, racial origin, religious beliefs, sexual orientation) to the specific purposes the law permits.
Non-discrimination: Businesses can't discriminate against consumers who exercise their privacy rights. You can't charge a higher price or provide a lower-quality service for opting out.
Data minimization and purpose limitation: Similar to GDPR — collect only what's necessary, use only for disclosed purposes.
Contracts for third parties: Businesses must have contracts with third parties they share data with, requiring equivalent privacy protections.
Risk assessments: CPRA adds a requirement for annual risk assessments of high-risk processing.
CCPA enforcement:
The California Privacy Protection Agency (CPPA) was created by CPRA to enforce CCPA/CPRA. Previously enforcement was by the California AG.
Maximum penalty: $7,500 per intentional violation, $2,500 per unintentional violation. There is no private right of action (including class actions) for most CCPA violations; only the AG and the CPPA can sue. The exception is data breaches, which allow private suits.
Enforcement has been slow. The CPPA took significant time to stand up. The first enforcement action under CCPA by the AG (Sephora, 2022) resulted in a $1.2 million settlement for selling data without disclosing it or honoring opt-outs.
CCPA Gaps
The B2B and employee exemptions (now expired, but with lasting effect)
CCPA originally exempted B2B personal information (data about individuals acting in a business capacity) and employment-related personal information. CPRA removed these exemptions, but the prior carve-out meant years of non-coverage for large categories of data.
Federal preemption risk
If the US passes a federal privacy law (the American Privacy Rights Act, APRA, has been under discussion), it could preempt state laws like CCPA. How preemption would affect California's stronger protections is a live legislative question.
The "sale" definition problem
CCPA's core right is to opt out of the "sale" of personal information. For years, companies argued that sharing data with advertising partners wasn't a "sale" because no money changed hands — it was an exchange for services. CPRA closed this by adding "sharing" for cross-context behavioral advertising.
But the definitional cat-and-mouse continues. Companies structure data arrangements to avoid the technical definition while achieving the same practical result.
Service provider loophole
Companies can share data with "service providers" (vendors that process data on the company's behalf under contract) without it being a "sale." Service providers must be contractually restricted from using the data for their own purposes.
In practice, the service provider designation is used broadly. Google Analytics is claimed as a service provider. Facebook Pixel is claimed as a service provider. Whether these relationships meet the legal definition when the service providers can use aggregate data for their own model training or product improvement is contested.
Deletion implementation
Deletion requests are honored to varying degrees. Companies frequently exclude from deletion any data they deem "necessary for" completing a transaction, security, legal obligations, exercising free speech, research, or internal uses aligned with consumer expectations. The exceptions can swallow the rule.
Data shared with third parties must be deleted from those third parties too — but getting the third parties to actually delete it is difficult to verify.
What "GDPR/CCPA Compliant" Actually Means
When a company says they're GDPR or CCPA compliant, it means they have:
- Added cookie consent banners (GDPR)
- Added privacy policy disclosures
- Added a "Do Not Sell" link (CCPA)
- Responded to the data rights requests they've received
It does not mean:
- They actually collect minimal data
- Their consent was freely given rather than designed to maximize acceptance
- Their service providers actually protect the data
- They'll actually delete everything when you request it
- Their advertising stack is compliant (probably isn't)
- AI systems trained on your data comply with these laws (unclear)
The AI Privacy Law Gap
GDPR and CCPA were written before large language models existed as a commercial product. They apply in principle — LLMs are trained on personal data — but the implementation is deeply unclear.
Key open questions:
Is training data processing lawful under GDPR? Scraped web data used for AI training contains personal data. The lawful basis for processing it is unclear. "Legitimate interest" is possible but requires a balancing test. Consent was never obtained. This is the core of multiple pending EU regulatory investigations.
What does deletion mean for AI? If you request deletion of your data under GDPR or CCPA, and your data was used in AI training, what does the company delete? They can delete the training data from their storage. But the model weights are mathematically influenced by that data. You can't "unlearn" training data from a model without retraining. Does "deletion" require retraining? No regulator has definitively answered this.
Who is the data controller for AI-generated content? If an AI generates content based on patterns learned from personal data, and that content includes personal information about real people, who is responsible?
Does automated decision-making in AI trigger GDPR protections? GDPR gives rights with respect to automated decision-making with significant effects. AI-based hiring screening, credit scoring, insurance pricing — these clearly implicate GDPR's automated decision-making provisions. But most companies haven't implemented meaningful compliance.
The Practical Gap: What You Can Do
Privacy law provides rights, not protection. Your rights only protect you if:
- You know you have them
- You exercise them
- The company complies
- There's enforcement if they don't
All four conditions frequently fail.
For most people, the practical protections are:
Minimize what you share: Don't volunteer information that isn't required. Don't fill in optional fields. Use aliases for low-trust services. Use separate email addresses by trust tier.
Use services with structural privacy incentives: A company that doesn't make money from your data has no incentive to collect it. Choose services where the business model doesn't require knowing things about you.
For AI specifically: The law hasn't caught up to the technology. The practical protection is architectural: use services that minimize data exposure rather than relying on legal protections that don't clearly apply. A privacy proxy that scrubs PII before your query reaches the AI provider does more for your AI privacy today than GDPR or CCPA.
Exercise your rights: Request access to your data from major data brokers and delete it. Use optout.global for US data broker opt-outs. Submit GDPR deletion requests to companies you've dealt with but no longer use. It's tedious, but it works.
Support stronger regulation: The gaps in GDPR and CCPA aren't primarily technical, they're political. Weak enforcement, definitional loopholes, and industry lobbying create the gaps. Better enforcement and stronger laws change the calculus.
The Trajectory
GDPR has changed behavior. More companies have privacy teams than before 2018. Data breach notification is faster. Consent requirements have made some tracking less invisible.
But the AdTech ecosystem, real-time bidding, and behavioral surveillance at scale continue largely intact. AI training on scraped personal data is a new frontier that existing law doesn't clearly address. Enforcement resources are limited relative to the scale of violation.
The gap between what privacy law promises and what it delivers is real. Understanding that gap is the prerequisite for making meaningful choices — choices that don't rely on regulatory protections that may not actually protect.
TIAMAT's privacy proxy (tiamat.live/api/proxy) operates in the gap that current privacy law doesn't cover: AI query privacy. GDPR and CCPA don't clearly govern what AI providers do with your prompts. The practical answer is architectural — strip PII before it reaches the provider, proxy through infrastructure that doesn't log, and don't rely on legal promises that haven't been tested. POST /api/scrub is free. POST /api/proxy routes through TIAMAT's servers — your IP and identity never touch OpenAI, Anthropic, or Groq.
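The "strip PII before it reaches the provider" pattern named in the practical-protections section and in the paragraph above, as an added example. This is not TIAMAT's code, nor its /api/scrub or /api/proxy implementation (neither is on this page); it is a self-contained illustration of the architecture. It assumes a small set of regex detectors (email, SSN, phone, IPv4) that I chose for readability, a constructed sample prompt with documentation-style fake values, and a `call_provider` callable standing in for the real model API. The point it demonstrates is the data flow: the upstream provider only ever sees placeholder tokens, the placeholder-to-value mapping never leaves the client side, and the reply is rehydrated locally.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Illustrative detectors (assumption: these four types are enough for the demo).
# Order matters: the strict SSN pattern runs before the looser phone pattern so
# a 3-2-4 digit group is tagged as an SSN rather than as a phone fragment.
# A production scrubber would add named-entity recognition for names, addresses
# and other PII these regexes cannot see.
PII_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("EMAIL", re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"(?<!\d)(?:\+?1[ .-]?)?(?:\(\d{3}\)|\d{3})[ .-]?\d{3}[ .-]?\d{4}(?!\d)")),
    ("IPV4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]


@dataclass
class ScrubResult:
    scrubbed: str
    # placeholder -> original value. Kept on the client side only; never sent upstream.
    mapping: Dict[str, str] = field(default_factory=dict)


def scrub(text: str) -> ScrubResult:
    """Replace each detected PII value with a stable placeholder like <EMAIL_1>.

    The same value always maps to the same placeholder, so a prompt that repeats
    an address still reads coherently to the model.
    """
    mapping: Dict[str, str] = {}
    reverse: Dict[str, str] = {}   # original value -> placeholder
    counters: Dict[str, int] = {}

    def make_replacer(kind: str):
        def _sub(match):
            value = match.group(0)
            if value not in reverse:
                counters[kind] = counters.get(kind, 0) + 1
                token = f"<{kind}_{counters[kind]}>"
                reverse[value] = token
                mapping[token] = value
            return reverse[value]
        return _sub

    for kind, pattern in PII_PATTERNS:
        text = pattern.sub(make_replacer(kind), text)
    return ScrubResult(text, mapping)


def rehydrate(text: str, mapping: Dict[str, str]) -> str:
    """Restore original values into a reply that echoes the placeholders."""
    for token, value in mapping.items():
        text = text.replace(token, value)
    return text


def contains_pii(text: str) -> bool:
    """True if any detector still fires; used to check nothing leaked upstream."""
    return any(pattern.search(text) for _, pattern in PII_PATTERNS)


def privacy_proxy(prompt: str, call_provider: Callable[[str], str]) -> str:
    """Scrub -> send placeholders to the provider -> rehydrate the reply locally.

    `call_provider` is the only thing that talks to the model API, and it only
    ever receives the scrubbed text. The mapping stays in this process.
    """
    result = scrub(prompt)
    assert not contains_pii(result.scrubbed), "refusing to forward: PII still present"
    reply = call_provider(result.scrubbed)
    return rehydrate(reply, result.mapping)


if __name__ == "__main__":
    # Constructed sample prompt using documentation-style fake values.
    prompt = ("My email is jane.doe@example.com, call me at (415) 555-0142, "
              "my SSN is 123-45-6789 and I connect from 203.0.113.7. "
              "Confirm jane.doe@example.com.")

    def echo_provider(scrubbed_prompt: str) -> str:
        # Stand-in for the real model call: just echoes what it was given,
        # which lets you see exactly what the provider would have received.
        print("provider saw:", scrubbed_prompt)
        return "Received: " + scrubbed_prompt

    print("user sees:  ", privacy_proxy(prompt, echo_provider))
```

Two design choices worth noting. The mapping is held in memory for the lifetime of one request and returned to the caller only as the rehydrated reply, so a proxy built this way has nothing PII-bearing to write to a log even if it logs requests. And `privacy_proxy` refuses to forward if a detector still fires after scrubbing, which turns a silent leak into a loud failure; in practice that check is where you would plug in a second, stronger detector rather than trusting the regexes alone.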