# User Rights Cheat Sheet

This page sets out how user rights (both data subject and consumer rights) vary across jurisdictions, and how you can think about effective ways to ensure compliance with each.

A more specific comparison of the GDPR and the CCPA can be found [here](/key-legislation/gdpr-vs.-ccpa.md).

### 1. Key legislation/frameworks to know

Although by no means an exhaustive list of the legislation and frameworks governing user rights, below you can find a useful overview of those most likely to crop up when considering your business’s data protection regime.

#### If your users are in Europe:

| Jurisdiction(s) | Regulation                                    | This regulation applies to you if you are …                                                                                                                                                                                                                                                                   | Core data subject rights                                                                                                                                                                                                                                                                                                                                                                                                           |
| --------------- | --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **EU and EEA**  | **General Data Protection Regulation (GDPR)** | <p>An organisation or individual established in the EEA/EU processing any personal data; or</p><p>An organisation or individual established outside the EEA/EU that</p><p>(a) offers goods or services to individuals in the EEA/EU; or</p><p>(b) monitors the behaviour of individuals in the EEA/EU.</p> | <ul><li>the right to be informed \[Art. 13, 14 & 19]</li><li>the right of access \[Art. 15]</li><li>the right to rectification \[Art. 16]</li><li>the right to erasure (‘right to be forgotten’) \[Art. 17]</li><li>the right to restriction of processing \[Art. 18]</li><li>the right to data portability \[Art. 20]</li><li>the right to object \[Art. 21]</li><li>rights in automated decision making (ADM) \[Art. 22]</li></ul> |
| **UK**          | **UK GDPR**                                   | <p>An organisation or individual established in the UK processing any personal data; or</p><p>An organisation or individual established outside the UK that</p><p>(a) offers goods or services to individuals in the UK; or</p><p>(b) monitors the behaviour of individuals in the UK.</p> | <p>The core data subject rights in the UK GDPR are very similar to those of the EU GDPR.</p><p>A notable difference is the amendment made to rights in automated decision making in Art. 22 UK GDPR, in comparison to the GDPR, permitting automated decisions except where they are based on sensitive data.</p> |
|                 | **The Data Protection Act 2018**              | The same as above.                                                                                                                                                                                                                                                                                            | <p>Allows certain exemptions to</p><ul><li>the right of access for law enforcement purposes</li><li>the right of rectification for law enforcement purposes and research integrity purposes</li><li>the right to erasure for purposes including freedom of expression, research, law enforcement and legal claims</li></ul>                                                                                                        |

#### If your customers are in the US:

It is a misconception that there is almost no data protection framework in the US. Rather, a patchwork of state laws applies across the country. Since these laws vary from state to state, as a business it is important to be aware of which states you are operating in and the specific demands of each state’s legislation.

Three particularly relevant state regulations are those in **California**, **Virginia** and **New York State**.

| Jurisdiction(s)    | Regulation                                                       | This regulation applies to you if you are …                                                                                                                                                                                                                                                                                                                                                               | Core data subject rights                                                                                                                                                                                                                                                                                                                                                                                                       |
| ------------------ | ---------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **California**     | **California Consumer Privacy Act (CCPA)**                       | <p>A for-profit business that:</p><ul><li>collects the personal information (PI) of California residents</li></ul><p>AND</p><ul><li>meets certain thresholds (e.g. revenue over $25 million; or data on 100K+ consumers; or 50%+ revenue from selling data.)</li></ul>                                                                                                                                    | <ul><li>the right to delete personal information (PI)</li><li>the right to correct inaccurate PI</li><li>the right to know what PI is being collected, sold, shared and to whom</li><li>the right to access PI</li><li>the right to opt out of sale or sharing of PI</li><li>the right to limit use and disclosure of sensitive PI</li><li>the right to no retaliation following opt out or exercise of other rights</li></ul> |
| **Virginia**       | **Virginia Consumer Data Protection Act (VCDPA)**                | <p>A for-profit business that:</p><ul><li>conducts business in Virginia; or</li><li>targets Virginia residents</li></ul><p>AND</p><ul><li>controls or processes personal information of at least 100,000 consumers in a calendar year; or</li><li>controls or processes personal information of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.</li></ul> | <p>Similar to the CCPA.</p><p>With the addition of a more explicit:</p><ul><li>right to data portability</li></ul> |
| **New York State** | <p>SHIELD Act</p><p><strong>Proposed NY Privacy Act</strong></p> | A person or business that owns or licenses the personal information of New York residents. | <p>No formal data subject rights as there are in the GDPR, CCPA and VCDPA. The act focuses on data security and breach notification:</p><ul><li>requires businesses to implement reasonable safeguards for personal information</li><li>mandates breach notification procedures</li><li>more data subject rights, similar to those in the CCPA, are proposed in the pending NY Privacy Act.</li></ul> |

#### If your customers are in the Asia-Pacific Region:

| Scope                 | Framework              | This framework applies to you if you are …                                                                                                                                                                                                           | Core data subject rights                                                                                                                                                                        |
| --------------------- | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| APEC member economies | APEC Privacy Framework | <p>A business operating in the Asia-Pacific region.</p><p>The framework is not legally binding, but many countries (including Australia, Japan and China) have incorporated its principles into their national privacy laws, which are enforceable.</p> | <p>Non-binding principles promoting:</p><ul><li>the right to be informed</li><li>the right of access</li><li>the right to rectification</li><li>the right to limit use and disclosure</li></ul> |

### 2. GDPR as the standard?

Whilst national laws vary in scope and enforcement, many take inspiration from the data subject rights set out in the GDPR. Since the GDPR is currently the strictest data protection regulation in the world, complying with its provisions can be a straightforward way to facilitate international compliance. Once your GDPR compliance is solid, your personal data processing is likely to be compliant wherever your data subjects reside.
