Introduction
Two major privacy regulations have reshaped how companies handle personal data: the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) — along with its amendment, the CPRA — in California.
Both laws give you rights over your personal information, including your email address. But what do these rights actually mean in practice? And do they eliminate the need for self-help tools like disposable email?
The short answer: regulation helps, but it's not sufficient. Here's what the law actually says and why disposable email remains essential.
What GDPR Says About Your Email
GDPR (effective May 2018) applies to any organization processing the data of EU residents, regardless of where the company is based. Key provisions relevant to email:
Consent must be explicit. Pre-ticked boxes are invalid. Consent must be "freely given, specific, informed, and unambiguous." Silence or inactivity is not consent.
You have the right to withdraw consent. It must be as easy to withdraw as it was to give.
You have the right to be forgotten. You can request deletion of your personal data, including your email, under certain conditions.
You have the right to data portability. You can request a copy of your data in a machine-readable format.
You must be informed of data sharing. If a company sells or shares your email with third parties, they must disclose this.
What CCPA/CPRA Says About Your Email
CCPA (effective 2020) and CPRA (effective 2023) apply to for-profit businesses that collect California residents' data and meet certain thresholds.
You have the right to know. Businesses must disclose what personal information they collect, including email addresses, and how it's used.
You have the right to delete. You can request deletion of your personal information, subject to certain exceptions.
You have the right to opt out. You can direct a business to stop selling your personal information. Businesses must provide a clear "Do Not Sell My Personal Information" link.
You have the right to non-discrimination. Businesses cannot deny service or charge different prices to users who exercise their privacy rights.
Why Regulation Alone Isn't Enough
Enforcement is inconsistent. Despite GDPR's fines (up to 4% of global revenue), enforcement varies widely by country. The ICO in the UK, for example, has issued significant fines, but many violations go unpunished.
Compliance is not universal. Many companies, especially smaller ones, remain non-compliant. Your rights exist on paper, but exercising them requires effort — submitting requests, tracking responses, and escalating if ignored.
Data broker loopholes. Data brokers often operate in regulatory gray zones. Some claim exemptions under "legitimate interest" provisions. The EDPB's 2024 guidelines on legitimate interest aim to clarify this, but enforcement is ongoing.
Once data is out, you can't pull it back. Even if you exercise your deletion rights, your email may have already been sold, shared, or breached. Regulation can't undo past exposure.
The Self-Help Complement
This is where disposable email comes in. Regulation gives you the right to remedy privacy violations after they happen. Disposable email gives you the ability to prevent them from happening in the first place.
By using a disposable address for new sign-ups, you ensure that:
- No consent is needed (you haven't given any personal data)
- No deletion request is required (the data self-destructs)
- No opt-out is necessary (there's nothing to sell)
- No breach can expose your real email (it was never collected)
The Expira Connection
Expira operates on the principle that the best data protection is not having the data at all. We don't collect personal information, we don't track usage, and we don't retain messages. There's nothing for a regulator to enforce and nothing for an attacker to steal.
Conclusion & CTA
GDPR, CCPA, and similar laws are important steps forward for privacy rights. But they're not a substitute for proactive self-protection. The most effective privacy strategy combines legal rights with practical tools.
Know your rights. Use your tools. Keep Expira ready for interactions where regulation alone isn't enough.
Sources: GDPR Articles 6, 7, 17, 20; CCPA/CPRA (Cal. Civ. Code §§ 1798.100–1798.199); EDPB Guidelines 1/2024 on Legitimate Interest