I am not a lawyer; this topic just interests me, so I did some research and wrote up a short summary. A summary of HIPAA, COPPA, and the FTC Act in the same style can be found here.
CCPA
Protects the personal data of California residents.
Personal information is information that identifies, relates to, or could reasonably be linked with you or your household. Examples:
- name
- SSN
- email address
- e-commerce history
- browsing history
- anything else that could uniquely profile you
Does NOT apply to anonymized data.
Rights
Under CCPA, citizens have the right to
- have personal information collected from them deleted (except that which is necessary for business operations)
- opt out of having their data sold
- know how their data is being processed (and how it is intended to be processed)
  - processing means: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data
- and of course, know what the collected data is
You cannot be discriminated against for exercising your CCPA rights (you cannot be denied services or provided inferior services).
Who must comply
CCPA applies to businesses that
- have a gross annual revenue of 25M+, OR
- process the data of more than 50k Californian entities (devices, individuals or households), OR
- derive 50+% of their profit from selling personal data
It does not apply to non-profits or researchers, and service providers do not have to comply; the business itself is responsible.
Filing Requests
- An online form is not required, but an email address, toll-free number, or other free digital method for making requests must be provided
- Only the Attorney General can investigate and then sue a company for violation of CCPA
Other Notes
- cannot collect data from those under 13-16 without personal or parental opt-in
- penalty of up to 2.5k for each national violation, jumping to 7k in international cases
- to sue for a data breach, the adversary must have obtained cleartext first initial and last name, together with one of:
  - SSN or other government ID
  - access to a financial account
  - medical/health information
  - biometric data
GDPR
Protects the “personal data” (interpreted as broadly as possible) of EU citizens.
Data subjects are identifiable if they can be directly or indirectly identified, especially by reference to an identifier such as:
- a name
- location data
- an online identifier
- a telephone number
- account data
- appearance
or to one of several special characteristics expressing the physical, physiological, genetic, mental, commercial, cultural or social identity of these individuals.
This only applies to EU citizens in EU countries, unless an international data processor knowingly/intentionally (targeting them with its design or marketing) processes the data of EU citizens regularly, at which point it may be held liable under the regulation. US surveillance practices have recently been specifically discussed, with the conclusion that only necessary and proportionate data collection is allowed, and that an independent court is to be created to review and redress violations.
Rights
- Right of access to data [in a “precise, transparent, comprehensible, and easily accessible” form]
- Right to be informed about your personal data, specifically including
  - the purpose of processing
  - the interests pursued in processing
  - the source of the information gathered
  - any other entities the data was transferred to
  - the duration of storage
  - whether it was used in automated decision-making (i.e. profiling)
  - any intention to transfer the data to “third countries” (non-EU countries)
- Right to be forgotten
  - data must be removed once its original purpose is complete
Complaints and Penalties
- If sensitive data processing is a core activity of the company, or data processing is particularly invasive to the rights of the subjects, the processor must appoint a Data Protection Officer to whom GDPR-related complaints can be made
- The process to complain must be accessible
- The process looks like:
  Go to the Institution/Data Protection Officer -> try to settle the complaint with them; if that is not sufficient -> European Data Protection Supervisor (government entity, may sue)
- Fines!
  - Fines must be “effective, proportionate and dissuasive for each individual case”
  - The maximum fine is 20M euros or, in the case of an undertaking (every entity engaged in related economic activity), up to 4% of the combined global turnover for the preceding fiscal year
  - European Union member states may also define additional national penalties for infringement of GDPR
Other Notes
- All processing must be consented to by the subject (opt-in, not implied) after being explained by the controller. The subject has the right to opt out at any time, and the controller may not use the data for anything beyond the purposes explicitly consented to
- Data can be transferred without the explicit consent of the data subject (otherwise consent must be specifically acquired) to countries whose data laws are of the same or better quality as the GDPR. These countries are Andorra, Argentina, Canada (only commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, Japan, the United Kingdom and South Korea. When transferring to countries outside this list, the controller has the obligation to ensure the data is properly protected, through legal clauses or certification of the data processing procedure
- The GDPR requires the difficult-to-define notion of “Privacy by Default”, i.e. appropriate (“state of the art while having reasonable implementation costs”) data safeguards by design or by default
- When data is transferred between a controller and a processor, the controller defines the allowed processing and is responsible (via a contract) for ensuring GDPR is complied with
- A data protection impact assessment must always be conducted when the processing could result in a high risk to the rights and freedoms of natural persons
- Encryption of data at rest is not strictly required, but is recommended to avoid the fines associated with publicized data breaches
Sources
CCPA: leginfo.ca.gov | oag.ca.gov
GDPR: gdpr-info.eu | edps.europa.eu | ec.europa.eu