Privacy Guide | May 27, 2026 | 9 min read

Understanding Your Right to Data Portability

By Sarah Chen

Head of Privacy Research

Data portability is the right to receive your personal data from a company in a structured, commonly used, machine-readable format and, in some cases, to have that data transferred directly to another service. It is one of the most powerful yet underused privacy rights available to consumers today. Here is what data portability means in practice, which laws protect it, and how you can exercise this right in 2026.

What Is Data Portability?

At its core, data portability is about making sure you are not locked into a single service because a company holds all your data hostage. If you want to switch email providers, move to a new social media platform, or simply understand what a company knows about you, data portability gives you the legal right to request your information in a format you can actually use — like a CSV, JSON, or XML file.

Unlike the right to access, which simply requires a company to tell you what data they hold, data portability goes a step further. It requires the data to be provided in a portable, machine-readable format that you or another service can process. This distinction matters because a PDF printout of your data is not the same as a structured file you can import into a competing service.

Data Portability Under the GDPR

The strongest data portability protections exist under the European Union's General Data Protection Regulation (GDPR), specifically Article 20. Under the GDPR, you have the right to:

  • Receive your personal data in a structured, commonly used, machine-readable format.
  • Transmit that data to another controller — meaning you can ask one company to send your data directly to a competing service, where technically feasible.

The GDPR's portability right applies to data you have provided to a controller, either actively (like filling out a profile) or through your use of a service (like your activity history). It applies when processing is based on consent or a contract and is carried out by automated means.

Organizations must respond to portability requests within 30 days. The data must be provided free of charge in most cases.

What Counts as "Data You Provided"?

Under the GDPR, data you provided includes both information you actively submitted (name, email, profile details) and data generated by your activity (purchase history, location logs, browsing behavior on the platform). However, it generally does not include data the company has derived or inferred about you, such as a credit score they calculated or a customer segment they assigned you to. This is an important limitation to understand when making a portability request.

Data Portability Under US State Laws

The United States does not have a single federal data portability law, but a growing number of state privacy statutes include portability provisions. The scope and strength of these rights vary by state.

California (CCPA/CPRA)

Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, consumers have the right to receive their personal information in a portable and readily useable format. However, California's portability right has a key limitation compared to the GDPR: it requires businesses to disclose data to you, but it does not require them to transfer your data directly to another company.

California businesses must respond to portability requests within 45 days, with a possible 45-day extension for complex requests. The data must be delivered in a format that is easily understandable to a "reasonable consumer" and, when provided electronically, in a portable, machine-readable format.

It is also worth noting that California's DROP platform, launched on January 1, 2026, allows residents to submit a single deletion request to 500+ registered data brokers. While DROP focuses on deletion rather than portability, it reflects California's broader push to give consumers practical control over their personal information.

Virginia, Colorado, Connecticut, and Others

Virginia's VCDPA, Colorado's CPA, Connecticut's CTDPA, and most of the 20-plus state privacy laws enacted through 2026 include a right to data portability. These laws generally follow the same pattern:

  • You can request a copy of personal data a business holds about you.
  • The data must be provided in a portable, readily usable format.
  • Businesses must respond within 45 days.
  • There is no requirement for direct controller-to-controller transfers (unlike the GDPR).

This means US portability rights are primarily about getting your data into your own hands, rather than seamlessly migrating it between services.

Not All States Have Portability Rights

If you live in a state without a comprehensive consumer privacy law, you may not have a legal right to data portability at all. As of mid-2026, roughly half of US states still lack comprehensive privacy legislation. Even in states with these laws, significant exemptions exist for nonprofits, government agencies, and data covered by federal regulations like HIPAA and GLBA. Check your state's specific laws to understand what rights you have.

How to Exercise Your Right to Data Portability

Whether you are covered by the GDPR, the CCPA, or another state law, the process for requesting your data is broadly similar:

  1. Identify the company and the applicable law. Determine which privacy law applies based on where you live and where the company operates. If the company does business in the EU, GDPR likely applies. If you are a California resident, you can use the CCPA.
  2. Submit a formal request. This is called a Data Subject Access Request (DSAR) under the GDPR or a verifiable consumer request under US state laws. Look for a "Privacy" or "Your Privacy Rights" link in the company's website footer.
  3. Verify your identity. Companies will ask you to confirm your identity before releasing data, typically by verifying your email address or answering security questions.
  4. Specify the format you want. If you have a preference for how you receive your data (CSV, JSON, XML), state it in your request. Companies are required to provide data in a machine-readable format, but specifying your preference can help ensure you receive something usable.
  5. Wait for the response. Companies have 30 days under the GDPR or 45 days under US state laws. If a company fails to respond or refuses without valid justification, file a complaint with the relevant regulatory authority.

Practical Uses for Data Portability

Data portability is not just an abstract legal right. There are real, practical reasons to exercise it:

  • Switching services: Moving from one email provider, cloud storage service, or social media platform to another is much easier when you can export your data in a structured format and import it elsewhere.
  • Comparing what companies know: Requesting your data from multiple companies can reveal how much personal information has been collected about you, often far more than you expect.
  • Building a personal data inventory: Having copies of your data from various services gives you a comprehensive picture of your digital footprint, which is the first step toward managing it.
  • Detecting inaccuracies: Reviewing the data companies hold about you may reveal errors in your records, which you can then correct using your right to rectification.

Limitations You Should Know About

Data portability rights, while valuable, have meaningful limitations:

  • Derived and inferred data is often excluded. Companies may not be required to provide data they have generated about you, such as algorithmic scores, internal classifications, or predictive profiles.
  • No direct transfer requirement in the US. Unlike the GDPR, US state laws do not require companies to send your data directly to a competitor. You have to download it yourself and re-upload it.
  • Format inconsistencies. Even when data is provided in a "machine-readable" format, there is no universal standard. A CSV export from one platform may not be directly importable into another without manual reformatting.
  • Exemptions apply. Data covered by sector-specific federal laws (HIPAA, GLBA, FCRA) is typically excluded from state portability requirements.

Data Portability and Data Brokers

Data portability also matters in the data broker ecosystem. Requesting your data from a broker can reveal exactly what personal information they hold — your addresses, phone numbers, relatives, estimated income, and more.

However, exercising portability rights against hundreds of data brokers one by one is a massive undertaking. This is where PrivacyOn helps. Rather than submitting individual requests to each broker, PrivacyOn removes your personal information from over 100 data broker sites, monitors for reappearances, and alerts you through dark web monitoring if your data surfaces in places you cannot reach on your own.

Looking Ahead

Data portability is likely to become even more important in the coming years as the EU's Data Act extends portability principles to connected devices and more US states add portability provisions to their privacy laws.

Understanding and exercising your right to data portability is a key part of taking control of your digital life. Combined with deletion rights and opt-out mechanisms, it gives you a practical toolkit for managing your personal information. And for the parts that are too time-consuming to handle manually, services like PrivacyOn fill the gap by doing the heavy lifting across the data broker landscape on your behalf.

Sarah Chen

Head of Privacy Research

CIPP/US Certified | IAPP Member | B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
