The Right You Don’t Have

In August 2020, a Brazilian judge ordered Facebook to pay 20 million reais — roughly $4 million — for sharing user data without consent. The case wasn't novel. It wasn't even particularly dramatic by Brazilian legal standards. What made it remarkable was the law behind it: the Lei Geral de Proteção de Dados, or LGPD, which had gone into effect just weeks earlier. Brazil had a comprehensive federal privacy law. The United States, which invented the internet, still does not.[1]

The Map Has Flipped

For decades, the assumption in tech policy circles was that digital rights would radiate outward from Silicon Valley and Washington. The US and the EU would set the standards; the rest of the world would follow. Europe delivered on its end — the General Data Protection Regulation became the global gold standard in 2018. But the United States never showed up. Congress has introduced and abandoned federal privacy legislation in every session since 2012. The American Data Privacy and Protection Act came tantalizingly close in 2022, passing the House Energy and Commerce Committee with bipartisan support, then dying quietly in the Senate.[2]

Meanwhile, Latin America moved. Not tentatively. Not as an afterthought. Country after country enacted privacy frameworks that, in many cases, are more protective than anything Americans have ever had. As of 2025, at least 15 Latin American countries have comprehensive data protection laws on the books.[3]

Brazil: The LGPD

Brazil's LGPD, signed into law in 2018 and fully enforced by 2021, is modeled on the GDPR but adapted for Brazilian legal traditions. It applies to any company that processes the data of people in Brazil — regardless of where the company is based. It requires explicit consent for data collection, grants citizens the right to access, correct, and delete their data, and mandates that companies appoint a Data Protection Officer. Violations carry fines of up to 2% of a company's revenue in Brazil, capped at 50 million reais per infraction.[4]

The law created its own enforcement body — the Autoridade Nacional de Proteção de Dados, or ANPD — which began issuing fines and regulations in 2023. In its first major enforcement action, the ANPD sanctioned a telecommunications company for failing to appoint a data protection officer and for processing data without a lawful basis. It wasn't a wrist slap. It was a signal: Brazil was serious.[5]

“The LGPD represents one of the most significant legal developments in Latin America in a generation. It doesn't just regulate companies — it creates a culture of data rights that didn't previously exist.”
— Bruno Bioni, founder of Data Privacy Brasil

Argentina: Privacy as a Constitutional Right

Argentina didn't wait for the digital age to protect privacy. The country's constitution, amended in 1994, includes habeas data — a legal mechanism that gives every person the right to access, correct, or delete any personal information held in public or private databases. This is not a statute. It is a constitutional guarantee, sitting alongside the rights to free speech and due process.[6]

Argentina's Personal Data Protection Act, Law 25.326, was enacted in 2000 — five years before Facebook existed, eight years before the iPhone. It established a national data protection authority and imposed strict requirements on cross-border data transfers. In 2003, the European Commission recognized Argentina as providing an “adequate” level of data protection — one of only a handful of non-European countries to receive that designation. As of 2024, Argentina was working on a major update to align more closely with the GDPR while preserving its constitutional foundations.[7]

Mexico: INAI and the Fight for Transparency

Mexico's approach to privacy is inseparable from its fight for government transparency. The country's Federal Law on Protection of Personal Data Held by Private Parties, enacted in 2010, gave Mexicans the right to access, rectify, cancel, and oppose the processing of their personal data — known as ARCO rights. Enforcement fell to INAI, the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales, an autonomous constitutional body with the power to investigate complaints, issue binding resolutions, and levy fines.[8]

INAI became one of the most assertive privacy regulators in the hemisphere. It investigated complaints against banks, telecom companies, hospitals, and political parties. It fined companies for selling customer databases without consent. It published detailed guidance on biometric data, cloud computing, and children's privacy. Then, in 2023, President Andrés Manuel López Obrador proposed abolishing it — calling it expensive, corrupt, and unnecessary. The Senate approved the dissolution in late 2024, folding INAI's functions into the Secretaría de la Función Pública, a body under direct executive control.[9]

“Eliminating INAI doesn't eliminate the right to privacy. It eliminates the institution that enforced it.”
— Article 19, international freedom of expression organization

The dismantling of INAI is a cautionary tale: privacy rights are only as durable as the institutions that defend them. But even in its diminished state, Mexico's legal framework still provides more explicit data protection rights than anything that exists at the federal level in the United States.

The American Patchwork

The US has no comprehensive federal privacy law. What it has instead is a patchwork: HIPAA covers health data. FERPA covers student records. COPPA covers children under 13. The Gramm-Leach-Bliley Act covers some financial data. Everything else — your browsing history, your location data, your purchase records, your face — is largely unregulated at the federal level.[10]

Individual states have tried to fill the gap. California passed the CCPA in 2018 and strengthened it with the CPRA in 2020. Virginia, Colorado, Connecticut, and a handful of other states followed with their own laws. But these laws vary wildly in scope, enforcement mechanisms, and definitions of personal data. A company operating in all 50 states faces a maze of conflicting requirements — or, more commonly, follows whichever state's law is weakest and hopes for the best.[11]

The result is that an American living in Mississippi has essentially no statutory privacy rights over their personal data, while a Brazilian in São Paulo, a Mexican in Guadalajara, and an Argentine in Buenos Aires are protected by comprehensive national frameworks — and in Argentina's case, by the constitution itself.

Why It Matters

This is not an abstract policy gap. It is a daily reality. American data brokers collect and sell detailed profiles — health conditions, sexual orientation, political affiliations, real-time location data — to anyone willing to pay. In 2023, a Durham, North Carolina company called Near Intelligence was caught selling the location data of visitors to Planned Parenthood clinics, domestic violence shelters, and places of worship. There was no federal law that clearly prohibited it.[12]

In Brazil, that sale would violate the LGPD's prohibition on processing sensitive data without explicit consent. In Argentina, the data subject could invoke habeas data and demand judicial relief. In the United States, the most powerful response available was an FTC enforcement action under Section 5 of the Federal Trade Commission Act — a statute written in 1914 to address unfair business practices, not data privacy.

The standard American excuse — that privacy regulation would stifle innovation — rings hollow when Brazil's tech sector is booming, Argentina's startup ecosystem is thriving, and the EU, operating under the world's strictest data protection regime, has not collapsed into economic irrelevance. Privacy law does not kill innovation. The absence of privacy law kills trust.

The right to control your own data is not a luxury. In most of Latin America, it is the law. In the United States, it is a wish. That gap is not closing. It is widening. And every year Congress fails to act, the comparison gets harder to explain away.