Both GDPR and California's CCPA/CPRA give people the right to have their personal data deleted. The mechanics differ (scope, exceptions, timelines, and who is covered), but the engineering burden they place on your data team is nearly identical.
Who is protected
GDPR protects data subjects in the EU/EEA regardless of the individual's citizenship. CCPA/CPRA protects California residents. Many companies are subject to both at once.
What triggers it
GDPR Article 17 lists specific grounds (data no longer needed, consent withdrawn, unlawful processing, and more). CCPA gives consumers a broad right to request deletion of personal information a business collected from them.
Timelines
GDPR: without undue delay, within one month (extendable to three). CCPA: respond within 45 days, extendable by another 45 with notice.
Downstream reach
GDPR Article 17(2) requires informing other recipients of the data. CCPA requires directing your service providers and contractors to delete the information too.
Neither right is absolute. Both GDPR and CCPA carve out exceptions where you may retain personal data despite a deletion request — to comply with a legal obligation, to complete a transaction the consumer asked for, to detect security incidents, or to exercise or defend legal claims, among others.
The practical consequence is the same under either law: you must be able to delete precisely the data that is in scope while retaining, and justifying, the specific data an exception covers. That demands granular control over which fields for which person get erased — not an all-or-nothing wipe.
Strip away the legal wording and both rights ask your systems the same three questions: where does this person's data live, how do you delete every copy of it, and how do you prove you did. A team that can answer those three questions reliably is compliant with the deletion right under either regime — and any future one that resembles them.
This is why it rarely makes sense to build CCPA deletion and GDPR erasure as separate workflows. Build one capability — accurate discovery, complete deletion across warehouse and downstream systems, and a signed proof record — and point both legal obligations at it. Crypto-shredding is well suited here because a single key destruction covers every copy and emits the evidence both laws' accountability expectations want to see.
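The flow described above, as an added example that is not code from the original page or from any product: one data key per person and field, so an erasure destroys the in-scope keys, keeps the fields an exception covers, and returns a verifiable proof record. `ShredVault`, `erase` and `verify_proof` are hypothetical names, and the per-field key layout is an assumption; the HMAC keystream stands in for an AEAD such as AES-GCM, and the HMAC tag stands in for a signature on the proof record.

```python
import hashlib, hmac, json, secrets

def _xor_stream(key, nonce, data):
    # Stand-in cipher (HMAC-SHA256 keystream) so this runs on the standard
    # library alone; a real deployment would use an AEAD such as AES-GCM.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

class ShredVault:
    """Holds one data key per (subject, field); ciphertext copies live elsewhere."""
    def __init__(self, audit_key):
        self._keys, self._audit_key = {}, audit_key

    def encrypt(self, subject, field, value):
        key = self._keys.setdefault((subject, field), secrets.token_bytes(32))
        nonce = secrets.token_bytes(16)
        return nonce + _xor_stream(key, nonce, value.encode())

    def decrypt(self, subject, field, blob):
        key = self._keys.get((subject, field))
        if key is None:
            return None  # key destroyed: every copy of this ciphertext is unreadable
        return _xor_stream(key, blob[:16], blob[16:]).decode()

    def erase(self, subject, retain, requested_at):
        """Destroy the subject's keys except fields in `retain` (field -> stated exception)."""
        fields = sorted(f for s, f in self._keys if s == subject)
        shredded = [f for f in fields if f not in retain]
        for f in shredded:
            del self._keys[(subject, f)]
        record = {"subject": subject, "requested_at": requested_at,
                  "shredded": shredded,
                  "retained": {f: retain[f] for f in fields if f in retain}}
        record["mac"] = _mac(self._audit_key, record)
        return record

def _mac(audit_key, record):
    # HMAC stands in for the signature on the proof record (assumption).
    body = json.dumps({k: v for k, v in record.items() if k != "mac"}, sort_keys=True)
    return hmac.new(audit_key, body.encode(), hashlib.sha256).hexdigest()

def verify_proof(record, audit_key):
    """Recompute the tag so an auditor can detect an altered proof record."""
    return hmac.compare_digest(_mac(audit_key, record), record.get("mac", ""))
```

The proof record names the retained fields and the exception claimed for each, so the same record documents both what was erased and why the rest was kept.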
What is the difference between CCPA and GDPR deletion rights?
GDPR's right to erasure (Article 17) applies to people in the EU/EEA and lists specific grounds for deletion, with a one-month response window. CCPA/CPRA gives California residents a broad right to request deletion of personal information a business collected, with a 45-day window. Both include exceptions and both require directing downstream processors to delete the data too.
If I comply with GDPR, am I automatically CCPA compliant?
Not automatically — the laws have different definitions, disclosure duties, and exceptions. But the core deletion capability is shared: if you can locate every copy of a person's data, delete it completely, and prove it, you have the technical foundation both laws require. The remaining differences are largely process and documentation.
How long do you have to respond to a deletion request?
Under GDPR, without undue delay and within one calendar month, extendable to three for complex requests. Under CCPA/CPRA, within 45 days, extendable by a further 45 days with notice to the consumer.