Deletion Request Differences: CCPA vs GDPR Response Requirements
How to respond differently to CCPA deletion requests and GDPR erasure requests. Side-by-side comparison of deadlines, verification, exceptions, and a unified process.
Last updated: 2026-02-08
Same Request, Different Rules
"Delete my data." If you serve both EU and California consumers, you need to know which rules to apply. This guide compares the response requirements side by side.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.
Response Requirements Compared
| Requirement | GDPR (Article 17) | CCPA/CPRA (§ 1798.105) |
|---|---|---|
| Acknowledgment | Not separately required | 10 business days |
| Response deadline | 30 calendar days | 45 calendar days |
| Extension | +60 days (2 months) | +45 days |
| Grounds required from requester | Yes (one of six) | No |
| Verification standard | Proportionate to risk | Prescriptive tiers (2 or 3 data points) |
| Number of exceptions | 5 | 9 |
| Third-party notification | Required (reasonable steps) | Required (CPRA) |
| Backup deletion | Where technically feasible | Where technically feasible |
Key Differences That Affect How You Respond
Deadline
GDPR gives you 30 days. CCPA gives you 45. If you build to GDPR's deadline, you automatically satisfy CCPA.
Requester Must Cite a Ground (GDPR Only)
Under GDPR, the requester must have a qualifying reason (data no longer necessary, consent withdrawn, objection to processing, etc.). Under CCPA, they just ask. No reason needed.
In practice, this rarely matters — most GDPR requests fall under at least one ground. But if a GDPR request does not fit any of the six grounds, you can refuse.
Verification
GDPR says "proportionate." CCPA prescribes specific tiers:
- Two data points for basic requests
- Three data points plus a signed declaration for deletion or specific-pieces requests
If you verify to CCPA's standard, you satisfy both.
Exceptions
CCPA provides broader exceptions, including "internal uses aligned with consumer expectations" and "compatible with the context." GDPR's exceptions are narrower: legal obligation, legal claims, free expression, public health, and research.
When you are subject to both, GDPR's narrower exceptions govern. If you cannot cite a GDPR exception, you must delete — even if a CCPA exception would have applied.
Building One Process for Both
Day 0: Receive and log the request. Determine which law applies based on the requester's residence. If uncertain, apply GDPR standards.
Days 1-5: Verify identity to CCPA's prescriptive standard (satisfies both).
Days 5-10: Search all systems. Assess exceptions under whichever framework applies — or under both if the requester could be subject to either.
Days 10-25: Execute deletion. Notify all third parties and service providers.
Days 25-30: Respond with: what was deleted, which parties were notified, any data retained with the specific exception cited, and complaint rights (GDPR requires this).
This hits GDPR's 30-day deadline and is well within CCPA's 45.