Right to Delete Under CCPA vs Right to Be Forgotten Under GDPR
A side-by-side comparison of the CCPA right to delete and the GDPR right to be forgotten. Covers scope, exceptions, verification, timelines, and how to handle both when your business is subject to both laws.
Last updated: 2026-02-07
"Delete my data." Three words, two regulatory frameworks, and a lot of confusion.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney or data protection professional for guidance specific to your business. The information here is based on the CCPA (Cal. Civ. Code §§ 1798.100–1798.199.100), the CPRA (Proposition 24, 2020), and the General Data Protection Regulation (EU) 2016/679 (GDPR), as of the date of publication.
If your business serves both European and California consumers, you are dealing with two different deletion rights that look similar on the surface but differ in important ways. GDPR calls it the "right to erasure" (or the right to be forgotten). CCPA/CPRA calls it the "right to delete." Both let people request that a business remove their personal data. But the rules around who can ask, what has to be deleted, when you can refuse, and how you verify the request are different enough to matter.
This guide compares the two frameworks head to head, then shows you how to build a single process that satisfies both.
The Quick Comparison
Before we dig into the details, here is the overview:
| Aspect | GDPR Right to Erasure | CCPA/CPRA Right to Delete |
|---|---|---|
| **Who it applies to** | Any organization processing EU/EEA personal data | Businesses meeting CA revenue/data thresholds |
| **Size thresholds** | None | $25M revenue, or 100K+ consumers, or 50%+ revenue from data sales |
| **What can be deleted** | All personal data held by the controller | Personal information collected from the consumer |
| **Grounds required** | Yes -- one of six specific grounds must apply | No -- consumer can request without citing a ground |
| **Exceptions** | Five specific exceptions | Nine specific exceptions (broader) |
| **Response time** | 30 calendar days (extendable by 60 days) | 45 calendar days (extendable by 45 days) |
| **Acknowledgment deadline** | Not separately specified | 10 business days |
| **Verification** | Proportionate to risk | Reasonable verification methods |
| **Third-party notification** | Required (reasonable steps) | Required under CPRA |
| **Enforcement** | Data protection authorities | California Attorney General, CPPA |
| **Private right of action** | Yes (judicial remedy) | Limited (data breaches only) |
Now let us unpack each of these differences.
Who the Laws Apply To
GDPR
GDPR applies to any organization that processes personal data of individuals in the EU/EEA, regardless of the organization's size, revenue, or location. A one-person business in Idaho processing EU personal data is subject to GDPR. There are no thresholds. For a detailed breakdown, see our guide on whether GDPR applies to small businesses.
CCPA/CPRA
CCPA applies only to for-profit businesses that do business in California and meet at least one of three thresholds:
- Annual gross revenue over $25 million
- Buy, receive, sell, or share the personal information of 100,000 or more California consumers, households, or devices annually
- Derive 50% or more of annual revenue from selling or sharing consumers' personal information
This means many small businesses are not subject to CCPA at all. If you are a 20-person company with $3 million in revenue that does not sell data, CCPA does not apply to you. GDPR, if you have EU customers, does.
What Personal Data Means
GDPR
"Personal data" under GDPR means any information relating to an identified or identifiable natural person. This is extremely broad: names, email addresses, IP addresses, cookie identifiers, location data, behavioral data, physical descriptions, online identifiers -- essentially anything that can be linked back to a real person, directly or indirectly.
GDPR covers all personal data held by the controller, regardless of how it was obtained. This includes data collected directly from the individual, data obtained from third parties, data generated through observation (behavioral analytics), and data inferred or derived from other data.
CCPA/CPRA
"Personal information" under CCPA is similarly broad in its definition, covering information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to a particular consumer or household.
A key distinction: CCPA's original right to delete was limited to personal information "collected from the consumer." If you obtained someone's data from a third-party data broker rather than directly from them, the original CCPA right to delete technically did not cover it.
CPRA expanded this significantly. Under CPRA, the right to delete applies more broadly, and businesses must also direct service providers, contractors, and third parties to delete the data.
Grounds for Deletion: The Fundamental Difference
This is one of the most important practical differences between the two frameworks.
GDPR: You Need a Qualifying Ground
Under GDPR Article 17 (right to erasure), the individual must have a reason to request erasure. One of six grounds must apply:
- The data is no longer necessary for its original purpose
- The individual withdraws consent (and consent was the only lawful basis)
- The individual objects to the processing (and you cannot demonstrate overriding legitimate grounds)
- The data was unlawfully processed
- Deletion is required by EU or member state law
- The data was collected from a child for online services
If none of these grounds apply, the controller can refuse the erasure request even without citing a specific exception. In practice, though, at least one ground usually applies.
For a detailed walkthrough of each ground and how they work in practice, see our guide on the right to erasure under GDPR Article 17.
CCPA: No Ground Required
Under CCPA (Cal. Civ. Code § 1798.105), a consumer can request deletion without providing a reason. They do not need to cite a legal ground or explain why they want their data deleted. They just ask, and the business must comply unless an exception applies.
This makes CCPA's right to delete simpler to invoke but shifts more burden to the business to determine whether an exception justifies refusal.
Exceptions: Where Businesses Can Refuse
Both frameworks provide exceptions that allow businesses to refuse deletion requests. CCPA's exceptions are broader and more business-friendly.
GDPR Exceptions (GDPR Article 17(3))
You can refuse erasure if the processing is necessary for:
- Freedom of expression and information (primarily protects journalism and academic work)
- Compliance with a legal obligation under EU or member state law
- Public health purposes in the public interest
- Archiving, scientific research, historical research, or statistical purposes where erasure would seriously impair those objectives
- Establishment, exercise, or defense of legal claims
CCPA Exceptions (Cal. Civ. Code § 1798.105)
A business can refuse deletion if the information is necessary to:
- Complete a transaction or provide a good/service requested by the consumer
- Detect security incidents, protect against malicious or illegal activity, or prosecute those responsible
- Debug to identify and repair errors
- Exercise free speech or another right provided by law
- Comply with the California Electronic Communications Privacy Act
- Engage in research in the public interest (with consumer opt-in)
- Enable solely internal uses reasonably aligned with consumer expectations
- Comply with a legal obligation
- Otherwise use the information internally in a lawful manner compatible with the context in which it was provided
Exception 9 is notably broad. The "internal use compatible with the context" exception gives CCPA businesses significantly more room to retain data than GDPR controllers have.
What This Means in Practice
If someone asks you to delete their data:
- Under GDPR: You need to delete unless you have a specific, narrow exception (legal obligation, legal claims, free expression, public health, or research).
- Under CCPA: You have a broader set of reasons to retain data, including ongoing service provision, internal use compatible with the original context, and debugging.
For businesses subject to both, GDPR's stricter standard typically governs. If you can meet GDPR's erasure requirements, you will automatically satisfy CCPA's.
Verification Requirements
Both laws require you to verify the identity of the person making the deletion request before acting on it. But they approach it differently.
GDPR
GDPR does not prescribe specific verification methods. The standard is "proportionate" -- meaning the level of verification should match the sensitivity of the data and the risk of unauthorized deletion.
For a logged-in user requesting deletion through their account, the authentication is sufficient. For an email request from a known email address, matching the email to an account record is usually adequate. For requests involving sensitive data or where identity is uncertain, you may ask for additional verification.
The key principle: do not use verification as a barrier. Do not ask for more information than necessary. And do not use verification to delay the response beyond the 30-day deadline.
CCPA
CCPA is more prescriptive. The regulations require businesses to establish and describe verification processes, and the level of verification must be "reasonable."
For account-based requests (the consumer has an account with you), you can verify through the account authentication. For non-account-based requests, you must verify to a "reasonable degree of certainty" (match at least two data points) or a "reasonably high degree of certainty" (match at least three data points plus a signed declaration) depending on the sensitivity of the data.
CCPA also requires you to describe your verification process in your privacy policy.
Practical Approach for Both
If you are subject to both laws, build a verification process that satisfies both:
- Authenticated account requests: account authentication is sufficient
- Email requests from a known email: verify against at least two data points
- Requests involving sensitive data: verify against three data points or require additional proof of identity
- Document your process and include it in your privacy policy
Response Timelines
GDPR
- Acknowledgment: Not separately required, but best practice is to acknowledge receipt promptly.
- Response deadline: 30 calendar days from receipt of the request (GDPR Article 12(3)).
- Extension: Can be extended by an additional 60 days (two months) if the request is complex or if you have received a large number of requests. You must notify the individual of the extension within the first 30 days, including the reason for the delay.
CCPA
- Acknowledgment: You must confirm receipt of the request within 10 business days.
- Response deadline: 45 calendar days from receipt of the request (Cal. Civ. Code § 1798.130(a)(2)).
- Extension: Can be extended by an additional 45 calendar days if reasonably necessary. You must notify the consumer of the extension within the first 45 days, including the reason.
Practical Approach
The GDPR timeline is shorter (30 days vs. 45 days). If you build your process around the 30-day GDPR deadline, you will automatically be within CCPA's timeline.
Our recommendation: Aim to fulfill all deletion requests within 30 calendar days regardless of which law applies. This keeps it simple and ensures compliance with both frameworks.
Third-Party Notification
GDPR
GDPR Article 17(2) requires that when a controller has made personal data public and must erase it, the controller shall take "reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested erasure."
GDPR Article 19 separately requires that when you erase data, you must communicate the erasure to each recipient to whom the data has been disclosed, unless this proves impossible or involves disproportionate effort.
CCPA/CPRA
Under CPRA, when you receive a verified deletion request, you must:
- Delete the personal information from your records
- Notify all service providers and contractors to delete it
- Notify all third parties to whom you sold or shared the information to delete it
Practical Approach
Both laws require you to push deletion downstream to third parties. Maintain a list of every third party you share personal data with. When you fulfill a deletion request, send deletion notifications to each relevant party and document that you did so.
Handling Both Laws Simultaneously
If your business is subject to both GDPR and CCPA, here is how to build a unified process:
Step 1: Determine Which Law Applies
When you receive a deletion request, determine:
- Is the requester an EU/EEA resident? GDPR applies.
- Is the requester a California resident? CCPA applies.
- Could they be both (e.g., a dual citizen or someone who recently moved)? Apply the stricter standard.
- Are they neither? You may still have obligations under other state privacy laws; check them.
If you cannot determine the individual's location, apply the stricter standard (GDPR).
Step 2: Apply the Stricter Standard
In most cases, GDPR is the stricter standard:
- Shorter timeline (30 days vs. 45 days)
- Fewer exceptions (5 vs. 9)
- Broader scope of data covered
- More stringent third-party notification requirements
Building your process to GDPR standards means you automatically comply with CCPA.
Step 3: Document Under Both Frameworks
Your documentation should note:
- Which law(s) apply to this request
- The verification method used (satisfying both GDPR and CCPA requirements)
- The legal assessment (grounds for erasure under GDPR, if applicable)
- Any exceptions applied (citing the relevant framework)
- Third-party notifications sent
- The response sent to the individual
Step 4: Respond Clearly
Your response to the individual should:
- Confirm what was deleted
- Explain any data retained and the legal basis for retention
- Note which law your response is based on (if relevant)
- Provide information about their right to complain (GDPR requires this; CCPA does not, but it is good practice)
Building a Unified Deletion Process
Here is a process that works for both frameworks:
Day 0 -- Request received
- Log the request with date, requester details, and what they are asking for
- Begin identity verification
Day 1-5 -- Verification
- Verify the requester's identity using proportionate methods
- If additional information is needed, request it immediately (the clock is running)
Day 5-10 -- Assessment
- Identify all personal data held about the individual
- Determine which law(s) apply
- Assess whether any exceptions apply
- Document your assessment
Day 10-25 -- Execution
- Delete data from all active systems
- Send deletion notifications to third parties and service providers
- Verify deletion was successful
- Document all actions taken
Day 25-30 -- Response
- Send a clear response to the individual confirming deletion (or explaining any refusal)
- File all documentation
This timeline gives you a buffer before the 30-day GDPR deadline and is well within CCPA's 45-day window.
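As an added illustration (not code from the article), here is a small Python helper that encodes the verification tiers from the Practical Approach for Both section and the stricter-standard deadline logic from the timeline and unified-process sections above. It assumes the article's figures (30/60 days for GDPR, 45/45 days and a 10-business-day acknowledgment for CCPA), ignores public holidays in the business-day count, and falls back to GDPR when residency is unknown, as the article advises.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

# Figures taken from the article: calendar days, except the CCPA acknowledgment.
GDPR_RESPONSE_DAYS, GDPR_EXTENSION_DAYS = 30, 60
CCPA_RESPONSE_DAYS, CCPA_EXTENSION_DAYS = 45, 45
CCPA_ACK_BUSINESS_DAYS = 10

def add_business_days(start: date, n: int) -> date:
    """Advance n business days (Mon-Fri); public holidays are ignored (assumption)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d

def applicable_laws(eu_resident: Optional[bool], ca_resident: Optional[bool]) -> Tuple[str, ...]:
    """None means residency is unknown; if nothing is known to apply, fall back to GDPR."""
    laws = []
    if eu_resident:
        laws.append("GDPR")
    if ca_resident:
        laws.append("CCPA")
    if not laws and None in (eu_resident, ca_resident):
        laws.append("GDPR")  # unknown location: apply the stricter standard
    return tuple(laws)

def required_data_points(account_authenticated: bool, sensitive: bool) -> int:
    """0 = account login suffices; otherwise 2 matched data points, or 3 for sensitive data."""
    if account_authenticated:
        return 0
    return 3 if sensitive else 2

@dataclass(frozen=True)
class Deadlines:
    laws: Tuple[str, ...]
    acknowledge_by: Optional[date]  # CCPA only: 10 business days from receipt
    respond_by: date                # earliest response deadline; extensions must be announced by then
    latest_with_extension: date     # earliest of the extended deadlines across applicable laws

def compute_deadlines(received: date, eu_resident: Optional[bool],
                      ca_resident: Optional[bool]) -> Deadlines:
    """Apply each law's clock and keep the stricter (earliest) date where they overlap."""
    laws = applicable_laws(eu_resident, ca_resident)
    if not laws:
        raise ValueError("neither GDPR nor CCPA applies; check other state privacy laws")
    respond, extended, ack = [], [], None
    if "GDPR" in laws:
        respond.append(received + timedelta(days=GDPR_RESPONSE_DAYS))
        extended.append(received + timedelta(days=GDPR_RESPONSE_DAYS + GDPR_EXTENSION_DAYS))
    if "CCPA" in laws:
        ack = add_business_days(received, CCPA_ACK_BUSINESS_DAYS)
        respond.append(received + timedelta(days=CCPA_RESPONSE_DAYS))
        extended.append(received + timedelta(days=CCPA_RESPONSE_DAYS + CCPA_EXTENSION_DAYS))
    return Deadlines(laws, ack, min(respond), min(extended))
```

For a request received on a Friday, 2026-02-06, from someone subject to both laws, this yields an acknowledgment deadline of 2026-02-20, a response deadline of 2026-03-08 (the GDPR date), and 2026-05-07 as the latest possible date with an extension.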
Special Scenarios
The Individual Is Subject to Both Laws
If someone is both an EU citizen and a California resident (it happens), apply the stricter standard for each element of the process. In most cases, this means applying GDPR standards throughout.
You Are Not Sure Which Law Applies
If you cannot determine the individual's residence or citizenship, treat the request as if the stricter standard (usually GDPR) applies. This is conservative but safe.
The Request Comes via a Third Party
Both GDPR and CCPA allow requests to be made through authorized agents. Under CCPA, the consumer must provide the agent with written permission, or the agent must have power of attorney. Under GDPR, you can accept requests from authorized representatives but should verify both the representative's authority and the identity of the data subject.
The Data Is in Backups
Neither GDPR nor CCPA explicitly addresses backups in its deletion requirements. The widely accepted practice is:
- Delete from all active, accessible systems
- Document that encrypted backups may retain the data until they cycle out
- Ensure backup retention periods are reasonable
- Do not restore deleted data from backups (or delete it again immediately if restoration is necessary for another reason)
Most regulators on both sides of the Atlantic accept this approach.
The Big Picture
The right to delete and the right to erasure are converging. More US states are adopting deletion rights, and the practical requirements are becoming increasingly similar to GDPR's. Building a GDPR-compliant erasure process today positions your business well for wherever US privacy law goes next.
The key takeaway: build one process, apply the stricter standard, and document everything. You will satisfy both frameworks and be prepared for whatever comes next.
For more on the US landscape specifically, including the growing patchwork of state privacy laws, see our guide on the right to be forgotten in the US.
References
- General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 (full text).
- GDPR Article 17: Right to erasure ("right to be forgotten") (Article 17 text).
- UK GDPR: the UK General Data Protection Regulation, as retained under the Data Protection Act 2018 (ICO guidance).
- European Data Protection Board (EDPB): official EDPB website.
- California Consumer Privacy Act (CCPA): Cal. Civ. Code §§ 1798.100–1798.199.100 (full text on the California Legislative Information site).
- California Privacy Rights Act (CPRA): Proposition 24 (2020), amending the CCPA (CPRA ballot text).
- California Privacy Protection Agency (CPPA): official CPPA website.
Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.