Right to Delete vs Right to Erasure: GDPR vs CCPA/CPRA

The right to erasure under the GDPR (Article 17) and the right to delete under the CCPA/CPRA (California Civil Code §1798.100) represent distinct regulatory approaches to data subject control, despite their similar objectives. The GDPR's right to erasure is framed as an absolute right in certain circumstances, requiring organizations to delete personal data and notify third parties without undue delay. Conversely, the CCPA establishes a qualified right to deletion that permits businesses to retain data under specific exemptions, reflecting a more nuanced balance between consumer privacy and legitimate business interests. Understanding these differences is critical for multinational enterprises operating across jurisdictions.

Scope represents the first major distinction between these rights. GDPR Article 17 grants the right to erasure when: (1) data is no longer necessary for its original purpose, (2) the individual withdraws consent, (3) the individual objects to processing, (4) data has been unlawfully processed, (5) erasure is required by law, or (6) the data concerns children and was collected under Article 8. The CCPA §1798.100 provides a simpler framework: consumers may request deletion of personal information collected from them, with limited exceptions. However, the CPRA (effective January 2023) narrows the CCPA's scope by excluding data that cannot reasonably be linked to the consumer, aligning somewhat more closely with GDPR principles while maintaining California's business-friendly carve-outs.

Obligation timelines and enforcement mechanisms differ substantially. Under GDPR Article 12, organizations must respond to erasure requests within one month, extendable by two additional months for complex requests. Organizations must notify recipients of the erasure request unless impracticable (Article 17(2)). The CCPA §1798.100 and CPRA require a response within 45 days, extendable by 45 additional days upon notification. Critically, the CCPA does not mandate notification to third parties unless specifically required. GDPR violations carry penalties up to €20 million or 4% of global annual revenue (whichever is higher) under Article 83(5), while CPRA penalties reach $7,500 per intentional violation, with significant aggregate exposure through California's private right of action (effective January 2023).

Business exemptions create substantial compliance complexity. GDPR Article 17(3) establishes narrow exceptions: exercise of freedom of expression, compliance with legal obligations, public health interests, and archival/research purposes. These exemptions are restrictively interpreted by regulators. Conversely, CCPA §1798.105(d) and CPRA §1798.105(d) enumerate broader exemptions, including retention for: legal obligations, fraud detection, security purposes, internal uses reasonably aligned with expectations, and scientific research. The CPRA adds exemptions for uses enabled by the California Consumer Privacy Act itself and compliance with other laws, granting businesses substantially greater retention rights.

For multinational enterprises, the practical implication is clear: GDPR's right to erasure demands more rigorous technical infrastructure for complete data deletion and third-party notification chains, while CCPA/CPRA compliance permits strategic retention through carve-outs. Organizations should implement jurisdiction-specific deletion workflows, maintain deletion audit trails to satisfy both regulations' documentation requirements (GDPR Article 5(2); CPRA §1798.100(d)(1)), and carefully map data retention necessities against each jurisdiction's exemption framework. Where GDPR applies, the higher standard should typically govern overall practice to ensure compliance across markets.