DPDP, GDPR, CCPA/CPRA, US state laws, and LGPD all point in the same direction: people should be able to find, access, correct, delete, and control personal data without needing a lawyer to decode the process.
Coverage
India, EU/UK, California, US states, and Brazil
Core rights
Access, deletion, correction, consent control, opt-out, portability, grievance
Product angle
Turn legal rights into request letters, response clocks, evidence, and follow-up workflows
Every privacy law has two sides: what a person can ask for, and what a company must do to answer properly. This page breaks each law into coverage, rights, deadlines, business obligations, limits, and the practical benefit for the customer.
A privacy right is only useful when the company can locate the person across product, billing, marketing, support, and HR systems.
Modern privacy laws care about safeguards, access control, retention, and auditability. The operational goal is not just sending a letter; it is keeping the evidence clean.
Deadlines, identity checks, exceptions, deletion outcomes, and opt-outs all need a record. That is where request tracking becomes more valuable than plain legal text.
Deadlines and rights vary. The practical pattern is consistent: identify the person, locate their data, honour the right, and keep proof.
Law
DPDP Act
Who it protects
India and offshore processing tied to people in India
Response clock
Privacy Conduit uses a 30-day operational target from the shared jurisdiction pack; statutory rights mechanics depend on the phased commencement and Rules.
Most useful for
Gives Indian users a direct route to ask what is stored, why it is used, and who it is shared with
Law
GDPR
Who it protects
European Economic Area and United Kingdom, with extraterritorial reach
Response clock
Without undue delay and generally within 1 month; complex requests can be extended by 2 more months with notice.
Most useful for
Lets individuals see the full picture: data held, purposes, recipients, retention, and sources
Who it protects
California plus a growing patchwork of US states
Response clock
Most consumer requests: 45 calendar days, with a possible 45-day extension after notice.
Most useful for
Turns ad-tech and data broker opacity into an actionable opt-out right
Law
LGPD
Who it protects
Brazil, Brazilian residents, and services aimed at people in Brazil
Response clock
Confirmation can be simplified immediately; a clear and complete access statement is due within 15 days under Article 19.
Most useful for
Gives Brazilian users both access and explanation: origin, purpose, criteria, and sharing
India's digital personal data framework for consent, safeguards, and Data Principal rights.
Who and where
India and offshore processing tied to people in India
Response clock
Privacy Conduit uses a 30-day operational target from the shared jurisdiction pack; statutory rights mechanics depend on the phased commencement and Rules.
Enforcement
Data Protection Board of India; penalties can reach INR 250 crore for specified failures.
What it covers
Digital personal data processed in India, and processing outside India when connected with offering goods or services to Data Principals in India.
Status
Enacted in 2023. The 2025 commencement notification brings provisions online in phases; Data Principal rights sections 11-17 are scheduled for May 13, 2027.
The benchmark privacy law for access, erasure, portability, accountability, and data protection by design.
Who and where
European Economic Area and United Kingdom, with extraterritorial reach
Response clock
Without undue delay and generally within 1 month; complex requests can be extended by 2 more months with notice.
Enforcement
EU supervisory authorities and the UK ICO; serious infringements can reach EUR 20 million or 4% of global annual turnover.
What it covers
Controllers and processors established in the EU/UK, plus organisations outside the region that offer goods or services to people there or monitor their behaviour.
Status
EU GDPR has applied since May 25, 2018. UK GDPR remains the UK framework after Brexit, with the ICO as the UK regulator.
A state-by-state privacy system built around knowing, deleting, correcting, opting out, and appealing.
Who and where
California plus a growing patchwork of US states
Response clock
Most consumer requests: 45 calendar days, with a possible 45-day extension after notice.
Enforcement
California Privacy Protection Agency, state attorneys general, and state-specific enforcement schemes.
What it covers
California residents under CCPA/CPRA when a covered for-profit business meets statutory thresholds; other states apply their own thresholds, exemptions, and covered-rights models.
Status
California CCPA took effect in 2020 and was expanded by CPRA in 2023. As of May 2026, comprehensive state privacy laws have been enacted in roughly 20 states.
Brazil's GDPR-inspired privacy law with a broad rights catalogue and a fast access deadline.
Who and where
Brazil, Brazilian residents, and services aimed at people in Brazil
Response clock
Confirmation can be simplified immediately; a clear and complete access statement is due within 15 days under Article 19.
Enforcement
ANPD; administrative fines can reach 2% of Brazilian revenue, capped at R$50 million per infraction.
What it covers
Processing carried out in Brazil, processing for offering goods or services to people in Brazil, or processing of personal data collected in Brazil.
Status
Effective since 2020/2021, enforced by Brazil's Autoridade Nacional de Proteção de Dados (ANPD).
Learn the rights you can exercise. Privacy Conduit for individuals is opening early access soon.
Assess which laws apply, intake requests, approve fulfillment workflows, and keep an audit trail for every decision.