Global privacy regulations — LGPD (Brazil), GDPR (Europe), CCPA (California, USA), and guidance from the CNIL (France) — guarantee that data subjects have the right to request access, deletion, or other actions related to their personal data.
In this process, AdOpt and the Controller (client company) play complementary roles.
⚖️ What the LGPD says
Art. 19, II –
“by means of a clear and complete declaration, indicating the origin of the data, the absence of records, the criteria used, and the purpose of the processing, within 15 (fifteen) days from the date of the request by the data subject.”
Art. 19, §3º –
“The controller shall immediately provide, in a simplified format, confirmation of the existence or nonexistence of processing of personal data.”
📌 Summary (Brazil):
Immediate simplified confirmation (receipt).
Complete response within 15 days.
⚖️ What the GDPR says
Art. 12(3) –
“The controller shall provide information on action taken on a request to the data subject without undue delay and in any event within one month of receipt of the request.”
📌 Summary (Europe):
Response within 30 days (1 month).
Can be extended by 2 additional months for complex cases, with justification.
⚖️ What the CNIL (France) says
The CNIL, the French data protection authority, reinforces that:
The data subject should receive an immediate acknowledgment of receipt.
The response must be provided within 30 days (following the GDPR).
The communication must be simple, clear, and accessible, avoiding legal jargon.
📌 Summary (France):
30 days for the full response.
Strong emphasis on clarity and accessibility of the message.
⚖️ What the CCPA (California, USA) says
CCPA Sec. 1798.130 (a)(2) –
“A business shall respond to a verifiable consumer request within 45 days of receiving the request.”
📌 Summary (USA):
Response within 45 days.
May be extended for an additional 45 days (maximum 90 days).
The business must provide a free and clear channel for consumer requests.
🔧 How it works in AdOpt
Whenever a data subject makes a request for access or deletion:
Automatic response to the data subject
AdOpt immediately sends a receipt of the request.
This fulfills the obligation of simplified confirmation (LGPD Art. 19, §3º; GDPR/CNIL best practices).
At the same time, AdOpt acts on the cookies linked to the requester, ensuring immediate technical compliance.
Notification to the DPO/Controller
AdOpt sends a notification to the site’s Data Protection Officer (or designated contact).
From this point on, it is the controller’s responsibility to:
Check and handle data in internal systems.
Prepare the full response to the data subject.
Meet the legal deadlines:
15 days (LGPD)
30 days (GDPR / CNIL)
45 days (CCPA)
✅ Conclusion – Practical comparison for DPOs
| Regulation | Immediate response | Deadline for full response | Notes |
|---|---|---|---|
| LGPD (Brazil) | Mandatory (simplified confirmation) | 15 days | Must include origin, criteria, and purpose of processing |
| GDPR (Europe) | Recommended (acknowledgment of receipt) | 30 days (up to 90 in complex cases) | Transparency and justification required for extensions |
| CNIL (France) | Mandatory (receipt) | 30 days | Strong emphasis on clarity and accessible language |
| CCPA (California) | Not mandatory, but recommended | 45 days (up to 90 in complex cases) | Free, verifiable, and user-friendly channel required |
📌 AdOpt’s practice:
Automates the immediate receipt (fulfilling LGPD Art. 19, §3º and GDPR/CNIL best practices).
Acts on cookies linked to the data subject at the time of the request.
Notifies the DPO/controller, who must complement the response within the deadlines established by each regulation.
