
Multi-Regulation Engine

Each tenant can operate under a different regulation. The resolver checks the following sources in order and uses the first match:

  1. Per-tenant override in appsettings.json (Privacy:Regulations:TenantRegulations, keyed by tenant ID)
  2. Default regulation (Privacy:Regulations:DefaultRegulation), used for every tenant without an override

```json
{
  "Privacy": {
    "Regulations": {
      "DefaultRegulation": "EU_GDPR",
      "TenantRegulations": {
        "8f3c1d2a-0b44-4e7a-9c61-2f0a5b7d1e90": "BR_LGPD",
        "b1e9a7c4-5d22-4f08-8a13-6c4e9f2b0d77": "US_CCPA",
        "d4a2f018-3c91-4b6e-aa57-1e8b0c3d5f22": "CN_PIPL"
      }
    }
  }
}
```
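The lookup order above, written out as an added example (this is not Granit's own resolver code). It reads the Privacy:Regulations section through Microsoft.Extensions.Configuration and, at construction time, rejects any tenant key that is not a GUID and any regulation code that is not in the set of registered codes, so a typo such as "BR_LGDP" fails at startup instead of silently dropping that tenant back to the default. The TenantRegulationResolver class and the knownRegulations set are assumptions for this example.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Extensions.Configuration;

// Assumed example type: resolves a tenant ID to a regulation code using the
// two-step order documented above (per-tenant override, then default).
public sealed class TenantRegulationResolver
{
    private readonly string _defaultRegulation;
    private readonly IReadOnlyDictionary<Guid, string> _tenantOverrides;

    public TenantRegulationResolver(IConfiguration configuration, IReadOnlySet<string> knownRegulations)
    {
        var section = configuration.GetSection("Privacy:Regulations");

        _defaultRegulation = section["DefaultRegulation"]
            ?? throw new InvalidOperationException("Privacy:Regulations:DefaultRegulation is not set.");
        RequireKnown(knownRegulations, _defaultRegulation, "DefaultRegulation");

        var overrides = new Dictionary<Guid, string>();
        foreach (var child in section.GetSection("TenantRegulations").GetChildren())
        {
            // Keys must be tenant GUIDs; anything else is a configuration error, not a tenant.
            if (!Guid.TryParse(child.Key, out var tenantId))
                throw new InvalidOperationException($"TenantRegulations key '{child.Key}' is not a GUID.");

            var code = child.Value
                ?? throw new InvalidOperationException($"TenantRegulations:{child.Key} has no value.");
            RequireKnown(knownRegulations, code, $"TenantRegulations:{child.Key}");
            overrides[tenantId] = code;
        }
        _tenantOverrides = overrides;
    }

    // Step 1: per-tenant override. Step 2: default regulation.
    public string Resolve(Guid tenantId) =>
        _tenantOverrides.TryGetValue(tenantId, out var code) ? code : _defaultRegulation;

    private static void RequireKnown(IReadOnlySet<string> known, string code, string where)
    {
        if (!known.Contains(code))
            throw new InvalidOperationException($"{where} refers to unregistered regulation '{code}'.");
    }
}

public static class ResolverDemo
{
    public static void Main()
    {
        // Constructed in-memory configuration mirroring the appsettings.json fragment above.
        var configuration = new ConfigurationBuilder()
            .AddInMemoryCollection(new Dictionary<string, string?>
            {
                ["Privacy:Regulations:DefaultRegulation"] = "EU_GDPR",
                ["Privacy:Regulations:TenantRegulations:8f3c1d2a-0b44-4e7a-9c61-2f0a5b7d1e90"] = "BR_LGPD",
                ["Privacy:Regulations:TenantRegulations:b1e9a7c4-5d22-4f08-8a13-6c4e9f2b0d77"] = "US_CCPA",
            })
            .Build();

        // Assumed: the set of regulation codes actually registered with the profile catalog.
        var knownRegulations = new HashSet<string>(StringComparer.Ordinal)
        {
            "EU_GDPR", "BR_LGPD", "US_CCPA", "CN_PIPL"
        };

        var resolver = new TenantRegulationResolver(configuration, knownRegulations);

        Console.WriteLine(resolver.Resolve(Guid.Parse("8f3c1d2a-0b44-4e7a-9c61-2f0a5b7d1e90")));
        Console.WriteLine(resolver.Resolve(Guid.NewGuid()));
    }
}
```

The tenant ID passed to Resolve must come from the authenticated request context (token claim, host mapping, or similar), never from a caller-supplied header or query parameter: letting a client choose its tenant ID here would let it choose which regulation, and therefore which consent model and deadlines, apply to its requests.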

Granit.Privacy.Regulations ships 14 built-in profiles across two tiers (seven fully supported, seven configurable). A third tier is not shipped as profiles; it is the extension point for any custom regulation registered through IRegulationProfileProvider:

| Tier | Regulations |
| ---- | ----------- |
| Tier 1 (fully supported) | EU GDPR, UK GDPR, Brazil LGPD, USA CCPA/CPRA, Canada PIPEDA, Quebec Law 25, Switzerland nFADP |
| Tier 2 (configurable) | China PIPL, India DPDPA, Japan APPI, South Korea PIPA, Australia Privacy Act, South Africa POPIA, Thailand PDPA |
| Tier 3 (extensible) | Any custom regulation via IRegulationProfileProvider |

Each profile is an immutable PrivacyRegulationProfile record containing:

  • Consent model — OptIn (GDPR, LGPD), OptOut (CCPA), Hybrid, None
  • Legal bases — 6 for GDPR, 10 for LGPD (adds credit protection, health, research, life protection)
  • Response timelines — SAR deadline (30d GDPR, 15d LGPD, 45d CCPA), extensions, deletion, rectification
  • Deletion grace period — default and maximum days for deferred deletion
  • Breach notification — hours to notify authority (72h GDPR, 24h PIPL) and individuals
  • Age verification — minimum consent age (16 GDPR, 18 LGPD/DPDPA, 13 UK GDPR)
  • Cookie consent — opt-in (EU), opt-out (CCPA), GPC signal support
  • Cross-border transfers — required assessment, mechanisms (SCC, BCR, Adequacy, CAC)
  • Data localization — required for China PIPL (critical infrastructure)
  • DPO requirements — whether a DPO or local representative is needed

| Feature | EU GDPR | Brazil LGPD | USA CCPA | China PIPL | India DPDPA |
| ------- | ------- | ----------- | -------- | ---------- | ----------- |
| Consent model | Opt-in | Opt-in | Opt-out | Opt-in | Opt-in |
| Legal bases | 6 | 10 | N/A | 7 | 4 |
| SAR deadline | 30 days | 15 days | 45 days | 30 days | 30 days |
| Breach notify | 72h | Prompt | Unreasonable delay | 24h | TBD |
| Min. consent age | 16 | 18 | 16 | 14 | 18 |
| GPC required | No | No | Yes | No | No |
| Data localization | No | No | No | Conditional | No |

```csharp
public class SaudiPdplProfileProvider : IRegulationProfileProvider
{
    public void Define(IRegulationProfileContext context) =>
        context.Register(new PrivacyRegulationProfile
        {
            Regulation = PrivacyRegulation.Create("SA_PDPL"),
            DisplayName = "Saudi Arabia Personal Data Protection Law",
            JurisdictionCode = "SA",
            ConsentModel = ConsentModel.OptIn,
            // ... all fields explicitly set
        });
}
```

Register the provider at startup:

```csharp
services.AddGranitPrivacyRegulations(configuration, regulations =>
{
    regulations.AddProvider<SaudiPdplProfileProvider>();
});
```

Composite profiles for multi-regulation tenants

When a tenant operates under multiple regulations simultaneously (e.g., EU SaaS serving California users), create an explicit composite profile rather than relying on automatic merging:

```csharp
public class EuGdprUsCcpaCompositeProvider : IRegulationProfileProvider
{
    public void Define(IRegulationProfileContext context) =>
        context.Register(new PrivacyRegulationProfile
        {
            Regulation = PrivacyRegulation.Create("EU_GDPR+US_CCPA"),
            DisplayName = "EU GDPR + US CCPA Composite",
            JurisdictionCode = "EU",
            ConsentModel = ConsentModel.OptIn,      // GDPR wins
            HonorGlobalPrivacyControl = true,       // CCPA requirement added
            // ... all fields set by deliberate business decision
        });
}
```

| Method | Route | Operation |
| ------ | ----- | --------- |
| GET | /regulation | GetApplicableRegulation |

Returns the full PrivacyRegulationProfile for the current tenant — consent model, response timelines, breach notification deadlines, age thresholds, cookie consent rules, cross-border transfer requirements, and more.

IResponseDeadlineTracker calculates regulation-mandated response deadlines:

```csharp
DateTimeOffset deadline = await deadlineTracker.CalculateDeadlineAsync(
    PrivacyRequestType.SubjectAccessRequest,
    profile,
    requestedAt);
// GDPR → requestedAt + 30 days
// LGPD → requestedAt + 15 days
// CCPA → requestedAt + 45 days
```

All Tier 1 and Tier 2 regulations use calendar days. Applications needing business day calculation can provide a custom IResponseDeadlineTracker implementation.
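What a custom business-day tracker looks like next to the calendar-day behaviour, as an added example that is not Granit's own code. The interface, the profile record and the request-type enum below are minimal stand-ins shaped after the CalculateDeadlineAsync call shown above, not the library's real types; the SarDays, DeletionDays and RectificationDays property names and the holiday set are assumptions. The business-day variant counts in the controller's local calendar and skips weekends and listed public holidays, then places the deadline at the end of the resulting day.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;

// Assumed stand-ins for the library types used on this page.
public enum PrivacyRequestType { SubjectAccessRequest, Deletion, Rectification }

public sealed record DeadlineProfile(string Regulation, int SarDays, int DeletionDays, int RectificationDays);

public interface IDeadlineTracker
{
    Task<DateTimeOffset> CalculateDeadlineAsync(
        PrivacyRequestType type, DeadlineProfile profile, DateTimeOffset requestedAt);
}

// Calendar-day tracker: the behaviour the page describes for Tier 1 and Tier 2 profiles.
public sealed class CalendarDayDeadlineTracker : IDeadlineTracker
{
    public Task<DateTimeOffset> CalculateDeadlineAsync(
        PrivacyRequestType type, DeadlineProfile profile, DateTimeOffset requestedAt) =>
        Task.FromResult(requestedAt.AddDays(DaysFor(type, profile)));

    internal static int DaysFor(PrivacyRequestType type, DeadlineProfile profile) => type switch
    {
        PrivacyRequestType.SubjectAccessRequest => profile.SarDays,
        PrivacyRequestType.Deletion => profile.DeletionDays,
        PrivacyRequestType.Rectification => profile.RectificationDays,
        _ => throw new ArgumentOutOfRangeException(nameof(type)),
    };
}

// Business-day tracker: same day counts, but weekends and holidays do not consume a day.
public sealed class BusinessDayDeadlineTracker : IDeadlineTracker
{
    private readonly TimeZoneInfo _zone;
    private readonly IReadOnlySet<DateOnly> _holidays;

    public BusinessDayDeadlineTracker(TimeZoneInfo zone, IReadOnlySet<DateOnly> holidays)
    {
        _zone = zone;
        _holidays = holidays;
    }

    public Task<DateTimeOffset> CalculateDeadlineAsync(
        PrivacyRequestType type, DeadlineProfile profile, DateTimeOffset requestedAt)
    {
        int remaining = CalendarDayDeadlineTracker.DaysFor(type, profile);

        // Count in the controller's local calendar so a request arriving late on a
        // Friday evening UTC is still booked on Friday locally, not on Saturday.
        DateTimeOffset local = TimeZoneInfo.ConvertTime(requestedAt, _zone);
        DateOnly day = DateOnly.FromDateTime(local.DateTime);

        while (remaining > 0)
        {
            day = day.AddDays(1);
            if (IsBusinessDay(day))
                remaining--;
        }

        // Deadline is the end of the last counted business day, expressed in the local offset.
        DateTime deadlineLocal = day.ToDateTime(new TimeOnly(23, 59, 59));
        TimeSpan offset = _zone.GetUtcOffset(deadlineLocal);
        return Task.FromResult(new DateTimeOffset(deadlineLocal, offset));
    }

    private bool IsBusinessDay(DateOnly d) =>
        d.DayOfWeek is not (DayOfWeek.Saturday or DayOfWeek.Sunday) && !_holidays.Contains(d);
}

public static class DeadlineDemo
{
    public static async Task Main()
    {
        // Constructed profile with the LGPD SAR deadline from the table above (15 days);
        // the deletion and rectification values are placeholders for this demo.
        var lgpd = new DeadlineProfile("BR_LGPD", SarDays: 15, DeletionDays: 15, RectificationDays: 15);
        var requestedAt = new DateTimeOffset(2025, 1, 3, 18, 0, 0, TimeSpan.Zero); // a Friday, 18:00 UTC

        // Constructed holiday list: one holiday inside the counting window.
        var holidays = new HashSet<DateOnly> { new DateOnly(2025, 1, 20) };
        var zone = TimeZoneInfo.Utc;

        IDeadlineTracker calendar = new CalendarDayDeadlineTracker();
        IDeadlineTracker business = new BusinessDayDeadlineTracker(zone, holidays);

        Console.WriteLine(await calendar.CalculateDeadlineAsync(PrivacyRequestType.SubjectAccessRequest, lgpd, requestedAt));
        Console.WriteLine(await business.CalculateDeadlineAsync(PrivacyRequestType.SubjectAccessRequest, lgpd, requestedAt));
    }
}
```

Swap in a business-day tracker only where the regulation in question actually counts that way; the deadlines in the table above are calendar days, so a business-day tracker applied to a GDPR or CCPA profile would report a later date than the regulator will accept. Treat the computed deadline as the outer limit for escalation and alerting, not as the target date for the response itself.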