How to Submit a Data Deletion Request (2026)

If a company holds your personal data, you have the right to ask it to delete that data. Under California's CCPA, the EU's GDPR, and more than a dozen other US state laws, the company must comply within a set deadline or explain exactly why it cannot. This guide walks you through every step, from confirming that a law covers you all the way to filing a regulator complaint if the company refuses.
Step 1: Find Out Which Law (If Any) Covers You
Your right to request deletion is only as strong as the law behind it. Before drafting anything, spend two minutes confirming that a statute actually applies to your situation.
US residents. California residents get the broadest protection. The CCPA covers for-profit businesses doing business in California that meet at least one of three thresholds: annual gross revenue above $25 million; buying, selling, receiving, or sharing the personal information of 100,000 or more consumers or households per year; or deriving 50 percent or more of annual revenue from selling personal information (Cal. Civ. Code § 1798.140(d)). If you live in California and the company clears any one of those bars, the deletion right in Cal. Civ. Code § 1798.105(a) applies.
Virginia, Colorado, Connecticut, Texas, and several additional states have passed comprehensive consumer privacy laws with similar deletion rights. The US state privacy laws comparison breaks down which law applies to you by state and explains each law's business-size thresholds. If your state is not yet on the list, no statutory right may exist, though many companies honor deletion requests voluntarily regardless of legal obligation.
EU and UK residents. GDPR Article 17 applies to any data controller processing your personal data, regardless of the company's size or location. If the company offers goods or services to people in the EU, or monitors the behavior of people in the EU, GDPR applies. You do not need to have an account with the company; the right attaches to the processing of your data.
If no law covers you. You can still submit a polite deletion request in plain language. Many large companies extend CCPA-equivalent rights globally as a matter of policy. The answer may be yes even without a legal mandate behind it.
Step 2: Find the Business's Deletion Request Portal or Email
Under CCPA, covered businesses must provide at least two designated methods for receiving deletion requests. If the company has a website, one of those methods must be a web-based form or portal. The other must be a toll-free telephone number. Online-only businesses may substitute an email address (Cal. Civ. Code § 1798.130(a)(1)).
The fastest way to find the portal is to scroll to the footer of the company's main website. Look for links with labels such as "Privacy Rights," "Consumer Privacy Request," "Do Not Sell or Share My Personal Information," "Data Subject Rights," or "Privacy Choices." The company's privacy policy is also required to identify the submission method and is usually linked from the footer. Under GDPR Article 12 and Recital 59, controllers must also provide electronic means for requests made electronically.
California residents dealing with data brokers have an even faster option. The California Privacy Protection Agency launched the Delete Request and Opt-Out Platform (DROP) on January 1, 2026. DROP lets you authenticate once through the California Identity Gateway or Login.gov and submit a single deletion request that automatically reaches all 500-plus registered data brokers. Data brokers are required to begin processing DROP deletion requests starting August 1, 2026, and must complete each deletion within 90 days of receipt. Access DROP at privacy.ca.gov/drop/.
One important rule: a business may not require you to create a new account with it solely to submit a deletion request. If a portal blocks you with a mandatory signup wall, that practice itself may violate CCPA regulations.
Step 3: What to Include in Your Request
A well-drafted deletion request gives the company everything it needs to locate your records and process the request in the first cycle, with nothing left ambiguous that could delay or redirect you.
Include the following in every request.
Your full legal name. Use the name on file with the company, especially if you have an account under a maiden name or preferred name different from your current legal name.
Your email address or account username. This is how the company will match your request to its database. If you have multiple accounts, list them all.
Your mailing address if you had an offline relationship with the company (store purchases, physical deliveries, in-person services).
A clear, direct invocation of your deletion right and the specific statute. A sentence like the following works: "I am requesting the deletion of all personal information you hold about me pursuant to Cal. Civ. Code § 1798.105(a) (CCPA/CPRA)" or, for EU requests, "I am submitting a request for erasure of my personal data under GDPR Article 17." Naming the statute signals that you know your rights and makes it harder for a company to deflect.
Any account or order reference numbers that help the company locate your records quickly. The easier you make the search, the faster the response.
Keep the rest of your request factual and brief. Do not include your Social Security Number, financial account numbers, or other high-sensitivity identifiers unless the company specifically requires them. Under CCPA regulations, businesses may only use your verification data for the verification itself, not to update your profile, trigger outreach, or share with third parties.
Step 4: Identity Verification
Once you submit, the company will likely ask you to verify your identity before processing the request. This step is legitimate and required by CCPA regulations (Cal. Code Regs. tit. 11, §§ 7060-7061).
For moderate-sensitivity requests (the typical deletion request covering marketing data, browsing history, and purchase records), businesses use a "two-data-point match" standard. That means you confirm two pieces of information you would reasonably have provided to the company: for example, the email address on file plus a billing ZIP code, or an order confirmation number plus a delivery address.
For high-sensitivity data (such as financial account details, health information, or Social Security Numbers), the business may require three matching data points or a signed declaration under penalty of perjury.
A business cannot require you to create a new account to complete verification. It can only use the verification information for that single purpose. If a company uses your email address (collected solely for verification) to add you to a marketing list, that practice violates CCPA regulations.
Under GDPR Article 12(6), a controller may request additional information necessary to confirm your identity when there is reasonable doubt about who is making the request. That is a proportionate step, not a barrier. If the controller cannot verify your identity despite your cooperation, it should tell you within the standard response window rather than allowing the deadline to lapse silently.
Step 5: Using an Authorized Agent
You do not have to submit the deletion request yourself. Under CCPA, you may designate another person or a business entity registered with the California Secretary of State as an authorized agent to act on your behalf (Cal. Civ. Code § 1798.140(ak); Cal. Code Regs. tit. 11, § 7022). The company may require two things: written proof that you authorized the agent, and direct identity verification from you (the consumer) rather than through the agent.
This path matters most for people who cannot easily navigate online forms. A family member helping an elderly parent, a caregiver acting for someone with a disability, or a privacy attorney filing on a client's behalf can all use the authorized agent framework.
Virginia's VCDPA, Colorado's CPA, and Connecticut's CTDPA all contain similar authorized-agent provisions. If you are using an agent in a non-California state, check whether the business may require a notarized authorization form rather than a simple written statement. Some companies apply the stricter standard nationally.
Step 6: Response Timelines by Law
Knowing the deadline keeps you from waiting indefinitely and tells you exactly when a company has crossed into a violation.
CCPA (California). 45 calendar days from receipt of the verifiable request. The business may extend the period once by an additional 45 days (90 days total) but must notify you of the extension within the initial 45-day window and explain why extra time is needed (Cal. Civ. Code § 1798.130(a)(2)).
Virginia VCDPA. 45 calendar days, with a 45-day extension available for complex requests. The controller must notify you before extending (Va. Code Ann. § 59.1-577(B)).
Colorado CPA. Same 45-plus-45-day schedule as California and Virginia (Colo. Rev. Stat. § 6-1-1306(1)(a)(III)).
GDPR (EU/UK). One calendar month from receipt, extendable by a further two months for requests that are complex or numerous. The controller must notify you within the first month if it is using the extension and explain the reasons for the delay (GDPR Art. 12(3)).
All of these frameworks require businesses to respond free of charge. A company that demands a fee before processing your deletion request is not following the law. If the deadline passes without a response or an extension notice, the company is in violation.
What the Business Must Actually Do When It Deletes Your Data
Deletion under CCPA is not a matter of removing your name from one table in a marketing database. Under Cal. Civ. Code § 1798.105(c), once a covered business receives a valid deletion request, it must take three distinct actions.
First, it must delete your personal information from its own records. Second, it must direct all service providers and contractors (the cloud platforms, analytics vendors, and fulfillment partners it works with) to delete your information from their records as well. Third, it must notify any third parties that received your data to also delete it, unless doing so is impossible or involves disproportionate effort.
That third-party cascade is significant. If the company sold your email address to an advertising data cooperative two years ago, it must tell that cooperative to delete your record as well.
Under GDPR Article 17(2), the obligation goes one step further for data that was made public. If the controller published your personal data (a user profile, a social post, a photograph), it must take reasonable steps to inform all other controllers processing that data of your erasure request, including removal of links, copies, or replications of that data.
Common Exceptions: When a Business May Keep Your Data
Neither CCPA nor GDPR requires deletion in every circumstance. If a company cites an exception, it must identify which one applies and why.
CCPA exceptions (Cal. Civ. Code § 1798.105(d)). A business may retain your data to: complete the transaction or fulfill a warranty for which it was collected; detect, prevent, or investigate security incidents; debug errors; exercise free speech or other legal rights; comply with California's Electronic Communications Privacy Act; conduct lawful public, peer-reviewed scientific, historical, or statistical research in the public interest; use the data internally in ways that are reasonably aligned with your expectations based on your relationship with the business; or comply with a legal obligation.
GDPR exceptions (Art. 17(3)). The right to erasure does not apply to the extent that processing is necessary for: exercising the right to freedom of expression and information; compliance with a legal obligation or performance of a task in the public interest; public health interests under Article 9(2)(h) and (i); archiving, scientific or historical research, or statistical purposes under Article 89(1); or the establishment, exercise, or defense of legal claims.
If a company claims an exception that does not fit your situation (for example, citing "legal obligation" when you are simply a newsletter subscriber), that denial is worth appealing and, if necessary, escalating to a regulator.
Step 7: If the Company Refuses, Appeal and Escalate
A denial is not necessarily the end of the road. The process depends on which law applies to your situation.
California (CCPA/CPRA). First, review the denial to confirm whether the company cited a valid exception from Cal. Civ. Code § 1798.105(d). If the denial does not cite a specific exception, or if the cited exception does not appear to fit, file a complaint with the California Privacy Protection Agency at cppa.ca.gov or with the California Attorney General at oag.ca.gov. The CPPA may impose administrative fines of up to $2,500 per unintentional violation and $7,500 per intentional violation. The AG holds concurrent enforcement authority and has previously reached multimillion-dollar settlements in consumer privacy cases.
CCPA's private right of action is limited to data breach cases under § 1798.150. For a refused or ignored deletion request, your remedy is a regulator complaint rather than a personal lawsuit. You cannot sue the company directly over a deletion refusal.
Virginia (VCDPA). Virginia Code § 59.1-577(C) requires covered controllers to maintain a written appeal process. After a denial, submit a formal appeal through the company's appeals mechanism. The controller must respond in writing within 60 days with a reasoned explanation. If the appeal is also denied, the company must provide you with a direct path to contact the Virginia Attorney General to file a complaint. Virginia's law also has no private right of action.
Colorado (CPA). The Colorado Privacy Act requires an appeal process as well. After exhausting the internal appeal, you can contact the Colorado Attorney General's office, which has enforcement authority over CPA violations.
GDPR (EU/UK). Lodge a complaint with the data protection authority (DPA) in the EU member state where you live or work. If the controller is based in another country, file with the lead supervisory authority for that controller. France's CNIL, Germany's state-level DPAs, and Ireland's Data Protection Commission (DPC) are among the most active. GDPR fines can reach EUR 20 million or 4 percent of global annual revenue, whichever is higher. UK residents file with the Information Commissioner's Office (ICO). The right to lodge a complaint with a supervisory authority is guaranteed by GDPR Article 77 and costs you nothing.
For related consumer privacy steps, see our guides on how to opt out of data brokers and how to file a data privacy complaint.
GDPR Erasure: Special Considerations for EU Residents
If you are in the EU or UK, your right to erasure under GDPR Article 17 is separate from US state privacy rights and in several ways broader.
GDPR applies to any controller processing your personal data regardless of the company's size. There is no revenue threshold and no data-volume threshold. A small online retailer that shipped you a package once is still subject to the regulation if it is targeting EU consumers.
Your six grounds for requesting erasure are: (a) the personal data are no longer necessary for the purpose for which they were collected; (b) you withdraw the consent on which the processing was based and no other legal basis exists; (c) you object to the processing under Article 21 and no overriding legitimate grounds exist; (d) the personal data were processed unlawfully; (e) erasure is required by EU or Member State law; and (f) the personal data were collected in relation to information society services offered to a child (GDPR Art. 17(1)).
Ground (b), withdrawal of consent, is frequently overlooked. If a company has been emailing you under a "consent" legal basis and you withdraw that consent, you can pair the withdrawal with an erasure request. The combined effect is both to stop the processing and to remove your historical data.
Ground (c), objection under Article 21, works even when the controller relies on legitimate interests rather than consent. Once you object, the controller can only continue processing if it can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
GDPR Recital 65 specifically highlights children's data as a priority erasure use case. If data about your child was collected online, the erasure grounds are especially strong.
The response window is one month, extendable to three months for requests the controller characterizes as complex or numerous. All responses are free of charge. For search result erasure (the classic "right to be forgotten" scenario), your request goes to the search engine itself, not just the originating site.
For a deeper look at GDPR Art. 17 including the landmark Google Spain ruling and how to make requests to search engines, see our GDPR right to be forgotten guide. To understand how GDPR deletion rights compare to CCPA's approach in detail, see our CCPA opt-out rights guide.
Related guides
- How to Opt Out of Data Brokers (2026)
- How to File a Data Privacy Complaint (2026)
- US State Privacy Laws Comparison Chart (2026)
- CCPA Opt-Out Rights: Do Not Sell or Share My Personal Information (2026)