How to Send a CCPA Deletion Request (With Free Template)
The short version: if you are a California resident, the California Consumer Privacy Act (CCPA, as amended by the CPRA) gives you the legal right to demand that a covered business delete the personal information it has collected about you. You submit the request through the business's designated method (usually a web form or a privacy email address), the business must confirm receipt within 10 business days, and it must comply within 45 calendar days — extendable once by another 45 days with notice. Data brokers must honor verified deletion requests; refusal is enforceable by the California Privacy Protection Agency (CalPrivacy) and the Attorney General. A free copy-paste template is below.
You do not need a lawyer, a notary, or a fee. You need the right wording, the right recipient, and a paper trail.
Who has to comply
The CCPA applies to for-profit businesses that collect Californians' personal information and meet at least one of these thresholds (Cal. Civ. Code § 1798.140):
- Roughly $25 million or more in annual gross revenue (the figure is CPI-adjusted), or
- Buys, sells, or shares the personal information of 100,000 or more consumers or households per year, or
- Derives 50% or more of annual revenue from selling or sharing personal information.
Every data broker registered with California meets these tests — that is what makes the CCPA the single most useful removal tool in the country. As of mid-2026 there are more than 600 data brokers registered with CalPrivacy, a record high (privacy.ca.gov).
Not a California resident? Nineteen other states have their own deletion rights — see our state-by-state privacy law guide and our comparison of which rights you actually have under CCPA, CPRA, and your state's law. In practice, many brokers process deletion requests from any state because maintaining state-by-state logic costs more than complying.
Step 1: Find the designated request method
Businesses must publish at least two request methods, typically in the privacy policy under a heading like "Your California Privacy Rights." Look for:
- A "Do Not Sell or Share My Personal Information" or "Privacy Request" link in the site footer
- A dedicated web form (most large brokers use one)
- A privacy email address (privacy@..., legal@...)
Use the designated method. A request sent to the designated channel starts the legal clock; a tweet or a support-chat message may not.
Step 2: Send the request (free template)
Copy, fill in the brackets, and send:
Subject: CCPA Request to Delete Personal Information
To whom it may concern:
I am a California resident. Under the California Consumer Privacy Act, Cal. Civ. Code § 1798.105, I request that you delete all personal information you have collected about me, and that you direct your service providers and contractors to do the same.
To help you locate my records:
- Full name: [YOUR NAME, plus common variants]
- Current address: [ADDRESS]
- Prior addresses (last 10 years): [ADDRESSES]
- Email address(es): [EMAILS]
- Phone number(s): [PHONES]
- Profile URL(s) on your site, if applicable: [URLS]
Please also confirm, per § 1798.130, that you have:
- Deleted my personal information from your records;
- Notified any service providers, contractors, and third parties to whom you sold or shared my personal information;
- Ensured my information will not be re-added from the same sources ("suppressed"), where required.
I understand you must confirm receipt of this request within 10 business days and respond substantively within 45 calendar days. If you extend the deadline, please provide notice with the reason for the delay.
If you do not act on this request, please explain the specific statutory exception you are relying on.
[NAME] [DATE]
Only provide the identity details the broker already trades in — the point is to help them find the records, not to hand over new data. Never send a Social Security number or a photo of your ID unless the business's verification process lawfully requires it for sensitive records.
Step 3: Pass verification
Businesses must verify that you are who you say you are before deleting (11 CCR § 7060–7062). For people-search brokers this is usually an email confirmation link or matching the details you supplied against the profile. If a business demands documentation wildly out of proportion to the data at stake, that itself is a compliance red flag worth noting in a complaint.
Step 4: Calendar the deadlines
- 10 business days: the business must confirm it received your request.
- 45 calendar days: the business must comply or deny with a stated statutory reason.
- +45 days: one extension is allowed, but only with notice to you explaining why.
Record the date sent, the channel, and every response. If the deadline passes silently, follow up once in writing referencing your original request date.
Step 5: Escalate if ignored
If a broker blows the deadline or refuses without citing a valid exception:
- File a complaint with CalPrivacy at privacy.ca.gov — the agency has active enforcement authority over data brokers.
- File with the California Attorney General at oag.ca.gov/contact/consumer-complaint-against-business-or-company.
- Your paper trail (dates, channel, non-response) is what makes the complaint actionable.
The one-request-to-all-brokers alternative: DROP
Since January 1, 2026, California residents can skip the broker-by-broker loop for registered data brokers entirely: the state's DROP platform (Delete Request and Opt-out Platform) sends a single verified deletion request to every registered data broker, with mandatory processing starting August 1, 2026. More than 300,000 Californians signed up in the first five months (privacy.ca.gov). We wrote a full explainer: California Delete Act & DROP, explained.
DROP covers registered California data brokers. It does not cover businesses that are not data brokers, out-of-registry people-search sites, or data that has already propagated into breach dumps — for those, individual CCPA requests (this guide) and ongoing monitoring still matter.
Frequently asked questions
How long does a CCPA deletion request take?
The business must confirm receipt within 10 business days and substantively respond within 45 calendar days of receiving your request. One 45-day extension is permitted, but only if the business notifies you with the reason. In practice, most large data brokers process web-form deletion requests in days, not weeks.
Can a business refuse to delete my data?
Only by citing a statutory exception — for example, completing a transaction you requested, security and fraud prevention, legal compliance, or certain internal uses compatible with your expectations (Cal. Civ. Code § 1798.105(d)). A refusal must tell you which exception applies. "We don't do that" is not an exception; it is a complaint waiting to be filed.
Do I have to be a California resident to send one?
The legal right belongs to California residents. But many brokers apply one process nationwide because segmenting by state costs more than complying. If you live elsewhere, check whether your state grants deletion rights — 20 states have comprehensive privacy laws as of 2026 — and send the request anyway, citing your own state's statute where one exists.
Is a CCPA deletion request the same as a DROP request?
No. A CCPA deletion request goes to one business at a time and works on any covered business. A DROP request is a single state-run request that all registered California data brokers must honor, with processing mandatory from August 1, 2026. Use DROP for registry brokers; use direct CCPA requests for everything else.
What if my data comes back after deletion?
Reappearance is common across the industry — brokers continuously re-ingest public records. Deletion requests submitted through DROP carry an ongoing suppression obligation for registered brokers. For everything else, re-check quarterly and re-submit. This maintenance loop is the main reason people use monitoring services.
If you would rather not run this loop by hand: Sirveil scans 200+ data brokers, people-search sites, and breach databases for your exposed profile, shows you each finding for a quick "is this me?" check, and prepares legally-cited removal requests — you review and initiate every takedown, and monthly re-scans put relisted records one tap from the next removal. $7.99/month or $79.99/year, on Google Play and the App Store.
Sources cited: Cal. Civ. Code §§ 1798.105, 1798.130, 1798.140; CalPrivacy regulations (11 CCR §§ 7060–7062); privacy.ca.gov DROP announcements (June 2026). Last verified July 2026. This article is general information, not legal advice.