Under the California Consumer Privacy Act (CCPA), California residents have the right to request deletion of their personal information. For businesses, deletion requests create some of the most complex operational obligations under the CCPA, involving identity verification, statutory exceptions, response timelines, and documentation. This article explains what the CCPA right to delete means in practice, when deletion is required, when a business may lawfully refuse or limit deletion, and how deletion requests should be handled within broader consumer rights workflows.
Handling Deletion Requests Under the CCPA: What Businesses Must Do
The right to delete is one of the most widely exercised consumer rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). It gives California residents the ability to ask businesses to remove personal information that has been collected from them.
In practice, deletion requests are rarely straightforward. Businesses must balance consumer rights with legal retention obligations, security needs, fraud prevention, and internal operational requirements. Many enforcement actions and complaints arise not because businesses ignore deletion requests, but because they misunderstand when deletion is required and when lawful exceptions apply.
What is the CCPA’s right to delete?
The CCPA right to delete allows a consumer to request that a business delete personal information it has collected from the consumer, subject to specific statutory exceptions.
This right applies when:
- The business is subject to the CCPA
- The requester is a California resident
- The personal information was collected from the consumer
However, deletion is not absolute. The CCPA does not require businesses to erase personal information in every circumstance. Instead, it establishes a default obligation to delete, followed by a defined list of situations where retention is permitted or required.
Is California a right to delete state?
Yes. California is commonly referred to as a "right to delete" state because the CCPA explicitly grants consumers the right to request deletion of their personal information.
However, this right exists within a structured legal framework. Businesses are expected to evaluate each deletion request against statutory exceptions and respond accordingly. Treating deletion as automatic can be just as risky as refusing deletion without justification.
Which deletion requests are subject to the 45-day response timeline?
Deletion is a request-based consumer right. Deletion requests, often referred to as data subject requests, follow the same response timing framework as access and correction requests.
In most cases, businesses must:
- Confirm receipt of the deletion request within 10 business days
- Provide information about the verification process and expected response timing
- Verify the identity of the requester
- Respond to the request within 45 days of receiving it, subject to a possible extension
For a detailed explanation of how the response clock works, see our guide on the CCPA 45-day response timeline.
Verifying identity for deletion requests
Before deleting personal information, businesses must take reasonable steps to verify that the requester is the consumer whose data would be affected.
Verification requirements vary based on the nature of the data and the risk of harm from unauthorized deletion. In practice, businesses often rely on:
- Email-based verification links sent to the address on file
- Re-authentication through an existing account
- Matching information provided in the request against data already maintained
If identity cannot be verified, the business may deny the deletion request but must explain the reason in its response. Verification obligations are explained in more detail in our article on verifying identity under the CCPA.
When must a business delete personal information?
Once a deletion request is verified, the business must delete the personal information unless a statutory exception applies.
In practice, deletion may involve:
- Removing personal information from active records and systems
- Applying permitted technical measures, such as de-identification or aggregation, where consistent with the CCPA and its regulations
- Instructing service providers or contractors to delete the data
Deletion obligations apply to personal information collected from the consumer and extend to downstream processors where applicable.
When can a business refuse to delete personal information?
The CCPA allows businesses to retain personal information when deletion would interfere with specific permitted purposes.
Common deletion exceptions include, but are not limited to, retaining information to:
- Complete a transaction or provide a service requested by the consumer
- Detect security incidents or protect against fraudulent activity
- Debug systems or fix errors
- Comply with legal obligations
- Exercise or defend legal claims
- Use the information internally in a lawful manner compatible with the original purpose
These exceptions are grounded in the CCPA statute and further clarified by CPPA regulations. Applying exceptions consistently and documenting the rationale is critical.
Deletion exceptions under the CCPA
| Deletion exception | When it applies | Practical example |
|---|---|---|
| Legal obligation | Retention required by law | Retaining transaction records for tax purposes |
| Security and fraud prevention | Needed to detect or prevent wrongdoing | Keeping logs to investigate suspected fraud |
| Contractual performance | Required to complete a transaction | Retaining shipping details for an active order |
| Internal uses aligned with purpose | Compatible with original collection purpose | Maintaining account history for dispute resolution |
| Legal claims | Necessary to establish or defend claims | Preserving records related to pending litigation |
What happens if a deletion request is denied?
If a business denies a deletion request in whole or in part, it must:
- Inform the consumer of the denial
- Explain the basis for the decision
- Identify the applicable exception
Blanket refusals or vague explanations can increase enforcement risk. Clear, request-specific responses are expected.
Do businesses have to notify service providers?
Yes. When a business deletes personal information in response to a valid request, it must also instruct its service providers and contractors to delete the information and notify any third parties to whom the business sold or shared the information to do the same, unless doing so proves impossible or involves disproportionate effort.
This requirement highlights the importance of data mapping and vendor coordination when handling deletion requests.
Practical example: handling a CCPA deletion request
A California resident submits a deletion request through a company’s privacy request form. The business acknowledges receipt and initiates identity verification by sending a verification link to the email address associated with the account.
After verification, the business reviews the personal information it collected from the consumer across internal systems. Certain data elements are deleted, while others are retained under a legal obligation to comply with tax and recordkeeping requirements.
Within the 45-day response period, the business confirms deletion and clearly explains which data was retained and why. All steps are documented internally as part of the business’s consumer rights records.
How deletion requests fit into broader CCPA consumer rights obligations
Deletion is one part of the broader consumer rights framework under the CCPA and CPRA. It interacts closely with:
- Identity verification requirements
- Response timelines
- Data minimization and retention practices
- Vendor and service provider management
For a broader overview, see our guides on consumer rights under the CCPA and CPRA and the CCPA compliance guide for businesses.
How Clym helps businesses manage CCPA deletion requests
Businesses install Clym on their website to allow consumers to submit deletion requests through the Clym widget or the Governance Portal.
Once submitted, requests appear in the Clym Control Center, where businesses can:
- View and track deletion requests in one place
- Monitor response deadlines
- Communicate with requesters
- Record verification steps and outcomes
- Maintain documentation for audits or regulatory inquiries
This structured approach helps businesses handle deletion requests consistently across domains.
Key takeaway
The CCPA right to delete is a powerful consumer right, but it is not absolute. Businesses must delete personal information when required, retain it when legally permitted, and clearly explain their decisions. Well-designed deletion workflows, supported by verification, exception analysis, and documentation, are central to managing this obligation effectively.
Frequently asked questions about the CCPA right to delete
The CCPA requires businesses to delete personal information collected from a consumer upon a verified request, unless a statutory exception applies. This obligation applies only after the business confirms the requester’s identity and evaluates whether retention is permitted under the law.
Privacy rights under the CCPA apply to California residents whose personal information is collected by a business subject to the law. These rights are consumer-specific and apply regardless of where the business is physically located.
In practice, the right to delete means businesses must evaluate what personal information can be deleted, what must be retained under an exception, and how to communicate those decisions clearly to the consumer. Deletion is not automatic and requires verification, exception analysis, and proper documentation.
The 45-day response period begins on the date the business receives the deletion request. The clock does not pause for identity verification. Businesses must complete verification, evaluate applicable exceptions, and respond within the response window. A single extension of up to 45 additional days is permitted when reasonably necessary, provided the consumer is informed.
Yes. A business may refuse to delete personal information when retention is permitted or required by law. Common reasons include complying with legal obligations, preventing fraud or security incidents, completing a transaction requested by the consumer, or exercising or defending legal claims.
Certain personal information may be exempt from deletion when retaining it is necessary for specific purposes defined by statute. These include legal compliance, security and fraud prevention, contractual performance, internal uses compatible with the original purpose of collection, and other legally protected activities. Businesses must apply these exemptions on a request-by-request basis and explain any retention clearly.
Yes. The CCPA permits partial deletion when only some personal information is eligible for deletion and other data must be retained under a statutory exception. In these cases, businesses should inform the consumer which information was deleted, which was retained, and the legal basis for retention.
The CCPA does not require businesses to immediately delete personal information from backup or archival systems if doing so is not reasonably feasible. However, businesses should ensure that deleted personal information is not restored into active systems and is not used for any purpose other than those permitted by law.
In most cases, no. Businesses may not charge a fee for processing a deletion request. A fee may only be charged, or a request refused, if it is manifestly unfounded or excessive, such as in cases of repetitive requests. Any such decision must be justified and communicated to the consumer.
Businesses are expected to maintain reasonable records demonstrating how deletion requests were handled. This typically includes documentation of the request, verification steps, response timing, deletion actions taken, and any exceptions applied, supporting audit readiness and regulatory inquiries.
Failing to respond to a valid deletion request within the required timeframe can expose a business to enforcement action by California regulators. This may include investigations, corrective action requirements, and administrative penalties, making timely and well-documented responses essential.