🆕  2025 U.S. State Privacy Laws: what you need to know

CCPA right to deletion: What businesses need to know

Understand the California Consumer Privacy Act (CCPA)'s right to delete and learn to handle data deletion requests, apply exceptions, and stay compliant with recent updates.
Read time
5 min read
Last updated
November 6, 2024
Ketch is simple,
automated and cost effective
Book a 30 min Demo

With the California Consumer Privacy Act (CCPA), and its amendment, the California Privacy Rights Act (CPRA), consumers have gained powerful rights over their data—including the right to delete. Let's walk through what this means for your business, how to handle deletion requests, and the latest legislative updates.

What is the right to delete, and why does it matter?

Under the CCPA, consumers have the right to request deletion of personal information your business collects. The CPRA strengthens this right by extending deletion requirements to third-party vendors with whom you’ve shared the consumer's information. This means businesses must ensure not only their own compliance but also the compliance of their service providers.

As a result, a business must comply with deletion by:

  • Completely and permanently erasing someone’s personal information on its active systems
  • De-identifying personal information
  • Aggregating personal information

Businesses that store personal information on archived or backup systems can delay deletion compliance requests until said systems are either restored or re-accessed or used for a disclosure, sale, or commercial purpose.

Read further: CCPA opt-out

What information needs to be deleted?

With some exceptions, the right to deletion applies to all CCPA personal information, which is defined as follows:

Personal information is information that identifies, relates to, or could reasonably be linked with you or your household. For example, it could include your name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics.

Source: California Consumer Privacy Act (CCPA)

Types of data subject to deletion requests

The CCPA classifies personal information broadly, covering data that could identify or link to an individual, such as:

  • Customer names, contact details, and demographic info
  • Financial and employment records
  • Location data, browsing history, and purchase behaviors
  • Inferences from consumer data profiling

The CPRA expands the definition of personal information to include sensitive data, which includes:

  • Social security numbers, financial accounts, and government IDs
  • Precise geolocation data
  • Racial or ethnic origin, religious beliefs, and genetic data

Understanding these expanded data categories is essential for meeting CPRA compliance standards, as sensitive information is now treated with added care.

Go further: Understanding the CCPA data subject access request

Exceptions to the CCPA right to deletion

The CCPA and CPRA outline several situations where data deletion isn’t mandatory, allowing businesses to retain data when necessary for:

  • Transaction fulfillment and contractual obligations
  • Security, fraud detection, and debugging
  • Legal compliance and specific research purposes

By understanding these exceptions, your business can make informed decisions on when deletion requests may be denied and how to communicate these cases to consumers.

Can I deny a request to delete?

Apart from the exceptions, businesses and service providers can also deny deletion requests if the identity of the individual requesting deletion can’t be verified or if the personal information in question wasn’t collected from the consumer by the business.

Read more: Who does the CCPA apply to?

‍

Processing a deletion request: a quick guide for businesses

To stay compliant with both the CCPA and CPRA, it’s critical to have a smooth process for handling deletion requests. Here’s a streamlined approach:

  1. Designate accessible channels for receiving deletion requests, such as online forms or a customer service hotline.
  2. Verify the consumer’s identity to prevent unauthorized deletions.
  3. Notify third-party vendors who have received the consumer’s information, ensuring they also delete it.
  4. Acknowledge receipt within 10 days and process requests within the mandated 45-day period, keeping consumers informed of progress.

Read further: CCPA compliance software

How to comply with CCPA right to delete

In their regulation, the CCPA details what businesses must do to comply with consumers’ right to delete. These include updating your privacy policy, providing channels through which consumers can request that their data be deleted, and keeping a record of deletion requests.

Privacy Policy

Businesses must review and update their privacy policies to detail consumers’ data privacy rights, as well as explain how these rights can be exercised. A CCPA privacy policy, then, must disclose the right to deletion and describe the method to submit deletion requests.

Data deletion requests

Businesses are required to provide two methods to submit data deletion requests. These should fit the way your business interacts with your consumer.

For example, a clothing shop that has a website can provide both a toll-free number and an online form their customers can use to submit their requests. These avenues should be separate from other contact points such as helplines or customer service emails.

Data deletion process

Upon receiving a data deletion request, a business must confirm receipt within ten days and provide information about how the request will be processed. A business must also inform the consumer within forty-five days, regardless of the time required to verify the request, whether it has complied with the request or not.

If the business complies, it has to inform the consumer that a record of the request will be kept to ensure that the data remains deleted.

If the business denies the request under an exemption, it must inform the consumer that it won’t comply, that it won’t delete any information that is subject to the exemption, and that it won’t use the data for any purpose other than the exemption.

If the request is denied due to failed verification, a business must direct the consumer to proper processing.

Record-Keeping

Businesses must keep a record of CCPA-pursuant requests for at least twenty-four months. These should be maintained, and they can’t be used for any purpose other than those that comply with the law.

Recent updates: the California Delete Act and CPRA impacts

The 2023 California Delete Act (SB 362) further empowers consumers by allowing them to delete their information across all registered data brokers with a single request. Meanwhile, the CPRA has established a new regulatory agency, the California Privacy Protection Agency (CPPA), which oversees compliance and has the power to issue penalties for non-compliance.

For businesses, this means greater accountability and potential penalties if deletion requests are mishandled or if vendor compliance isn’t ensured. To streamline compliance, consider automated tools that manage both consumer requests and vendor communication.

For comprehensive compliance support or to explore tools that can help manage CCPA and CPRA requests, contact the privacy experts at Ketch. Protect consumer trust and stay ahead of California’s evolving privacy regulations.

CCPA/CPRA compliance is key

The right to delete is only one of four main rights afforded by the CCPA. Any business that does business in California or with California residents must comply with all of them.

So it’s good practice to stay informed and to review your business’s current data practices to see if they are in line with the law. Otherwise, you’re at risk of paying hefty fines or losing business in the state.

To learn more about CCPA compliance and consent management platform software, contact the privacy experts at Ketch today.

‍

Read time
5 min read
Published
November 10, 2021
Need an easy-to-use consent management solution?

Ketch makes consent banner set-up a breeze with drag-and-drop tools that match your brand perfectly. Let us show you.

Book a 30 min Demo

Continue reading

Product, Privacy tech, Top articles

Advertising on Google? You must use a Google certified CMP

Sam Alexander
3 min read
Marketing, Privacy tech

3 major privacy challenges for retail & ecommerce brands

Colleen Barry
7 min read
Marketing, Privacy tech, Strategy

Navigating a cookieless future with Google Privacy Sandbox

Colleen Barry
7 min read
Get started
with Ketch
Begin your journey to simplified privacy operations and granular data control across the enterprise.
Book a Demo
Ketch was named top consent management platform on G2