The right to delete personal data—sometimes called the right to erasure or right to be forgotten—allows you to request that businesses remove your personal information from their systems. This powerful privacy right exists in California, Virginia, Colorado, Texas, and other states with comprehensive privacy laws. Understanding how deletion rights work helps you take control of your digital footprint.
What the Right to Delete Covers
The right to delete applies to personal data businesses have collected about you, including information you provided directly (such as account registration data, purchase history, and form submissions) and information collected from other sources (such as data purchased from brokers, public records, or tracking across websites).
Personal data subject to deletion includes names, addresses, email addresses, phone numbers, browsing history, purchase records, search queries, location data, and other information that identifies or relates to you. The specific categories vary by state law but generally cover any data linked to an identified or identifiable individual.
When you submit a valid deletion request, businesses must delete your data from their own systems and instruct any service providers or processors who have received your data to delete it as well. This ensures your information is removed throughout the business data ecosystem.
States Where Deletion Rights Apply
Comprehensive privacy laws in multiple states provide deletion rights. California CCPA was first, followed by Virginia, Colorado, Connecticut, Utah, and others. Texas, Oregon, Montana, and additional states have enacted laws that take effect in 2024 and 2025.
Your right to delete depends on where you live, not where the business is located. California residents can request deletion from any covered business regardless of the business location. The same applies to residents of other states with privacy laws.
Some states have additional deletion provisions in sector-specific laws. Illinois biometric privacy law includes deletion requirements for biometric data. Other states have laws requiring deletion of specific data types even without comprehensive privacy legislation.
How to Submit a Deletion Request
Start by locating the business privacy policy or privacy rights page. Most businesses with privacy obligations provide a dedicated method for submitting requests, such as an online form, email address, or toll-free number. Look for links labeled Privacy, Do Not Sell My Info, or Consumer Rights.
When submitting your request, provide enough information for the business to verify your identity and locate your data. This typically includes your name, email address, and any account information you have with the business. Some businesses may ask you to verify through your existing account or by responding to a verification email.
Be specific about what you are requesting. State that you are exercising your right to delete personal data under the applicable state law (CCPA, VCDPA, CPA, etc.). You can request deletion of all personal data or specific categories if you only want certain information removed.
What to Expect After Submitting
Businesses must acknowledge your request and respond within the timeframe specified by law—typically 45 days, with a possible 45-day extension. The acknowledgment should confirm receipt and explain the verification process if additional steps are needed.
The business may contact you to verify your identity. This protects against fraudulent deletion requests that could harm the actual consumer. Verification methods include confirming account credentials, matching personal information, or responding to emails sent to addresses on file.
Once your identity is verified and the request is processed, the business should confirm that your data has been deleted. Some businesses provide detailed confirmation of what was deleted; others provide general confirmation that the request was completed.
Exceptions to Deletion Rights
Businesses can retain data in certain circumstances even after receiving valid deletion requests. Common exceptions include data necessary to complete transactions you initiated, provide products or services you requested, perform under a contract with you, comply with legal obligations (such as tax records or litigation holds), detect security incidents or fraud, exercise free speech or other legal rights, and conduct research in the public interest.
The legal obligation exception is particularly significant. Businesses may need to retain certain records for tax purposes, regulatory compliance, or pending litigation. They cannot delete data they are legally required to maintain.
Service provider and processor relationships may also affect deletion. If data has been shared with third parties for processing on the business behalf, the business must instruct those parties to delete. However, if data was sold to third parties who now control it independently, deletion from the original business does not automatically delete it from purchasers.
When Businesses Deny Deletion Requests
If a business denies your request, they must explain why. Common reasons include inability to verify your identity, an applicable exception to deletion rights, or the business determination that it is not covered by the applicable privacy law.
You have the right to appeal denied requests under most state laws. The appeal process requires the business to review the denial and respond within a specified timeframe. If the appeal is denied, you should be informed of how to file a complaint with the state Attorney General.
Document all communications related to your request. Keep copies of your initial request, any verification you provided, the business responses, and any appeal you submit. This documentation supports complaints to regulators if the business fails to comply with its legal obligations.
Tips for Effective Deletion Requests
Submit requests through the specific methods businesses provide rather than general customer service channels. Privacy request systems are designed to route requests appropriately and track response deadlines.
Include your state of residence in the request. This helps the business determine which law applies and ensures they process your request under the correct legal framework.
Follow up if you do not receive a response within the required timeframe. Businesses occasionally miss deadlines or lose requests. A follow-up referencing your original submission date puts them on notice of the potential violation.
Consider using authorized agents or services that submit deletion requests on your behalf. Several companies offer to submit requests to multiple businesses at once, helping you clear your data from many sources efficiently.
Limitations of Deletion Rights
Deletion removes data from the specific business you contact but does not remove data from other businesses that may have the same information. To comprehensively reduce your digital footprint, you may need to submit requests to multiple businesses including data brokers.
Deleted data may persist in backups for some time. Businesses typically do not immediately purge backup systems but should exclude deleted data from restoration. Some state laws specify that data must be deleted from backups within a reasonable timeframe.
Deletion does not prevent future data collection. If you continue interacting with a business, they may collect new data about you. To prevent future collection, you may need to close accounts, opt out of tracking, or stop using the service entirely.
Conclusion
The right to delete personal data is one of the most powerful tools available under state privacy laws. By understanding how to submit effective deletion requests and what to expect from the process, you can systematically reduce the amount of personal information businesses hold about you. While exceptions and limitations exist, deletion rights provide meaningful control over your digital footprint.