Under California's CCPA (as amended by CPRA, effective January 1, 2023), California residents have the right to request that covered businesses delete their personal information, subject to statutory requirements and exceptions. This applies to for-profit businesses meeting specific thresholds, such as annual revenue over $25 million or handling personal information of 100,000 or more consumers or households. Businesses must comply with express statutory requirements under CCPA. To act, contact the business through its designated method, such as a privacy policy page or email, and provide verification as needed for a verifiable consumer request. This does not cover employee or applicant data, which had exemptions until at least January 1, 2023. CCPA is separate from other privacy laws like GDPR or Colombia data protection rules.
What Controls a CCPA Delete My Data Request
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) effective January 1, 2023, governs deletion requests. It grants California consumers rights over personal information collected by covered businesses. Businesses must comply with express statutory requirements outlined in the law.
CCPA regulations were issued on August 14, 2020, and amended on March 15, 2021. These set the framework for how businesses handle consumer requests, including deletion. Official guidance from the California Attorney General confirms these elements as the controlling rules.
Who Qualifies and What Counts as Covered
CCPA applies to California residents making requests to covered businesses. A business qualifies if it does business in California and meets thresholds like annual gross revenues over $25 million, or buys/sells/shares personal information of 100,000 or more consumers or households annually, or derives 50% or more of revenue from selling consumers' personal information.
Rights focus on personal information collected from the consumer. Employee or applicant data falls outside consumer rights under CCPA, with exemptions noted until at least January 1, 2023. Check the business's privacy policy for any CCPA compliance notice to confirm coverage.
How to Submit a CCPA Deletion Request
Locate the business's privacy policy or "Do Not Sell or Share My Personal Information" page, often linked in the website footer. Submit the request via their specified method, such as an online form, email to a privacy address, toll-free number, or mail.
Prepare verification for a "verifiable consumer request," such as account details, prior emails, or purchase records showing data collection. Keep records of your submission, including date, method, and any confirmation received. Official CCPA guidance emphasizes using the business's process.
| Step | Action | Evidence to Gather |
|---|---|---|
| 1 | Find privacy policy | Screenshot |
| 2 | Submit request | Copy of submission form/email/ticket number |
| 3 | Verify identity | Account login, transaction IDs, prior correspondence |
| 4 | Track response | All business replies and dates |
What Does Not Control CCPA Deletion Requests
CCPA deletion requests follow California-specific rules and differ from EU GDPR "right to be forgotten" processes or Colombia data protection laws like Ley 1581. A domain like consumoteca.com.co does not shift jurisdiction to Colombia; CCPA applies based on the consumer's residency and business coverage.
These are not general merchant refunds, subscription cancellations, or purchase disputes. Federal FTC privacy guidance does not substitute for CCPA rights or procedures.
Escalation If a Business Does Not Comply
Before pursuing legal action under CCPA, provide the business with written notice identifying the specific CCPA sections violated. Allow 30 days for the business to respond in writing that the violations have been cured and no further violations will occur.
Contact the California Attorney General or California Privacy Protection Agency (CPPA) to report non-compliance. No additional fees or deadlines apply beyond this confirmed 30-day cure period.
FAQ
Does CCPA apply outside California?
No, CCPA covers California residents, regardless of their location when making the request.
What if the business ignores my request?
Send written pre-suit notice specifying violated CCPA sections and allow 30 days to cure, per official guidance.
How do I know if a business is covered by CCPA?
Review their privacy policy for CCPA mentions or check if they meet revenue or data-handling thresholds.
Are there exceptions to deletion?
Official sources confirm exceptions exist, such as for legal obligations; review the business policy for details.
Next, review the target business's privacy policy and submit your verifiable request with supporting evidence. Retain all records for potential escalation.