Data Deletion Requests in 2026: Your Rights Under GDPR, California Delete Act, and Removal Services
Individuals can submit data deletion requests to erase personal data from companies and brokers under laws like GDPR Article 17, known as the right to erasure, and California's Delete Act via the DROP platform. These requests apply in specific circumstances, such as when data is no longer needed or consent is withdrawn. For GDPR, controllers must delete data and notify third parties under Article 19. California's Delete Act, signed in 2023, introduces DROP, where consumers submit requests starting January 1, 2026, and brokers process them from August 1, 2026, checking the platform every 45 days.
Consumers benefit from centralized options like DROP for California brokers or paid services covering hundreds of sites. Businesses face obligations to process requests promptly, with GDPR fines up to €20 million or 4% of global annual turnover, and Delete Act penalties of $200 per day for late registration. DROP was approved by the California Office of Administrative Law on November 13, 2025, and went live in early 2026. This guide covers submission processes, timelines, and service comparisons to help you exercise these rights or achieve compliance.
What Are Data Deletion Requests?
Data deletion requests allow individuals to demand the removal of their personal data from organizations holding it. Under GDPR Article 17, this right to erasure applies in circumstances like when data is no longer necessary for the original purpose, consent is withdrawn, or processing lacks a legal basis (usercentrics.com). Even informal phrases like "delete my data" count as a valid Article 17 request.
GDPR Article 19 adds that controllers must notify any third-party recipients or processors to erase copies of the data. California's Delete Act creates a centralized DROP mechanism managed by the California Privacy Protection Agency (CPPA) (didomi.io). Data brokers must register annually with the CPPA, disclose collected identifiers, and honor deletion requests through DROP (beneschlaw.com). These frameworks empower consumers while imposing clear duties on businesses to act without undue delay.
GDPR Right to Erasure: How It Works in Practice
Consumers start by submitting a deletion request to the data controller, often via email, a privacy portal, or a "delete my account" feature. The controller assesses if conditions under Article 17 apply, such as withdrawn consent or inaccurate data. If approved, they erase the data and, per Article 19, inform third parties who received it to do the same.
Businesses must handle these requests without undue delay and at the latest within one month, extendable under certain conditions. Failure to comply risks fines up to €20 million or 4% of global annual turnover under Article 83(5) GDPR. Companies processing EU data should integrate automated tools to track and fulfill these obligations efficiently, ensuring third-party notifications are completed to mitigate enforcement risks.
California Delete Act and DROP Platform: 2026 Timelines
The Delete Act requires data brokers to register annually with the CPPA by January 31, facing $200 per day penalties for delays. DROP enables consumers to authenticate once and submit deletion requests to all registered brokers starting January 1, 2026 (bytebacklaw.com).
Brokers access DROP every 45 days to retrieve and process requests, beginning August 1, 2026 (onetrust.com). They must delete data, including inferences, and report status updates. DROP was approved by the California Office of Administrative Law on November 13, 2025, and went live in early 2026. Consumers gain a streamlined tool for California-focused removals, while brokers prepare systems for regular compliance checks every 45 days.
Data Removal Services: Features, Coverage, and Pricing Comparison
Data removal services scan and request deletions from numerous brokers and people-search sites, offering reports, ongoing monitoring, custom removals, and compliance tracking up to 45 days. They cover 120 to 2000+ sites, depending on the plan, providing broader reach than single-law requests. Pricing varies by plan and number of users; check providers for current details.
| Service | Coverage Sites | Pricing Examples | Key Features |
|---|---|---|---|
| Optery | 120-645+ | $3.25/mo (Core) | Reports, monitoring, custom removals, 45-day compliance |
| DeleteMe | 750+ | ~$130/yr | Reports, monitoring, custom removals, 45-day compliance |
| Incogni | Varies (brokers) | $99.48/yr | Reports, monitoring, recurring scans |
| IDX Complete | Varies | $355.32/yr (5 adults) | Reports, monitoring, family plans |
| Kanary | Hundreds | Plan-specific | Reports, monitoring, custom support |
| PrivacyHawk | Brokers-focused | Plan-specific | Reports, monitoring, app-based scans |
These services complement legal portals by targeting a wide range of sites with recurring scans and status reports (cnbc.com, pcmag.com).
Choosing the Right Approach: Consumers vs. Businesses
Consumers and businesses approach data deletion differently based on their roles.
For consumers: Use DROP for California-registered brokers starting January 2026, submitting one authenticated request for all. For wider coverage across national or international sites, opt for removal services scanning 120-2000+ locations with monitoring. Combine both for comprehensive privacy.
For businesses: If handling EU data, process GDPR Article 17 requests, notify third parties per Article 19, and prepare for fines up to €20 million or 4% turnover. Data brokers under California's Delete Act must register by January 31, access DROP every 45 days from August 2026, and delete data, including inferences. Employers and non-brokers should monitor whether their activities qualify as data brokering.
| Role | Primary Tool | Key Steps |
|---|---|---|
| Consumers | DROP (CA brokers), Services | Authenticate once; review reports |
| Businesses | Internal compliance systems | Check DROP every 45 days; notify third parties |
This framework aligns actions with legal duties and practical needs.
FAQ
How do I submit a data deletion request under GDPR?
Contact the data controller via email, form, or account settings with a clear request like "delete my data." They assess Article 17 conditions and notify third parties if approved.
When does California's DROP platform start accepting requests?
Consumers can submit via DROP starting January 1, 2026, after its early 2026 launch.
What happens if a data broker ignores a Delete Act deletion request?
Brokers must process requests from DROP, including deleting inferences and reporting status; non-compliance risks regulatory action beyond registration penalties.
How often must data brokers check DROP for requests?
Every 45 days, starting August 1, 2026.
What do data removal services like DeleteMe actually cover?
They target 750+ brokers and search sites with scans, removals, reports, and monitoring; coverage varies by plan.
Can companies face fines for mishandling deletion requests?
Yes, GDPR imposes up to €20 million or 4% of global turnover; Delete Act adds $200/day for late registration.
To proceed, identify your data holders and submit requests directly or via DROP/services. For businesses, audit processes against 2026 timelines now.