In U.S. states with comprehensive privacy laws, such as California under the CCPA/CPRA, consumers can request that covered businesses delete their personal data. Businesses must confirm receipt of delete requests within 10 days, according to the California Privacy Protection Agency (CPPA). CPPA regulations became effective January 1, 2026, and the agency established a deletion mechanism by that date. These rights apply only to qualifying businesses and data types in states with such laws; no uniform federal deletion right exists. Check your state law, identify if the business is covered, and submit via their designated method.

Which States Have Data Deletion Rights?

California's CCPA/CPRA provides a right to request data deletion, backed by official CPPA guidance. As of 2025, trackers from sources like Bloomberg Law indicate around 20 states (including California, Colorado, Connecticut, Texas, Utah, and Virginia) have comprehensive privacy laws that may include deletion rights. However, official details like timelines come primarily from California sources; other states' processes vary, and deletion rights are not uniformly confirmed by official guidance in available evidence.

Rights apply to residents of these states interacting with covered businesses, typically those meeting revenue or data-handling thresholds. Not all states have equivalent laws, and details differ.

What Controls a Data Deletion Request?

State privacy laws govern deletion requests where they exist. Under California's CCPA/CPRA, per the CPPA FAQ, businesses must confirm receipt of delete requests within 10 days. CPPA regulations took effect January 1, 2026, tasking the agency with a consumer deletion mechanism by that date.

Covered businesses handle personal data of a certain volume and meet other criteria under the law. Exceptions apply to some data types, such as public records or data needed for transactions.

Aspect | California CCPA/CPRA (CPPA Guidance)
Confirmation Timeline | Within 10 days of receipt
Regulations Effective | January 1, 2026
Deletion Mechanism | Established by CPPA by January 1, 2026

What Does Not Control Data Deletion Requests?

Federal U.S. laws do not provide a general right to delete personal data from businesses. Sector-specific rules like HIPAA or FCRA address health or credit data separately and do not grant broad deletion rights.

Voluntary company privacy tools, such as account deletion options, operate under business policy, not state law mandates. States without comprehensive privacy laws lack these statutory rights.

How to Submit a Deletion Request and Next Steps

First, verify your state has a comprehensive privacy law and the business qualifies as covered. Submit the request through the business's designated channel, such as an online portal, email, or toll-free number.

Expect confirmation of receipt, for example within 10 days under California rules. Gather evidence like your request copy, account details, and any confirmation received.

If the business ignores or denies the request without valid exception, contact your state attorney general, as they handle enforcement in states with these laws.

Checklist for Submission:

FAQ

Does every U.S. state have a data deletion right?
No. Only states with comprehensive privacy laws, such as California, provide this statutory right.

What happens after I submit a request?
Businesses must confirm receipt (for example, within 10 days in California per CPPA guidance), with a full response to follow.

Are 2026 changes nationwide?
No, they apply to California CPPA regulations only.

Can companies charge for deletion requests?
Official sources do not indicate fees for valid requests.