California Privacy Rights: How to Use CCPA to Delete Your Data

If you're a California resident, you have some of the strongest privacy rights in the United States thanks to the California Consumer Privacy Act (CCPA) and its expansion, the California Privacy Rights Act (CPRA). These laws give you real power to find out what companies know about you and demand they delete it.

But having rights and exercising them are two different things. This guide walks you through exactly how to use CCPA to take control of your personal data—including template letters you can send today.

What Is CCPA/CPRA?

The California Consumer Privacy Act (CCPA), effective January 2020, and the California Privacy Rights Act (CPRA), which strengthened it in 2023, give California residents specific rights over their personal information.

Who's Covered?

You're covered if you:

• Are a California resident (regardless of where you're physically located at the moment)
• Interact with businesses that meet certain thresholds

Businesses must comply if they:

• Have gross annual revenue over $25 million, OR
• Buy, sell, or share personal information of 100,000+ consumers/households annually, OR
• Derive 50%+ of revenue from selling/sharing personal information

This covers most major companies, data brokers, and people search sites you'd want to target.

Your Rights Under CCPA/CPRA

Right to Know (Access)

You can request that a business disclose:

• Categories of personal information collected
• Specific pieces of personal information held about you
• Sources of the information
• Business purposes for collection
• Third parties the information was shared with

Right to Delete

You can request deletion of personal information collected about you. Businesses must delete it and direct service providers to delete it too.

Right to Correct

Added by CPRA, you can request correction of inaccurate personal information.

Right to Opt-Out

You can tell businesses not to sell or share your personal information.

Right to Limit Use of Sensitive Personal Information

You can limit how businesses use sensitive data like precise geolocation, race, health information, or financial data.

Right to Non-Discrimination

Businesses cannot penalize you for exercising these rights (no worse prices or service).

How to Exercise Your Right to Delete

Here's a practical, step-by-step process for requesting deletion of your data:

Step 1: Identify Who Has Your Data

Before sending requests, identify which companies to target. Common categories include:

Data Brokers and People Search Sites

• Acxiom, Experian, Oracle Data Cloud
• Whitepages, Spokeo, BeenVerified
• LexisNexis, Epsilon

Companies You've Done Business With

• Retailers (online and offline)
• Service providers
• Subscription services

Advertisers and Marketing Companies

• Companies that have sent you marketing
• Ad tech companies

PrivacyScan helps with this step by identifying 200+ data broker sites that have your information, so you know exactly who to target with CCPA requests.

Step 2: Find the Company's CCPA Contact

Companies are required to provide a way for consumers to submit CCPA requests. Look for:

• A "Do Not Sell My Personal Information" link (usually in the website footer)
• A "Privacy" or "Your Privacy Rights" link
• A specific CCPA request form
• A privacy email address (often privacy@company.com)

For data brokers specifically, California maintains a Data Broker Registry at https://oag.ca.gov/data-brokers where registered data brokers must be listed.

Step 3: Submit Your Request

You can submit CCPA requests through:

• Online forms — The easiest method when available
• Email — To the privacy contact address
• Mail — For companies without online options
• Phone — Some companies offer toll-free numbers

When submitting, you'll need to:

• Identify yourself (enough that they can verify your identity)
• Specify that this is a CCPA request
• State clearly what you're requesting (deletion, access, opt-out, etc.)

Step 4: Verify Your Identity

Companies must verify you are who you claim to be before deleting data. Common verification methods:

• Matching information you provide against what they have
• Confirming your email address
• Answering security questions
• Providing documentation (for sensitive requests)

Companies can't require you to create an account just to submit a CCPA request.

Step 5: Track and Follow Up

• Companies must respond within 45 days (can be extended once by 45 more days with notice)
• Keep records of your requests and any responses
• Follow up if you don't receive a response

Template CCPA Deletion Request Letters

Here are templates you can use for different scenarios:

Template 1: General Deletion Request (Email)

Subject: CCPA Deletion Request

To Whom It May Concern:

Pursuant to the California Consumer Privacy Act (Civil Code Section 1798.105), I am requesting deletion of all personal information you have collected about me.

My identifying information:
- Full Name: [Your Full Name]
- Email Address: [Your Email]
- Mailing Address: [Your Address]
- Phone Number: [Your Phone Number, if applicable]

I am a California resident and am exercising my right to deletion under CCPA. Please delete all personal information collected about me and direct any service providers to do the same.

Please confirm within 45 days that my personal information has been deleted.

Sincerely,
[Your Name]
Date: [Current Date]

Template 2: Data Broker Deletion Request

Subject: CCPA Deletion Request - California Resident

To the Privacy Department:

I am a California resident exercising my rights under the California Consumer Privacy Act (CCPA), Cal. Civil Code § 1798.100 et seq.

I am requesting that you:
1. Delete all personal information you have collected about me
2. Direct any service providers and contractors to delete my information
3. Confirm deletion within the required 45-day period

My Information for Verification:
Full Name: [Your Name]
Date of Birth: [Your DOB]
Current Address: [Your Current Address]
Previous Addresses: [List any that may be in their database]
Email Addresses: [Your Email(s)]
Phone Numbers: [Your Phone(s)]

I am also exercising my right to opt out of the sale or sharing of my personal information under Civil Code Section 1798.120.

Please acknowledge receipt of this request and provide written confirmation when deletion is complete.

Sincerely,
[Your Name]
[Date]

Template 3: Escalation Letter (When Initial Request Is Ignored)

Subject: Second CCPA Deletion Request - Non-Response to Initial Request

To Whom It May Concern:

On [Date of Original Request], I submitted a CCPA deletion request via [email/form/mail]. More than 45 days have passed without a response, which is a violation of the California Consumer Privacy Act.

I am resubmitting my request and requesting immediate action:

[Include original request details]

Please be aware that failure to respond to CCPA requests within the required timeframe may be enforced by the California Privacy Protection Agency and may result in penalties of up to $7,500 per intentional violation.

I expect a response within 10 business days confirming either:
1. Deletion of my personal information, or
2. A valid exemption under CCPA for retaining my information

Sincerely,
[Your Name]
[Date]

Companies Cannot Always Refuse

Companies must honor your deletion request with limited exceptions. They may retain information only if needed to:

• Complete a transaction you requested
• Provide goods or services you requested
• Perform a contract with you
• Detect security incidents
• Protect against illegal activity
• Debug/repair functionality
• Exercise free speech rights
• Comply with legal obligations
• Conduct research in the public interest (with safeguards)

Important: Data brokers who simply sell your information generally cannot claim these exemptions. Your deletion request should be honored.

What If a Company Ignores You?

If a company doesn't respond within 45 days (or 90 days with notice of extension):

1. Send a follow-up request with documentation of your original request
2. File a complaint with the California Privacy Protection Agency at cppa.ca.gov
3. Document everything — Companies face penalties of $2,500 per unintentional violation and $7,500 per intentional violation
4. Consider legal action — For certain violations, you may have a private right of action

Practical Tips for Success

Be Systematic

Don't send one request and forget about it. Create a tracking spreadsheet:

• Company name
• Date of request
• Method of submission
• Response received
• Date completed
• Notes

Start with Data Brokers

Data brokers are the root source. If you remove your information from data brokers, it will eventually stop propagating to other sites. Priority targets:

1. Major data brokers (Acxiom, Experian Marketing, Oracle Data Cloud)
2. People search aggregators (Spokeo, BeenVerified, Whitepages)
3. Companies that have sent you marketing

Use Data Broker Registry

California requires data brokers to register. The registry at oag.ca.gov/data-brokers lists registered brokers and often includes links to their opt-out mechanisms.

Combine with Direct Opt-Outs

While CCPA gives you legal rights, many sites have simpler opt-out processes. For people search sites, direct opt-outs are often faster than formal CCPA requests.

PrivacyScan identifies both approaches—showing you where your information appears and providing the most efficient removal method for each site, whether that's a direct opt-out or a CCPA request.

Beyond Deletion: Opt-Out of Sale

CCPA also lets you tell businesses not to sell or share your personal information going forward. Look for "Do Not Sell or Share My Personal Information" links on websites. Clicking these should trigger an opt-out.

The Global Privacy Control (GPC) is a browser setting that automatically sends opt-out signals to every website you visit. Businesses must honor GPC signals under California law. Consider enabling it:

• Firefox: Built-in setting
• Chrome: Requires extension (DuckDuckGo Privacy Essentials, etc.)
• Brave: Built-in support

The Scale of the Problem

Here's the challenge: there are hundreds of data brokers and thousands of companies that may have your information. Sending individual CCPA requests to each one is theoretically possible but practically exhausting.

A strategic approach:

1. Know where you're exposed — A privacy scan shows you which sites actually have your data
2. Prioritize high-impact targets — Start with data brokers and people search sites
3. Use the fastest removal method — Sometimes that's direct opt-out, sometimes CCPA

Get Started Today

California law gives you powerful tools to take back your privacy. The key is knowing where to direct your efforts.

PrivacyScan gives you that knowledge. We identify where your personal information appears across 200+ data broker sites—including which ones are required to honor CCPA requests—and provide step-by-step removal instructions for each.

Instead of blindly sending requests, you get a targeted action plan. Instead of missing data brokers, you see every site that has your information.

Your privacy rights are only as powerful as your ability to exercise them. Let's put CCPA to work for you.

Get your PrivacyScan report and start reclaiming your data today.