How to File a CCPA Data Deletion Request in 2026

The California Consumer Privacy Act (CCPA) gives California residents the legal right to demand that businesses delete their personal information. Whether a company collected your data through a purchase, website visit, or third-party data broker, you can submit a formal deletion request and the business must comply within 45 days. In 2026, a powerful new tool called DROP makes this process easier than ever. Here is everything you need to know about filing a CCPA data deletion request.

What the CCPA Right to Delete Actually Means

Under the CCPA (as amended by the California Privacy Rights Act, or CPRA), any California resident can request that a covered business delete the personal information it has collected about them. This includes data like your name, home address, email, phone number, browsing history, purchase records, geolocation data, and more.

When you submit a valid deletion request, the business must:

• Delete your personal information from its records
• Direct any service providers or contractors to delete your data as well
• Respond to your request within 45 calendar days
• Notify you if an extension is needed (an additional 45 days is allowed with written notice)

The business cannot charge you a fee for making a deletion request, and it cannot discriminate against you for exercising this right — meaning it cannot deny you service, charge you more, or provide a lesser experience because you asked for deletion.

Who Can File a CCPA Deletion Request?

To file a CCPA deletion request, you must be a California resident. The law applies regardless of whether the business is headquartered in California. Covered businesses include those with annual gross revenue over $25 million, those that buy or sell the personal information of 100,000+ consumers per year, or those that derive 50% or more of revenue from selling personal information.

How to File a CCPA Deletion Request: Step by Step

Step 1: Identify the Business

Determine which company holds the personal data you want deleted. This could be a retailer, social media platform, data broker, app developer, or any other business that has collected your information.

Step 2: Find the Company's Request Method

Under the CCPA, businesses must offer at least two methods for consumers to submit deletion requests. Common methods include:

• An online form or web portal (often linked from the privacy policy)
• A toll-free phone number
• An email address dedicated to privacy requests

To find the right method, look for links labeled "Your California Privacy Rights", "Do Not Sell or Share My Personal Information", or "Privacy Choices" in the company's website footer or within its privacy policy. Most large companies now include a dedicated privacy rights page.

Step 3: Submit Your Request and Verify Your Identity

Provide the information the business needs to verify your identity and locate your records — typically your name, email address, and any account details. State clearly that you are exercising your right to delete personal information under the CCPA. The business will verify your identity, which may involve confirming your email, answering security questions, or providing additional information. They cannot make verification so burdensome that it discourages you from completing the request.

Step 4: Wait for the Response

The business has 45 calendar days to respond. They can extend this by an additional 45 days with written notice, making the maximum response time 90 days. If the business denies your request, they must explain why. If you believe the denial is unjustified, you can file a complaint with the California Privacy Protection Agency (CPPA) or the California Attorney General's office.

Using an Authorized Agent

You do not have to file the request yourself. The CCPA allows you to designate an authorized agent to submit deletion requests on your behalf. An authorized agent can be:

• An individual you have authorized in writing
• A business entity registered with the California Secretary of State

If you use an authorized agent, the business may still require you to verify your identity directly and confirm that you authorized the agent. Data removal services like PrivacyOn effectively function as authorized agents, submitting opt-out and deletion requests across 100+ data brokers on your behalf — saving you the time of contacting each one individually.

The DROP Platform: California's New One-Stop Deletion Tool

One of the most significant developments in consumer privacy in 2026 is the launch of DROP — the Delete Request and Opt-Out Platform. Mandated by California's DELETE Act (SB 362) and operated by the California Privacy Protection Agency, DROP went live on January 1, 2026.

DROP allows California residents to submit a single deletion request that is sent to every data broker registered in the state. Instead of contacting dozens or hundreds of data brokers individually, you submit one request through DROP and it reaches all of them.

How DROP Works

1. Verify your identity through California's identity gateway (CalIdentity)
2. Submit your personal information for deletion: name, address, email, phone number, date of birth, and optionally your mobile advertising ID
3. DROP immediately hashes your information — it is converted into an encrypted format so your raw data is not stored on the platform
4. Your request is sent to all registered data brokers in California's registry
5. Data brokers must process your request — starting August 1, 2026, registered data brokers are required to access and process DROP requests every 45 days

DROP Limitations to Understand

While DROP is a powerful new tool, it has important limitations:

• California residents only. You must be a California resident to use DROP. Non-Californians cannot submit requests through the platform.
• Registered data brokers only. DROP only reaches data brokers that are registered with the CPPA. While California law requires registration, not every broker complies, and many operate outside California's jurisdiction.
• No coverage for non-broker businesses. DROP targets data brokers specifically. It does not cover retailers, social media companies, or other businesses that collect your data directly — you still need to contact those individually.
• Compliance timeline. The requirement for data brokers to check DROP every 45 days does not take effect until August 1, 2026. Until then, processing times may be inconsistent.
• No dark web coverage. DROP addresses data broker listings but does not monitor or remove your information from dark web marketplaces or breach databases.

When a Business Can Deny Your Deletion Request

The CCPA includes several exceptions where a business may refuse to delete your personal information. A business can deny your request if the data is necessary to:

• Complete a transaction or provide a service you requested
• Detect security incidents or protect against fraud
• Debug or repair functionality
• Exercise free speech or another legal right
• Comply with a legal obligation
• Conduct research in the public interest (with your consent)
• Enable solely internal uses reasonably aligned with your expectations

If a business denies your request, it must explain the legal basis for the denial. The business must still delete any portion of your data that does not fall under an exception.

Beyond CCPA: Comprehensive Data Removal

Filing CCPA requests and using DROP are important steps, but they only cover part of the picture. Your personal information lives on data broker sites nationwide, many of which are not registered in California and are not reachable through DROP. Data reappears regularly as brokers rebuild profiles from public records, commercial databases, and scraped sources.

For ongoing, comprehensive protection, a dedicated data removal service handles the work that manual requests and DROP cannot. PrivacyOn removes your personal information from 100+ data broker sites across the country, provides dark web monitoring to alert you when your data appears in breach databases, and runs 24/7 continuous monitoring to catch and re-remove data as it reappears. Family plans cover up to 5 people starting at just $8.33 per month.

The CCPA gives you the legal right to demand deletion. DROP gives you a streamlined tool to reach California-registered brokers. And PrivacyOn gives you the persistent, automated protection that keeps your data off broker sites month after month — so you do not have to keep filing requests yourself.