How to Write a Data Deletion Request Letter (With Templates)

Sometimes an online opt-out form is not enough. Data brokers ignore requests, forms break or disappear, and some companies simply do not offer a self-service option for deleting your data. When that happens, a formal data deletion request letter is your most powerful tool. Backed by the right legal citation and sent through documented channels, a well-written letter compels businesses to take your request seriously -- or face regulatory consequences.

When You Need a Formal Letter

A formal data deletion request letter is appropriate in several situations:

• The company has no online opt-out form: Some data brokers and businesses only accept requests via email or postal mail
• The online form did not work: You submitted a request through their website but your data is still listed weeks or months later
• The company ignored your initial request: You received no response within the legally required timeframe
• You want a paper trail: A formal letter, especially one sent via certified mail, creates documented evidence that you made the request -- which is critical if you need to escalate to a regulator
• You are exercising rights under a specific privacy law: Citing the applicable statute in a formal letter makes it clear that the business has a legal obligation to respond

Which Law Applies to You

The legal basis for your request depends on where you live and, in some cases, where the business is located. Here are the major privacy laws you can cite:

• CCPA/CPRA (California): California Consumer Privacy Act, Section 1798.105 -- right to delete personal information. Applies to California residents
• VCDPA (Virginia): Virginia Consumer Data Protection Act -- right to delete personal data. Applies to Virginia residents
• CPA (Colorado): Colorado Privacy Act -- right to delete personal data. Applies to Colorado residents
• CTDPA (Connecticut): Connecticut Data Privacy Act -- right to delete personal data. Applies to Connecticut residents
• TDPSA (Texas): Texas Data Privacy and Security Act -- right to delete personal data. Applies to Texas residents
• RIDTPPA (Rhode Island): Rhode Island Data Transparency and Privacy Protection Act -- right to delete personal data. Effective January 1, 2026
• GDPR (European Union/UK): General Data Protection Regulation, Article 17 -- right to erasure. Applies to EU/UK residents or when an EU/UK-based company processes your data

If your state does not have a comprehensive privacy law, you may still be able to cite the federal Fair Credit Reporting Act (FCRA) if the company qualifies as a consumer reporting agency, or you can reference the company's own privacy policy, which often includes commitments to honor deletion requests.

Key Elements of an Effective Letter

Your data deletion request letter should include these essential components:

1. Identify Yourself -- But Do Not Over-Share

Provide enough information for the company to locate your records, but do not hand over more data than necessary. Typically, your full name, email address, and mailing address are sufficient. Never include your Social Security number unless the company specifically requires it to process your request, and even then, consider whether you trust the company with that information.

2. Cite the Applicable Law

Explicitly name the law under which you are making your request and reference the specific section. For example:

• "Pursuant to Section 1798.105 of the California Consumer Privacy Act (CCPA)"
• "Under Article 17 of the General Data Protection Regulation (GDPR)"
• "In accordance with the Virginia Consumer Data Protection Act (VCDPA)"

Citing the specific law signals that you know your rights and understand the company's legal obligations. Vague requests without legal citations are much easier for companies to ignore.

3. Specify What You Want Deleted

Be clear about what data you want removed. You can request deletion of all personal data the company holds about you, or you can target specific categories such as your home address, phone number, or financial information. The more specific your request, the harder it is for the company to claim confusion about what you are asking for.

4. Set a Deadline

Reference the legally mandated response timeframe. Most state privacy laws require a response within 30 to 45 days:

• CCPA: 45 days, with a possible 45-day extension
• VCDPA: 45 days, with a possible 45-day extension
• CPA: 45 days, with a possible 45-day extension
• GDPR: 30 days, with a possible 60-day extension for complex requests
• RIDTPPA: 45 days, with a possible 45-day extension

5. State the Consequences of Non-Compliance

Politely but clearly note that failure to comply may result in a complaint to the appropriate regulatory authority. This is not a threat -- it is a statement of fact about your rights under the law.

How to Send Your Letter

The method of delivery matters for creating a verifiable paper trail:

• Certified mail with return receipt: This is the gold standard. You get proof of delivery and a record of when the company received your letter. The cost is minimal and the documentation is valuable if you need to escalate
• Email with read receipt: Faster than postal mail and acceptable for most requests. Request a read receipt and save the sent email along with any delivery confirmations
• Online privacy request portals: If the company offers one, use it -- but also send a follow-up email or letter referencing your submission with the date and any confirmation number

Regardless of the method, always keep copies of everything you send and receive. Save screenshots of online submissions, confirmation emails, and postal receipts.

Following Up on Your Request

Track the deadline from the date your letter was received (not the date you sent it). If you have not received a response by the deadline:

1. Send a follow-up letter or email referencing your original request, the date it was sent, and the legal deadline that has passed
2. Check whether your data has actually been removed by searching for yourself on the site or requesting a copy of any remaining data
3. Document the company's failure to respond -- this documentation is critical for regulatory complaints

When to Escalate

If a company ignores your request or denies it without a valid legal basis, you have escalation options:

• File a complaint with your state Attorney General: Most state privacy laws are enforced by the AG's office. File a complaint through their website and include copies of all your correspondence
• File a complaint with the FTC: The Federal Trade Commission handles complaints about unfair or deceptive business practices, including data privacy violations. File at reportfraud.ftc.gov
• File a complaint with a data protection authority (GDPR): If you are in the EU or UK, file a complaint with your national data protection authority
• Consult a privacy attorney: For persistent violations involving sensitive data or significant harm, legal counsel may be worthwhile. Some state laws allow for statutory damages

Let PrivacyOn Handle It Automatically

Writing, sending, tracking, and following up on data deletion requests across dozens of data brokers is a major time commitment. And even when you succeed, many brokers re-list your data within months, requiring you to start the process all over again.

PrivacyOn automates the entire data removal process. PrivacyOn submits opt-out and deletion requests to over 100 data broker sites on your behalf, tracks responses, follows up on ignored requests, and continuously monitors for re-listings. Instead of spending hours drafting letters and tracking deadlines, you can let PrivacyOn handle it -- starting at just $8.33 per month.

Whether you choose to write letters yourself or use an automated service, the important thing is to exercise your rights. Your personal data belongs to you, and the law is increasingly on your side.