CCPA Right-to-Delete Requests: How to Process Them Correctly
How to handle CCPA deletion requests step by step. Verification tiers, the nine exceptions, service provider notifications, and response requirements.
Last updated: 2026-02-08
A Consumer Wants Their Data Deleted
"I want to know what data you have on me. And then I want you to delete it." This is the most common DSAR combination under CCPA. Here is how to process it.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.
The Two Requests Together
When a consumer asks for both access and deletion, you have two separate obligations:
- Right to Know (§ 1798.100): Disclose the personal information you hold
- Right to Delete (§ 1798.105): Delete the personal information
Process them in order: disclose first, then delete. Both share the same 45-day deadline.
Verification: The Two Tiers
CCPA's verification requirements are more prescriptive than most other frameworks.
For right-to-know (categories only): Verify to a "reasonable degree of certainty" — match at least two data points.
For right-to-know (specific pieces) or deletion: Verify to a "reasonably high degree of certainty" — match at least three data points plus a signed declaration under penalty of perjury.
The logic: deletion is irreversible, so the bar is higher. You do not want to delete the wrong person's data.
For account holders: Account authentication is sufficient for both tiers.
See our identity verification guide for methods and implementation.
Processing a Deletion Request
1. Acknowledge (Within 10 Business Days)
Confirm receipt in writing. Include your expected timeline.
2. Verify (Days 1-10)
Apply the appropriate verification tier. If the consumer cannot be verified, you may deny the deletion request, but you must still process a categories-only right-to-know request, which uses the lower verification tier.
3. Search All Systems (Days 10-20)
Find all personal information about the consumer across every system: databases, CRM, email marketing, analytics, support, cloud storage, email, spreadsheets.
4. Check Exceptions (Days 15-25)
The nine CCPA exceptions (§ 1798.105(d)):
- Completing a transaction or providing a requested service
- Detecting security incidents or protecting against fraud
- Debugging errors
- Exercising free speech or another legal right
- California Electronic Communications Privacy Act compliance
- Public-interest research (with consumer opt-in)
- Internal uses aligned with consumer expectations
- Legal obligation compliance
- Internal use compatible with the original context
If an exception applies to some data, delete the rest and explain what you retained and why.
5. Delete and Notify (Days 20-35)
- Delete from all active systems
- Direct service providers and contractors to delete (§ 1798.105(c))
- Notify third parties to whom you sold or shared the data to delete
- Verify each deletion
6. Respond (By Day 45)
Your response should confirm:
- What personal information was deleted
- Which service providers and third parties were notified
- Any data retained, with the specific exception cited
- If denied: the reason and the consumer's right to escalate
When You Cannot Verify
If the consumer fails verification for deletion (three data points + declaration), you cannot delete. But:
- Tell them why verification failed
- Offer to process a categories-only right-to-know request (lower bar: two data points)
- Suggest they resubmit with additional verification information
Do not simply ignore unverifiable requests.
Backups
Delete from all active systems. For encrypted backups:
- Document that backups may retain the data
- Ensure reasonable backup retention periods
- Do not restore deleted data from backups
Most regulators accept this approach.