Responding to US Deletion Requests: State-by-State DSAR Guide

How to handle deletion requests under US state privacy laws. Response deadlines, verification requirements, exceptions, and a unified process for multi-state compliance.

Last updated: 2026-02-08

A Customer Asks You to Delete Their Data

You received a deletion request from a US consumer. Maybe it cites CCPA, maybe a state law, maybe it just says "delete my data." This guide covers how to process these requests across all US state privacy laws.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.

Deadlines by State

Most US state privacy laws give you 45 calendar days. California also requires a 10-business-day acknowledgment.

State | Acknowledgment | Response Deadline | Extension
California (CCPA/CPRA) | 10 business days | 45 calendar days | +45 days if reasonably necessary
Virginia (VCDPA) | Not specified | 45 calendar days | +45 days for complex requests
Colorado (CPA) | Not specified | 45 calendar days | +45 days
Connecticut (CTDPA) | Not specified | 45 calendar days | +45 days
Texas (TDPSA) | Not specified | 45 calendar days | +45 days
Oregon (OCPA) | Not specified | 45 calendar days | +45 days
All other state laws | Not specified | 45 calendar days | +45 days

If you also handle GDPR requests, note that GDPR's deadline is shorter: 30 calendar days. Building your process around 30 days covers all frameworks. See our DSAR response deadlines guide for the full breakdown.

Step-by-Step: Processing a US Deletion Request

1. Log and Acknowledge

Record the date, requester identity, and what they want deleted. If the requester is a California resident, acknowledge receipt within 10 business days.

2. Verify Identity

US state laws require "reasonable" verification. The level depends on the data sensitivity:

  • Account-based requests: Account authentication is sufficient
  • Non-account requests, non-sensitive data: Match at least two data points (name + email, or name + account number)
  • Sensitive data: Match at least three data points plus a signed declaration under penalty of perjury (CCPA standard)

Do not use verification as a barrier. See our identity verification guide.

3. Check Exceptions

CCPA provides nine exceptions — broader than GDPR's five:

  • Completing a transaction or providing a requested service
  • Detecting security incidents or protecting against fraud
  • Debugging errors
  • Free speech or another right provided by law
  • Complying with the California Electronic Communications Privacy Act
  • Scientific, historical, or statistical research in the public interest
  • Internal uses reasonably aligned with consumer expectations
  • Complying with a legal obligation
  • Internal use compatible with the context in which the data was provided

Other state laws have similar exception lists. If an exception applies, document it specifically.

4. Execute Deletion

Delete from all systems: databases, CRM, email marketing, analytics, customer support, cloud storage, spreadsheets, and local copies.

Under CPRA, you must also:

  • Direct service providers and contractors to delete
  • Notify third parties to whom you sold or shared the information

5. Respond

Confirm in writing what was deleted, from which systems, and which third parties were notified. If you retained any data, cite the specific exception.

Multi-State Compliance

If you operate in multiple states, build one process that satisfies the strictest requirements:

  • Acknowledge within 10 business days (California requirement, good practice everywhere)
  • Respond within 45 calendar days (universal across all state laws)
  • Verify to the CCPA standard (most prescriptive)
  • Push deletion to third parties (CPRA requirement, increasingly standard)
  • Document everything (protects you under all frameworks)

Common Mistakes

  • Ignoring requests that don't cite a specific law — "delete my data" is a valid request regardless of whether they name CCPA
  • Requiring consumers to explain why — unlike GDPR, US state laws do not require consumers to cite a ground for deletion
  • Over-verifying — demanding excessive identity proof to discourage requests can itself be a violation
  • Missing the acknowledgment deadline — California's 10-business-day acknowledgment is separate from the 45-day response deadline
  • Forgetting downstream deletion — under CPRA, you must direct service providers and third parties to delete too
