How do I delete my data from a US company?

Most large businesses have a dedicated privacy-request portal because the CCPA + the 19 other state laws have made this routine compliance work. Use the portal first; fall back to written request when the portal is missing or broken.Find the business's privacy request portal. Most have a 'Do Not Sell or Share My Personal Information' link in the website footer and a 'Privacy Choices' or 'Manage My Data' page. Both are CCPA-required for businesses that meet the state thresholds (commonly: $25M+ revenue, OR 100,000+ consumers' data, OR 50%+ revenue from selling consumer data).Submit a Right to Delete request. Provide the verification info the portal asks for — usually email, name, and proof of identity proportionate to the sensitivity of the data. The business may push back on overly-broad requests but cannot reject a verified, narrowly-scoped deletion.Track the 45-day response. Under Cal. Civ. Code § 1798.130(a)(2), the business has 45 days from receipt; it can extend once for another 45 days with written notice explaining the extension. Total maximum: 90 days.If the business denies, escalate. California: file a complaint with the California Privacy Protection Agency (CPPA) at cppa.ca.gov or the California Attorney General. Other states: the state Attorney General is generally the enforcement authority. The CCPA private right of action is currently limited to data-breach litigation, not general DSAR refusals.For under-13 data, use COPPA. File the request with the operator's COPPA contact (15 U.S.C. § 6502 requires the privacy notice to designate one). Operators must delete on parent request under § 6502(b)(1)(B)(ii).For data brokers specifically, register on the Data Broker registries. California maintains a registry of data brokers at the CPPA; opt-out tools like the DeleteMe service (paid) and the free Privacy Rights Clearinghouse list maintain bulk-opt-out workflows.

What should you NOT do about making a data deletion request under us state privacy laws?

Don't pay services that 'guarantee' deletion. No service can guarantee deletion across the entire data-broker ecosystem; the statutory route is free.Don't expect data already shared with third parties to disappear. The CCPA's deletion right reaches the business and its service providers, but data already sold to or independently collected by third parties is reachable only through separate requests to each.Don't combine your verification with new data collection. Some portals ask for ID copies or sensitive data 'to verify.' Submit only what's strictly necessary for identity matching — proportionality is in the CCPA verification regs.Don't let the 45-day clock slip. If day 46 arrives with no response and no extension notice, that is itself a CCPA violation enforceable by the CPPA / state AG.

Making a Data Deletion Request Under US State Privacy Laws

Researched by A. R. Alsaedi, Head Researcher

Primary sources cited; not legal advice.

Source: California Consumer Privacy Act, Cal. Civ. Code § 1798.105 (right to delete) + § 1798.130 (business response within 45 days, extendable once by 45 days); equivalent provisions in VCDPA (VA), CPA (CO), CTDPA (CT), UCPA (UT), and 14 other state privacy laws.

About this article

Sourced from primary statutes (U.S. Code, CFR, state compiled statutes) and official government agency guidance. Written in plain language for general understanding — this is educational content, not legal advice. Our editorial standards

Federal Law

What is this right?

Under California's CCPA / CPRA and the growing roster of state comprehensive privacy laws, US consumers can require a business to delete the personal information it has collected from them. The CCPA also provides the right to know what's been collected, the right to correct inaccuracies, and the right to opt out of the sale or sharing of personal information. Businesses must respond to a verifiable deletion request within 45 days, extendable once by another 45 days with notice — total maximum 90 days under Cal. Civ. Code § 1798.130.

As of 2026, 20 US states have enacted comprehensive privacy laws (with Florida's narrower-scope law counted separately by some sources): California (CCPA/CPRA), Colorado (CPA), Connecticut (CTDPA), Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah (UCPA), Virginia (VCDPA), and Washington. Each has its own threshold, scope, and procedural detail — the CCPA is the model most other state laws follow.

When does it apply?

You are a resident of a US state with a comprehensive privacy law (or of any state, where the business has voluntarily extended CCPA-style rights nationwide).
A business has collected personal information about you — through a website, app, purchase, sign-up, or third-party data broker.
You want to delete the data, see what's been collected, correct what's wrong, or opt out of its sale / sharing for targeted advertising.
You are filing on behalf of a child under 13 — COPPA gives parents the right to demand deletion regardless of state.

Submitting a Verified Data Deletion Request Under State Privacy Law

Most large businesses have a dedicated privacy-request portal because the CCPA + the 19 other state laws have made this routine compliance work. Use the portal first; fall back to written request when the portal is missing or broken.

Find the business's privacy request portal. Most have a 'Do Not Sell or Share My Personal Information' link in the website footer and a 'Privacy Choices' or 'Manage My Data' page. Both are CCPA-required for businesses that meet the state thresholds (commonly: $25M+ revenue, OR 100,000+ consumers' data, OR 50%+ revenue from selling consumer data).
Submit a Right to Delete request. Provide the verification info the portal asks for — usually email, name, and proof of identity proportionate to the sensitivity of the data. The business may push back on overly-broad requests but cannot reject a verified, narrowly-scoped deletion.
Track the 45-day response. Under Cal. Civ. Code § 1798.130(a)(2), the business has 45 days from receipt; it can extend once for another 45 days with written notice explaining the extension. Total maximum: 90 days.
If the business denies, escalate. California: file a complaint with the California Privacy Protection Agency (CPPA) at cppa.ca.gov or the California Attorney General. Other states: the state Attorney General is generally the enforcement authority. The CCPA private right of action is currently limited to data-breach litigation, not general DSAR refusals.
For under-13 data, use COPPA. File the request with the operator's COPPA contact (15 U.S.C. § 6502 requires the privacy notice to designate one). Operators must delete on parent request under § 6502(b)(1)(B)(ii).
For data brokers specifically, register on the Data Broker registries. California maintains a registry of data brokers at the CPPA; opt-out tools like the DeleteMe service (paid) and the free Privacy Rights Clearinghouse list maintain bulk-opt-out workflows.

What should you NOT do?

Don't pay services that 'guarantee' deletion. No service can guarantee deletion across the entire data-broker ecosystem; the statutory route is free.
Don't expect data already shared with third parties to disappear. The CCPA's deletion right reaches the business and its service providers, but data already sold to or independently collected by third parties is reachable only through separate requests to each.
Don't combine your verification with new data collection. Some portals ask for ID copies or sensitive data 'to verify.' Submit only what's strictly necessary for identity matching — proportionality is in the CCPA verification regs.
Don't let the 45-day clock slip. If day 46 arrives with no response and no extension notice, that is itself a CCPA violation enforceable by the CPPA / state AG.

Common Questions

Which US states have a comprehensive privacy law?

As of 2026, twenty states have enacted comprehensive consumer-privacy laws: California (CCPA/CPRA), Colorado (CPA), Connecticut (CTDPA), Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah (UCPA), Virginia (VCDPA), and Washington. Florida has a narrower-scope law that some sources count separately. Each state has its own thresholds (the CCPA uses $25M revenue / 100,000 consumers / 50% data revenue) and slightly different procedural rules. The CCPA is the model most state laws follow.

Is there a federal comprehensive privacy law?

No. The closest federal sectoral laws are COPPA (under-13 children), HIPAA (health information), GLBA (financial institutions), and the FCRA (credit reporting). The American Privacy Rights Act has been introduced in Congress but not enacted as of 2025.

What's the difference between deleting and opting out?

Deletion removes existing data; opt-out stops future sale or sharing. Most state privacy laws give you both rights separately. Submit both for a complete reset — deletion first, then opt-out, so the business doesn't re-acquire and re-sell the same data immediately.

What if I'm not in a state with a privacy law?

Many large businesses voluntarily extend CCPA-style rights nationwide because building two separate systems is more expensive than one. Use the same portal — if the business refuses, your enforcement options are weaker, but federal sectoral laws (COPPA, HIPAA, GLBA, FCRA) may still apply depending on the data type.

Legal Resources

We may earn a commission if you use these services — at no extra cost to you. This supports our mission to make legal information free for everyone.

LawDepotCreate, edit, and print legal documents in minutes. Lawyer-reviewed templates for every situation.Create Legal Documents →LegalNatureAttorney-drafted legal documents customized to your state. Create, download, and print in minutes.Create Documents →LegalZoomAffordable legal documents and attorney consultations. File complaints, demand letters, and more.Visit LegalZoom →