Compliance Glossary

What is Right to Delete?

Definition

The right to delete under CCPA/CPRA allows California consumers to request that a business delete any personal information it has collected about them. Businesses must comply within 45 days, with limited exceptions for legal obligations, security, and completing transactions.

In Depth

The right to delete is one of the most operationally challenging CCPA requirements because it requires organizations to identify and remove personal information across all systems, databases, backups, and third-party service providers. When a consumer submits a deletion request, the business must delete the information from its own records, direct its service providers and contractors to delete the information, and notify any third parties to whom the data was sold or shared. CPRA expanded this by requiring businesses to notify all third parties who received the data.

There are several exceptions: businesses may retain data necessary to complete a transaction, detect security incidents, comply with legal obligations, exercise free speech, conduct research in the public interest, or enable internal uses aligned with consumer expectations.

Organizations should implement automated workflows for processing deletion requests at scale, maintain a data map showing where personal information resides, and establish clear criteria for evaluating exception applicability. The 45-day response window can be extended by an additional 45 days if reasonably necessary, but the consumer must be notified of the extension.
