California Privacy Law Delete Data: What Businesses Must Do When a Consumer Asks in 2026
People searching california privacy law delete data usually want a simple answer: yes, Californians can ask a business to delete personal information it collected from them, but the hard part is operational. The company has to intake the request, verify it, route it to the right systems and vendors, apply any lawful exception carefully, and answer on time.

If you need the broader backdrop first, start with our guides to California consumer privacy, CCPA who does it apply to, and the California Data Privacy Protection Act. This piece is narrower: what your team should do when a deletion request actually lands.
California privacy law delete data: what the right covers
Under California Civil Code section 1798.105, a consumer can request that a business delete personal information it collected from that consumer. The same section also requires the business to notify service providers, contractors, and certain third parties to delete the data too, unless an exception or disproportionate-effort limit applies.
The California Privacy Protection Agency FAQ says businesses generally must confirm receipt within 10 business days and respond within 45 calendar days, with one extra 45-day extension if the consumer is told in time. That makes california privacy law delete data less of a policy-page issue and more of an operating-model issue.
What a business should do when a request arrives
A defensible response usually comes down to five steps.
1. Capture the request through a real intake channel
The CPPA FAQ says businesses generally need at least two methods for consumers to submit requests to know, correct, or delete personal information, while online-only businesses can offer an email address. The practical takeaway is simple: if consumers have to guess where to send a deletion request, the process is already weak.
2. Verify the consumer or authorized agent
Verification needs to be strong enough to avoid deleting the wrong record and simple enough that the right is still usable. California law and regulations expect businesses to facilitate authorized-agent requests and avoid making the process needlessly difficult. In practice, that means matching verification to the risk of the request, not applying the same friction to every case.
3. Check whether a narrow exception applies
Deletion is not absolute. Section 1798.105 lists exceptions that can justify retention in specific cases, including completing a transaction, detecting security incidents, complying with a legal obligation, or supporting certain internal uses aligned with consumer expectations. The common mistake is treating those exceptions like a blanket shield. They work best when applied record by record and purpose by purpose.
4. Push the request past the front-end system
This is where many programs wobble. A deletion request has to reach the CRM, support platform, analytics exports, ad-tech audiences, warehouse tables, and relevant vendors. If one system quietly keeps the record alive, your consumer response and your evidence trail both start to fall apart.
5. Close the loop with proof
You want a dated log showing when the request came in, how it was verified, which systems were searched, what was deleted, what was retained under exception, and when the response went out. That record matters when a consumer follows up later or a regulator asks how the process actually works.
The 2026 pressure point: California’s DROP system raises the bar
The most concrete 2026 development sits with data brokers. The CPPA data brokers page says that, under the Delete Act, beginning August 1, 2026, data brokers must access the Delete Request and Opt-Out Platform (DROP) at least once every 45 days and process consumer deletion requests, subject to limited exceptions.
That requirement matters because it turns deletion from a scattered broker-by-broker chase into a scheduled workflow. Attorney General Rob Bonta described the tool as a way to “take back control over your data,” and CPPA Executive Director Tom Kemp called DROP a “groundbreaking revolution in privacy rights” when the agency opened public comment on the rules. Those quotes are short, but they capture the direction of travel: California is pushing for deletion rights that work at scale, not only on paper.
Even if your company is not a registered data broker, this still matters. It is a strong signal that California expects fewer dead ends, fewer manual excuses, and better system-level follow-through when people ask to delete their information.

A practical workflow to tighten this quarter
If I were reviewing a program this week, I would start with five checks:
- Acknowledge requests quickly. If your team is missing the 10-business-day confirmation window, fix intake first.
- Map deletion to systems, not departments. Privacy teams do not delete data. Systems do.
- Create an exception matrix. Define which records can be retained for legal, security, or transaction-completion reasons and who signs off.
- Include vendors in the workflow. Your contract language should match your actual deletion path.
- Test the evidence trail. Pick one closed request and see whether you can reconstruct it cleanly.
That work is less flashy than banner design, but it is the part buyers, auditors, and regulators care about once the conversation gets real.
The bottom line
When someone on your team searches for california privacy law delete data, the real question is whether your company can turn a legal right into a clean process. In 2026, that means timely intake, proportionate verification, careful use of exceptions, vendor follow-through, and proof that the request actually changed the data environment.
That is what holds up when the request is real.
Sources
- California Privacy Protection Agency FAQ
- California Privacy Protection Agency Data Brokers page
- California Privacy Protection Agency announcement on DROP regulations
- California Department of Justice press release on the DELETE tool
- California Legislative Information