What the CCPA Actually Gives You

The California Consumer Privacy Act (CCPA), as strengthened by the California Privacy Rights Act (CPRA) that took full effect in 2023, is the most powerful data privacy law available to U.S. residents. It gives California consumers a specific set of enforceable rights over their personal data, and data brokers are squarely within its scope.

Here is what the law provides:

Right to Delete (Section 1798.105)

You can request that any business delete the personal information it has collected about you. The business must comply and must also direct its service providers and contractors to delete your data. There are limited exceptions (such as completing a transaction you initiated, detecting security incidents, or complying with a legal obligation), but data brokers rarely qualify for these exceptions when they are simply aggregating and reselling your information.

Right to Know (Section 1798.110)

You can request that a business disclose exactly what personal information it has collected about you, the sources it came from, the business purpose for collecting it, and the categories of third parties it has been shared with. This right is powerful because it forces transparency: you can learn whether a broker has your name, address, phone number, relatives, and financial data before you request deletion.

Right to Opt Out of Sale (Section 1798.120)

You can direct a business to stop selling your personal information. Under the CPRA amendment, this also includes "sharing" your data for cross-context behavioral advertising. For data brokers, whose entire business model is selling personal data, this right is particularly significant.

Right to Correct (Section 1798.106, added by CPRA)

You can request that a business correct inaccurate personal information it holds about you. This is useful when a broker has outdated addresses, wrong phone numbers, or incorrect associations with relatives or criminal records.

Right to Limit Use of Sensitive Information (Section 1798.121, added by CPRA)

You can direct a business to limit its use of sensitive personal information (including Social Security numbers, precise geolocation, race, ethnicity, and health data) to what is necessary to provide the service.

Who Must Comply with the CCPA

The CCPA applies to for-profit businesses that do business in California and meet any one of these thresholds:

Annual gross revenue exceeding $25 million
Buy, sell, or share the personal information of 100,000 or more California residents, households, or devices per year
Derive 50% or more of annual revenue from selling or sharing personal information

Most major data brokers -- including Spokeo, BeenVerified, Radaris, Acxiom, Epsilon, LexisNexis, CoreLogic, Oracle Data Cloud, and Nielsen -- easily meet these thresholds. California law also requires data brokers to register with the California Privacy Protection Agency, and as of 2026, over 500 data brokers are registered.

Importantly, the CCPA applies based on where the consumer resides, not where the business is located. If you are a California resident, a data broker in Virginia or New York must comply with your CCPA request.

How to Submit a CCPA Data Deletion Request: Step by Step

Step 1: Identify Which Brokers Have Your Data

Before submitting deletion requests, you need to know who has your data. You can:

Search your name on major people-search sites (Spokeo, WhitePages, BeenVerified, TruePeopleSearch, Radaris)
Check California's data broker registry at cppa.ca.gov for a list of registered brokers
Run a privacy scan with a service like GhostMyData to identify all brokers that have your information across 150+ sites simultaneously

Step 2: Locate the Broker's Privacy Contact

Every CCPA-covered business must provide at least one method for submitting requests. Look for:

A "Do Not Sell My Personal Information" link on their website (required by law)
A privacy@ or optout@ email address in their privacy policy
An online request form, often found in the "Privacy" or "Your Privacy Choices" section
A toll-free phone number for privacy requests

Step 3: Submit Your Request

You can submit a CCPA deletion request by email, through an online form, or by phone. Email is generally the most effective method because it creates a written record with a timestamp.

Step 4: Provide Verification Information

The business is allowed to verify your identity before processing your request. Typically they will ask you to confirm:

Your full name
Your email address
Your mailing address or the address they have on file
Sometimes, the last four digits of your phone number

You are not required to create an account with the business to submit a request, and the business cannot require you to do so.

Step 5: Track the 45-Day Response Window

Under the CCPA, the business must respond to your request within 45 calendar days of receiving it. They may extend this by an additional 45 days (90 days total) if they notify you of the extension and the reason for it. During this period, they must either:

Confirm that they have deleted your data
Explain which specific exemption prevents deletion
Request additional verification information

CCPA Deletion Request Email Template

Here is a template you can send directly to a data broker's privacy email address:

---

Subject: Data Deletion Request -- [Your Full Name]

To Whom It May Concern:

I am a California resident and I am exercising my right to deletion under the California Consumer Privacy Act (Cal. Civ. Code Section 1798.105) and the California Privacy Rights Act.

I request that you delete all personal information you have collected about me, and that you direct any service providers or contractors to delete my personal information as well.

My identifying information:

Full Name: [Your full legal name]
Address: [Your current or most recent address]
Email: [Your email address]
Phone: [Your phone number, if applicable]

Please confirm deletion within 45 days as required by law. If you cannot complete this request, please provide a specific explanation of the legal exemption you are relying on.

Thank you.

[Your Name]

[Date]

---

This template is direct, cites the specific legal authority, and provides the information a broker needs to locate your records. You do not need to use legal language beyond citing the statute, and you do not need a lawyer to submit the request.

What to Do If They Do Not Respond

After 45 Days with No Response

If a data broker does not respond to your deletion request within 45 days, they are in violation of the CCPA. Here is what you can do:

Send a follow-up email referencing your original request date and reminding them of the 45-day requirement. Sometimes requests fall through the cracks, and a follow-up resolves it.

File a complaint with the California Privacy Protection Agency (CPPA). The CPPA is the dedicated enforcement body for CCPA/CPRA violations. You can file a complaint at cppa.ca.gov. Include your original request, the date it was sent, and documentation of the lack of response.

File a complaint with the California Attorney General. The AG's office also has enforcement authority over CCPA violations. File at oag.ca.gov/privacy/filing-a-complaint.

Consider a private right of action. The CCPA provides a limited private right of action (Section 1798.150) for data breaches resulting from a business's failure to implement reasonable security measures. For other violations, enforcement is primarily through the CPPA and AG, but the legal landscape is evolving.

Common Broker Responses and What They Mean

"We have no records matching your information." This may be accurate, or it may mean they searched under a slightly different name or address. Reply with alternative spellings, maiden names, or previous addresses.

"Your request is exempt under [reason]." The business must cite a specific statutory exemption. Common legitimate exemptions include completing a transaction, legal compliance, or security incident detection. Data brokers rarely have valid grounds for these exemptions when they are simply reselling your data.

"We need additional verification." This is permitted under the CCPA, but the verification requirements must be reasonable. They cannot require you to provide a government ID or sensitive information that goes beyond what is necessary to match your records.

"We have forwarded your request to our privacy team." This resets the 45-day clock from the date of their acknowledgment. Keep the acknowledgment email as evidence.

The California DELETE Act (SB 362)

In 2023, California passed Senate Bill 362, the Delete Act, which created a mechanism for submitting a single deletion request that applies to all registered data brokers simultaneously. The California Privacy Protection Agency was directed to build the deleteMyData.com platform, which launched in phases starting in 2024.

Key provisions:

Data brokers must register with the CPPA and pay a registration fee
The CPPA must provide a free mechanism for consumers to request deletion from all registered brokers through one request
Data brokers must process these requests within 45 days
Data brokers must delete data every 45 days on an ongoing basis (not just upon request)
Penalties for non-registration or non-compliance are significant

This is a major step forward, though the system is still in its early implementation stages, and not all brokers are fully compliant yet.

States with Similar Deletion Rights

California is not the only state with CCPA-like protections. As of March 2026, the following states have enacted comprehensive privacy laws with deletion rights:

Strong Deletion Rights

State

Law

Effective

Key Differences

California	CCPA/CPRA	2020/2023	Broadest scope, dedicated enforcement agency, DELETE Act
Virginia	VCDPA	Jan 2023	No private right of action, AG enforcement only
Colorado	CPA	Jul 2023	Universal opt-out mechanism, AG + DA enforcement
Connecticut	CTDPA	Jul 2023	Similar to Virginia, includes data broker provisions
Oregon	OCPA	Jul 2024	Covers nonprofit entities, broad definition of sale
Texas	TDPSA	Jul 2024	Broad applicability, no revenue threshold
Montana	MCDPA	Oct 2024	Low threshold (50,000 consumers), strong opt-out
Delaware	DPDPA	Jan 2025	Covers small businesses, broad definition of sale
New Jersey	NJDPA	Jan 2025	Strong enforcement, broad consumer rights
Maryland	MODPA	Oct 2025	Limits data minimization, strong deletion rights
Minnesota	MCDPA	Jul 2025	Broad scope including data brokers

Emerging Protections

Indiana, Iowa, Tennessee, Nebraska, New Hampshire, and Kentucky have also enacted privacy laws with varying degrees of deletion rights. Several more states have bills in progress as of 2026.

States Without Comprehensive Privacy Laws

If you live in a state without a comprehensive privacy law, you can still submit deletion requests, but brokers are not legally obligated to comply. However, many brokers honor deletion requests regardless of your state because they apply CCPA-compliant processes uniformly (it is cheaper than maintaining state-by-state systems). Additionally, you can cite the strongest applicable law based on any address in your profile. For example, if you have an address in California, Virginia, or Colorado, you can cite that state's law in your request.

How GhostMyData Automates CCPA Deletion Requests

Submitting CCPA deletion requests manually is straightforward for one or two brokers, but the reality is that your data exists across dozens of enterprise data brokers that require individual legal requests. GhostMyData automates this process for 35+ enterprise data brokers that fall under CCPA jurisdiction:

Automatic right-to-know requests: We send legally formatted inquiries to enterprise data brokers (Acxiom, Epsilon, LexisNexis, Oracle Data Cloud, Nielsen, CoreLogic, and others) asking what data they hold on you
Follow-up deletion requests: When a broker confirms they have your data, we automatically submit a deletion request citing the applicable state privacy law
Multi-state law selection: Our system identifies the strongest applicable privacy law based on all addresses in your profile, not just your current state
45-day deadline tracking: Every request is tracked against the legal response window, with automatic follow-ups for non-responsive brokers
Continuous monitoring: After deletion is confirmed, we re-scan periodically to ensure your data does not reappear

Beyond enterprise brokers, GhostMyData also handles opt-out submissions for 150+ consumer-facing people-search sites (Spokeo, WhitePages, BeenVerified, Radaris, TruePeopleSearch, and many more) through automated form submissions and direct removal requests.

Start your free privacy scan to see which data brokers have your personal information and let us handle the deletion requests.

Frequently Asked Questions

Do I have to be a California resident to use the CCPA?

Yes, the CCPA applies to California residents. However, many other states have similar laws (Virginia, Colorado, Connecticut, Oregon, Texas, and others). If you are not in California, check whether your state has enacted a comprehensive privacy law. GhostMyData automatically cites the strongest applicable law for your location.

Can a data broker charge me to delete my data?

No. Under the CCPA, businesses cannot charge a fee for processing a deletion request. They also cannot discriminate against you (such as providing worse service) for exercising your rights.

What if a broker says they need my SSN to verify my identity?

A broker can ask for reasonable verification, but they cannot require information that is more sensitive than what they already have. If they only have your name and address, they cannot require your SSN. If they make an unreasonable verification demand, file a complaint with the CPPA.

Does the CCPA apply to data brokers outside the United States?

The CCPA applies to any for-profit entity that does business in California and meets the thresholds, regardless of where the business is physically located. Most major international data brokers meet these criteria.

How often should I submit CCPA deletion requests?

Because data brokers continuously re-collect your information, deletion requests should be repeated every 60 to 90 days for maximum effectiveness. Automated services handle this cycle for you.

CCPA Data Deletion Request: How to Delete Your Data in 2026 (Complete Guide)