Response Letter to Request to Delete Personal Information
(CCPA/CPRA Compliant)

Summary

This sample letter responds to consumer requests to delete personal information submitted under the California Consumer Privacy Act of 2018 (CCPA), Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 (CPRA). This template includes practical guidance, drafting notes, and alternate and optional clauses. Under the CCPA/CPRA, businesses have a statutory obligation to give consumers notice of the right to request deletion of their personal information, subject to certain exceptions. Cal. Civ. Code § 1798.105. Cal. Code Regs. Tit. 11, § 7022 and related sections, which became effective March 1, 2023, further expand on the right to delete. Confirmation of Receipt. Timing provisions require a business to confirm receipt of a consumer request within 10 business days and provide information about how the business will process the request. Cal. Code Regs. Tit. 11, § 7021(a). The information must generally describe the business's verification process and when the consumer should expect a response (except in instances where the business has already granted or denied the request). Cal. Code Regs. Tit. 11, § 7021(a). You can give the confirmation in the same manner that the request was received, including orally if the request was made over the phone. Cal. Code Regs. Tit. 11, § 7021(a). Timing of Responses. You have 45 days after receipt of the consumer request to respond. Cal. Code Regs. Tit. 11, § 7021(b); Cal. Civ. Code § 1798.130(a)(2)(A). The 45-day period begins on the date of receipt. Cal. Code Regs. Tit. 11, § 7021(b). You can deny the request if you cannot verify the consumer within the 45-day period. Cal. Code Regs. Tit. 11, §§ 7021(b), 7023(a). You have an extra 45 days to respond if you provide the consumer with notice and the reason you need an additional 45 days to respond. Cal. Code Regs. Tit. 11, § 7021(b); Cal. Civ. Code § 1798.130(a)(2)(A). Choice to Delete Select Portions. In responding to a request to delete, you may present the consumer with the choice to delete select portions of their personal information if you also offer a single option to delete all personal information. Cal. Code Regs. Tit. 11, § 7022(h). A business that provides consumers the ability to delete select categories of personal information in other contexts (e.g., purchase history, browsing history, voice recordings), however, must inform consumers of their ability to do so and direct them to how they can do so. For example, a business may provide the consumer with a link to a support page or other resource that explains consumers' data deletion options. Cal. Code Regs. Tit. 11, § 7022(h). Compliance with Request. A business must comply with a consumer's request to delete their personal information by: • Permanently and completely erasing the personal information from its existing systems except archived or backup systems • Deidentifying the personal information –or– • Aggregating the consumer information Cal. Civ. Code § 1798.105(e)(1); Cal. Code Regs. tit. 11, § 7022(b)(1). Service Providers/Contractors/Third Parties. You must also notify the business's service providers or contractors and third parties to whom the business sold or shared the consumer's personal information of the need to delete the information from their records. Cal. Code Regs. tit. 11, § 7022(b)(2) and (3). If notifying all third parties proves impossible or involves disproportionate effort, you must provide the consumer a detailed explanation that includes enough facts to give a consumer a meaningful understanding as to why the business cannot notify all third parties. Cal. Code Regs. tit. 11, § 7022(b). You cannot simply state that notifying all third parties is impossible or would require disproportionate effort. Cal. Civ. Code § 1798.105(c)(1); Cal. Code Regs. tit. 11, § 7022(b). Language. Note that communications with consumers must be easy to read and understandable to consumers, using plain, straightforward language and avoiding technical or legal jargon. Cal. Code Regs. Tit. 11, § 7003(a). For more practical guidance on responding to deletion requests, see CCPA/CPRA Compliance: Responding to Consumer Data Deletion Requests Checklist. For a California-compliant privacy policy and clauses, see Privacy Policy (CCPA and CPRA Compliant), Privacy Policy Clause: How to Exercise Your Rights (CCPA and CPRA Compliant), Privacy Policy Clause: Description of Consumer Rights (CCPA and CPRA Compliant). For more guidance on CCPA/CPRA obligations, see California Consumer Privacy Resource Kit (CCPA and CPRA).