Right to Delete

The consumer right under CCPA/CPRA to request deletion of personal information a business has collected from them, subject to specific exceptions. Under Section 1798.105, businesses must delete the consumer's personal information from their records and direct service providers to delete the information from their records. Businesses must respond within 45 days (extendable by 45 days with notice). Exceptions allow businesses to retain information when necessary to: complete transactions, detect security incidents, debug products, exercise free speech, comply with legal obligations, conduct research (if consumer provided informed consent), or enable internal lawful uses reasonably aligned with consumer expectations. Before denying a deletion request, businesses must inform consumers of the reasons. Organizations should implement processes for verifying identity, searching all systems for data, securely deleting information, notifying service providers, documenting deletion and exceptions, and maintaining deletion logs. Unlike GDPR's right to erasure, CCPA's deletion right has broader business-related exceptions reflecting commercial considerations.