How to Handle Customer Data Deletion Requests (CCPA, VCDPA, and More)
A customer asked you to delete their data. Here's exactly what you need to do, how fast, and what you can legally keep.
2026-03-06
You just received an email from a customer: "Delete all my personal data." Under CCPA and 19 other state privacy laws, you're legally required to comply. But what does that actually mean in practice? What do you delete? What can you keep? How fast do you need to respond?
Here's a practical guide.
Step 1: Verify the Request (But Don't Overdo It)
Before deleting anything, you need to verify that the request is coming from the actual consumer (or their authorized agent). But verification must be reasonable — you can't create so many hoops that people give up.
For requests from known customers (they have an account):
- Ask them to submit the request from their registered email, OR
- Have them log into their account and submit through a form
For requests from anonymous visitors:
- Match the email to any data you have
- If you can't match them, inform them you have no data to delete
Don't ask for: government ID, notarized letters, or multiple forms of verification for routine deletion requests. The law requires the process to be reasonable and not discouraging.
Step 2: Identify All Data
Find every piece of personal data you hold for that consumer across all systems:
- E-commerce platform (Shopify, WooCommerce) — order history, account info, addresses
- Email marketing (Klaviyo, Mailchimp, Omnisend) — subscriber records, engagement data
- Analytics — if you can identify their data (usually you can't for anonymous analytics)
- Customer support (Zendesk, Gorgias) — tickets, chat logs
- CRM — contact records, notes
- Payment processor — Stripe, PayPal (see exceptions below)
- Spreadsheets or manual records — yes, these count too
Step 3: Delete (With Legal Exceptions)
Delete all personal data except what you're legally required or permitted to keep.
You Must Delete
- Account profile information
- Marketing/newsletter subscriptions
- Browsing history and analytics data you control
- Customer support tickets (unless needed for legal claims)
- Any other data not covered by an exception
You Can Keep (Legal Exceptions)
Most state privacy laws allow you to retain data necessary for:
- Completing a transaction — you can keep order records until fulfillment is complete
- Legal compliance — tax records (typically 7 years), financial records required by law
- Security — data needed to detect fraud or security incidents
- Warranty/recall obligations — if the product has ongoing safety requirements
- Internal analytics — aggregated, de-identified data that can't be re-identified
Important: You cannot refuse the entire request because one exception applies. Delete what you can, keep what the law permits, and explain both to the consumer.
Step 4: Notify Third Parties
If you've shared the consumer's data with third parties, you must direct those third parties to delete it too. This includes:
- Email marketing platforms
- Advertising partners (Meta, Google)
- Data brokers
- Any other service provider who received the data
In practice, this usually means:
- Removing the contact from your email platform
- Removing them from any custom audiences in ad platforms
- Contacting any data broker you've shared data with
Step 5: Respond Within the Deadline
| State | Response Deadline | Extension |
|---|---|---|
| California (CCPA) | 45 days | + 45 days with notice |
| Virginia (VCDPA) | 45 days | + 45 days with notice |
| Texas (TDPSA) | 45 days | + 45 days with notice |
| Colorado (CPA) | 45 days | + 45 days with notice |
| Iowa | 90 days | None specified |
Most states give you 45 days from receipt of the request. If you need more time, you can extend by another 45 days — but you must notify the consumer of the extension and the reason.
Your response should confirm:
- That you received the request
- What data was deleted
- What data was retained (and why, citing the specific exception)
- That third parties were notified
Step 6: Document Everything
Keep a log of every data deletion request:
- Date received
- Consumer identifier (email)
- What was deleted
- What was retained and why
- When the response was sent
- Whether third parties were notified
This log is your evidence of compliance if a regulator ever asks. You don't need to keep the deleted data — just the record that you processed the request.
Setting Up a System
For small businesses, a simple process works:
1. Dedicated email — [email protected]
2. Template responses — for acknowledgment, completion, and exceptions
3. Checklist — of all systems to check for each request
4. Spreadsheet log — tracking requests and responses
If you receive more than a few requests per month, consider a privacy rights management tool.
The Bottom Line
Data deletion requests are manageable if you have a process. The biggest risk isn't the request itself — it's ignoring it or responding too slowly. Set up your system now, before you get your first request.
ClearConsent helps you understand what data your site collects in the first place — which is the foundation for knowing what you need to delete. Scan your site to see exactly what trackers and cookies are collecting visitor data.