How to Delete Your Data From Any Company

TL;DR: You have the legal right to request deletion of your personal data from most companies under the GDPR, CCPA, and many state privacy laws. To delete your data: find the company's privacy or deletion page, submit a request identifying yourself and the data you want deleted, and wait for the company to respond (30 days under CCPA, one month under GDPR). If a company ignores your request, you can file a complaint with your data protection authority or attorney general. PrivacyFetch tracks deletion difficulty for every company in its directory.

Your Legal Right to Delete Your Data

The right to delete your personal data is established by law in most of the world. This is not a favor companies grant you -- it is a legal obligation they must comply with.

Under GDPR (European Union)

The GDPR's Article 17 establishes the "right to erasure," commonly called the "right to be forgotten." If you are in the EU or EEA, you can request any company delete your personal data. The company must comply within one month and can extend this by two additional months for complex requests.

Companies must delete your data when:

• The data is no longer necessary for the purpose it was collected
• You withdraw consent and there is no other legal basis for processing
• You object to processing and there are no overriding legitimate grounds
• The data was processed unlawfully
• Deletion is required by law

Under CCPA (California)

The CCPA gives California residents the right to request deletion of personal information that a company has collected from them. Companies must comply within 45 business days and can extend by an additional 45 days with notice.

The CPRA (California Privacy Rights Act) strengthened this right by requiring companies to also direct their service providers and contractors to delete the data.

Under State Privacy Laws

Multiple US states have passed privacy laws with deletion rights:

If you live in any of these states, you have a legal right to data deletion. Even if your state does not have a specific privacy law, many companies honor deletion requests from all US residents as a matter of policy.

Step-by-Step: How to Delete Your Data

Step 1: Find the Company's Deletion Process

Every company handles deletion requests differently. Start by finding the right channel:

Check PrivacyFetch first: Go to privacyfetch.com/explore, search for the company, and open its profile. The User Rights tab shows available request channels -- whether the company offers an online form, email address, or other methods. PrivacyFetch also rates the deletion difficulty so you know what to expect.

Check the company's privacy policy: Scroll to the section titled "Your Rights," "Your Choices," or "How to Contact Us." This section lists how to submit privacy requests.

Look for a dedicated privacy page: Many companies have a privacy request portal. Common URLs include:

• company.com/privacy
• company.com/privacy-request
• company.com/data-request
• company.com/my-data

Look for "Do Not Sell" or "Privacy Choices" links: These are usually in the website footer and often lead to a broader privacy request form.

Step 2: Determine What Data to Request Deletion Of

Before submitting your request, decide what you want deleted:

Full deletion: Request deletion of all personal data the company holds about you. This is the strongest option and is appropriate for companies you no longer use.

Partial deletion: Request deletion of specific data categories. For example, you may want to keep your account but delete your browsing history, location data, or advertising profile.

Account deletion: Request full account deletion, which should include all associated personal data. Some companies treat account deletion and data deletion as separate processes -- make sure to request both.

Step 3: Submit Your Deletion Request

Submit your request through the channel you identified in Step 1. Here is what to include:

For an online form:

• Fill in all required fields
• Specify "Delete my personal data" or "Right to erasure"
• Note whether you want full or partial deletion
• Reference the applicable law (GDPR Article 17, CCPA Section 1798.105, or your state law)

For an email request, include:

• Subject line: "Personal Data Deletion Request - [Your Name]"
• Your identity: Full name, email address associated with the account, and any account ID or username
• What you are requesting: Clearly state you are requesting deletion of all personal data the company holds about you
• Legal basis: Reference the applicable law
• Response deadline: State that you expect a response within the legally required timeframe
• Confirmation: Request written confirmation when deletion is complete

Sample email template:

Subject: Personal Data Deletion Request - [Your Name]

To the Privacy Team,

I am writing to request deletion of all personal data your company holds
about me, as is my right under [GDPR Article 17 / CCPA Section 1798.105 /
applicable state law].

My account details:
- Name: [Your full name]
- Email: [Your email address]
- Account ID/username: [If applicable]

Please delete all personal data associated with my identity, including but
not limited to: account data, usage data, tracking data, advertising
profiles, and any data shared with third-party partners.

I also request that you direct your service providers and data partners to
delete my data, as required by law.

Please confirm completion of this request in writing within [30 days for
GDPR / 45 days for CCPA].

Thank you,
[Your name]

Step 4: Verify Your Identity

Most companies will require identity verification before processing your request. Common verification methods:

• Email verification: A confirmation email sent to the address on file
• Account login: Log in to your account to confirm the request
• ID upload: Some companies require a government-issued ID (more common under GDPR)
• Knowledge-based verification: Answer questions about your account activity

Companies cannot ask for more personal information than necessary to verify your identity. If a company requests excessive verification (fax a notarized letter, provide your SSN), that is a red flag.

Step 5: Wait for the Response

After submitting your request:

• GDPR: The company has one month to respond. They can extend by two months for complex requests but must notify you of the extension within the first month.
• CCPA: The company has 45 business days to respond. They can extend by an additional 45 days with notice.
• State laws: Most require a response within 45 days.

The company must either:

1. Confirm that your data has been deleted
2. Explain why it cannot delete your data (with a legal justification)
3. Request additional time (with a valid reason)

Step 6: Confirm Deletion

After the company confirms deletion:

• Check your account to verify it is no longer accessible (if you requested account deletion)
• Submit a data access request to verify that the company no longer holds your information
• Check third-party services -- if the company shared your data with partners, verify that partners also received and processed the deletion request
• Note the date -- if the company collects new data about you in the future (through cookies, for example), you may need to submit another request

What Companies Can Legally Refuse to Delete

Companies are not required to delete your data in every situation. Legally recognized exceptions include:

If a company cites one of these exceptions, it must explain which exception applies and why. A vague refusal without a specific legal basis is not compliant.

What to Do If a Company Ignores Your Request

If a company does not respond within the legal deadline, or refuses your request without a valid legal basis:

1. Send a Follow-Up

Wait until the deadline passes, then send a follow-up email referencing your original request, the date it was submitted, and the legal deadline. State that the company is now in violation of [applicable law] and that you intend to file a complaint if the request is not processed within 14 days.

2. File a Complaint

For GDPR violations:

• File a complaint with your national Data Protection Authority (DPA)
• EU DPA directory: edpb.europa.eu/about-edpb/about-edpb/members_en
• DPAs have the authority to investigate and impose fines up to EUR 20 million or 4% of global revenue

For CCPA violations:

• File a complaint with the California Privacy Protection Agency: cppa.ca.gov
• File a complaint with the California Attorney General: oag.ca.gov
• Companies face fines of $2,500-$7,500 per violation

For state law violations:

• Contact your state Attorney General's office
• Most state AG offices have online complaint portals for privacy violations

3. Consider Legal Action

Under the CCPA, you have a private right of action for certain violations, particularly data breaches. For deletion request refusals, the regulatory complaint route is typically more effective.

In the EU, some member states allow individuals to bring civil claims for GDPR violations. Consult a privacy attorney in your jurisdiction.

Deletion Difficulty: Why Some Companies Make It Hard

Not all companies treat deletion requests equally. PrivacyFetch tracks deletion difficulty as a key indicator in the User Rights dimension of the privacy score.

Easy Deletion (No Score Penalty)

• Self-service account deletion in settings
• Online form with quick processing (under 7 days)
• Clear instructions with minimal verification
• Automatic deletion of associated third-party data

Moderate Deletion (-5 Points)

• Requires email request (no self-service option)
• Multi-step verification process
• 2-4 week processing time
• Unclear about third-party data deletion

Difficult Deletion (-15 Points)

• Requires phone call or mailed request
• Extensive identity verification (ID upload, notarized documents)
• Long processing times (over 30 days)
• Hidden or hard-to-find request process
• "Dark patterns" that discourage completing the request

Companies use difficult deletion processes as a retention tactic -- the harder it is to delete your data, the fewer people will complete the process. This is why PrivacyFetch penalizes difficult deletion in its scoring system.

You can check any company's deletion difficulty rating on its PrivacyFetch profile.

How Long Does Deletion Take?

After a company confirms deletion, it is reasonable to wait an additional 30 days and then submit a data access request to verify that the data was actually deleted.

Tips for Effective Deletion Requests

1. Be specific: Reference the exact law, your exact name, and your exact account details. Vague requests get delayed.

2. Keep records: Save a copy of every request you send, every response you receive, and the dates of each. You will need this if you file a complaint.

3. Use the right channel: If a company has a dedicated privacy request form, use it. Requests sent to general support addresses often get lost or delayed.

4. Request confirmation: Always ask for written confirmation that deletion is complete. A company saying "we'll look into it" is not the same as "your data has been deleted."

5. Batch your requests: If you are deleting your data from multiple companies, set aside a day to submit all requests at once. Track them in a spreadsheet with submission dates and deadlines.

6. Do not give up: If a company makes the process difficult, that is a sign they do not want you to complete it. Persist. The law is on your side.

7. Check PrivacyFetch first: Before starting the process, look up the company to see its deletion difficulty rating, available request channels, and user rights support. This saves you time by knowing what to expect.

How to Prevent Future Data Accumulation

Deleting your data is reactive. To reduce the need for future deletion requests:

• Audit your accounts annually: Review every service you have signed up for. Delete accounts you no longer use.
• Minimize data at signup: Provide only required information. Use a disposable email for services you are testing.
• Adjust privacy settings immediately: When creating a new account, go straight to privacy settings and turn off optional data collection, tracking, and sharing.
• Enable Global Privacy Control (GPC): This browser signal automatically tells websites not to sell or share your data.
• Use privacy-focused services: Before signing up for any new service, check its privacy score on PrivacyFetch. Choose companies with high scores and easy deletion processes.

Key Takeaways

• You have the legal right to delete your personal data under GDPR, CCPA, and many state privacy laws
• To delete your data: find the company's privacy request channel, submit a request with your identity and the specific law you are invoking, and wait for the legally required response (30-45 days)
• Companies can refuse deletion only for specific legal reasons (regulatory requirements, ongoing contracts, legal claims). A vague refusal is not compliant.
• If a company ignores your request, file a complaint with your data protection authority (EU) or state attorney general (US)
• PrivacyFetch tracks deletion difficulty for every company -- check before you submit to know what to expect
• Keep records of every request and response in case you need to escalate
• Prevention is easier than deletion: minimize data at signup, adjust privacy settings immediately, and check privacy scores before creating accounts

This analysis is based on PrivacyFetch's automated privacy policy analysis. Check any company's privacy score