TL;DR. CCPA / CPRA gives California consumers the right to request deletion of their personal information. You have 45 calendar days from receipt to respond, extendable once by 45 days. Most teams trip on the same three steps: verification, finding the data across systems, and knowing which exceptions actually apply. The checklist below covers each.

If you'd rather have the deadline math handled for you, our DSAR deadline calculator computes the response date and the extension date for CCPA, GDPR, PIPEDA, and the major U.S. state laws — free, no sign-up.

The six steps

Step 1. Receive and log the request

The 45-day clock starts the day the request lands — not the day someone reads the email, not the day a ticket gets assigned. Timestamp receipt against the timezone you operate in.

  • Record exact date and time of receipt.
  • Capture the request channel (email, web form, mail, phone).
  • Acknowledge receipt to the consumer within a few business days — not legally required, but kills 80% of "did anyone see this?" follow-ups.
  • Log the request in whatever system tracks your DSARs (spreadsheet, ticketing system, or a dedicated tool).

Step 2. Verify the consumer

CCPA / CPRA requires a verifiable consumer request. The verification standard scales with the sensitivity of the data and the type of request — a deletion request demands more rigour than a basic categories-of-data disclosure.

  • For a password-protected account: an authenticated session is sufficient.
  • For a non-account holder requesting deletion: match at least two pieces of personal information already on file (e.g., email + last transaction date, or shipping address + order ID).
  • For sensitive personal information (financial account, government ID, precise geolocation): match three or more pieces, or require a signed declaration under penalty of perjury.
  • Document every verification step with timestamps. If you later reject for failed verification, you need a defensible trail.

Common mistake: demanding more verification than the regulation requires. Asking for a copy of a government ID for a low-risk deletion is overcollection — you're processing more personal information to fulfill a privacy request, which itself raises issues.

Step 3. Search every system that holds the data

This is where SMBs most often miss data: they delete from the primary CRM and miss the backup, the marketing automation tool, the customer-support helpdesk, the analytics tool, the email archive.

  • Have a data map — a list of every system, what categories of personal information each holds, and the deletion mechanism for each.
  • Cover both internal systems (production DB, BI warehouse, logs, backups) and service providers (CRM, marketing, support, analytics, payroll …).
  • Decide your policy on immutable backups. Most teams document them as exception-protected and delete on the next rotation rather than restoring just to delete.
  • Don't forget paper records, voicemails, video recordings.

Step 4. Apply the statutory exceptions

CCPA gives nine reasons you may refuse to delete some or all of the personal information. The biggest practical ones for SMBs:

  • Completing the transaction for which the information was collected (active order in progress).
  • Detecting security incidents, protecting against fraudulent or illegal activity, and prosecuting those responsible.
  • Complying with a legal obligation — the classic one is tax record retention (typically 6–7 years for U.S. tax records).
  • Internal uses reasonably aligned with the consumer's expectations based on the consumer's relationship with the business (narrow — don't over-rely).
  • Compliance with a legal hold in active or threatened litigation.

Important: exceptions are applied per data category, not per request. You may have to delete the consumer's marketing data while retaining the financial record for tax purposes. Be specific in your response about what was deleted and what was retained, with the basis.

Step 5. Notify service providers

Under CCPA, you must "notify each service provider" that holds the consumer's data of the deletion. Your Data Processing Addendums with those service providers should already obligate them to comply.

  • Use whatever channel your service provider has set up — most have a self-serve deletion API or a dashboard form.
  • Get a confirmation (timestamp + reference) where the service provider supplies one.
  • If a service provider is uncooperative or unresponsive, you remain liable for the request being unfulfilled. Document the attempt and escalate via your DPA's dispute clause.

Step 6. Respond to the consumer

Your response must arrive within 45 calendar days of receipt. You may extend once by 45 more days if you notify the consumer of the extension and the reason within the first 45.

  • Confirm what was deleted, in plain language.
  • For any data retained under an exception, name the exception and (where reasonable) the data category retained.
  • Confirm the date by which any pending operations (e.g., backup rotation deletion) will complete.
  • Reiterate the consumer's right to appeal or complain to the Attorney General if dissatisfied.
  • Send via the channel the consumer used, or a more secure equivalent if PII is included.
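The deadline arithmetic from Steps 1 and 6, as an added worked example (not code from this page or from Privacy Automated): receipt is converted to the operating timezone before the calendar-day clock starts, an extension is accepted only once and only if the notice falls inside the first 45 days, and the worked results are returned as a dict. It assumes the business operates on U.S. Pacific time, represented here as a fixed UTC-8 offset.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Optional

RESPONSE_DAYS, EXTENSION_DAYS = 45, 45   # 45 calendar days, extendable once by 45 more
# Assumption: the business operates on U.S. Pacific time. A fixed UTC-8 offset keeps the
# example free of tzdata; production code would use ZoneInfo("America/Los_Angeles").
OPERATING_TZ = timezone(timedelta(hours=-8))

@dataclass
class DeletionRequest:
    received_at: datetime                        # tz-aware receipt timestamp, any zone
    extension_notified_on: Optional[date] = None

    def received_on(self) -> date:
        # Step 1: the clock starts on the calendar day of receipt in the operating zone.
        return self.received_at.astimezone(OPERATING_TZ).date()

    def initial_deadline(self) -> date:
        return self.received_on() + timedelta(days=RESPONSE_DAYS)

    def deadline(self) -> date:
        extra = EXTENSION_DAYS if self.extension_notified_on else 0
        return self.initial_deadline() + timedelta(days=extra)

    def extend(self, notified_on: date) -> date:
        # Step 6: one extension only, and the notice must go out within the first 45 days.
        if self.extension_notified_on is not None:
            raise ValueError("extension already used")
        if not self.received_on() <= notified_on <= self.initial_deadline():
            raise ValueError("extension notice is outside the first 45 days")
        self.extension_notified_on = notified_on
        return self.deadline()

    def days_remaining(self, today: date) -> int:
        return (self.deadline() - today).days

def worked_example() -> dict:
    # Constructed sample: received 02:30 UTC on 1 March 2024, still 29 February on Pacific time.
    received = datetime(2024, 3, 1, 2, 30, tzinfo=timezone.utc)
    req, late = DeletionRequest(received), DeletionRequest(received)
    result = {"received_on": req.received_on().isoformat(),
              "initial_deadline": req.initial_deadline().isoformat(),
              "days_left_on_apr_10": req.days_remaining(date(2024, 4, 10))}
    try:
        late.extend(date(2024, 4, 20))           # day 51: too late, no extension granted
    except ValueError:
        result["late_notice_rejected"] = True
    result["extended_deadline"] = req.extend(date(2024, 4, 10)).isoformat()
    return result
```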

Three mistakes that show up in enforcement actions

1. Treating a deletion request as one-time and "done." If the consumer signs up again later, you must not pre-populate their record from cached data — that defeats the deletion. Tag the consumer's identifying information so re-association is blocked.

2. Over-broad fraud-prevention exception. The exception is real, but using it to retain everything because "we might have fraud someday" doesn't survive scrutiny. Be specific about what you're retaining and why.

3. Missing the deadline by a few days because of vendor delays. The clock doesn't pause because your vendor is slow. Build in time for the slowest service provider in your data map.
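One way to implement the re-association block from mistake 1, as an added example that is not the page's or Privacy Automated's code: the suppression list stores a keyed hash (HMAC-SHA256) of the normalised email rather than the email itself, and sign-up consults it before touching any cached data. The key value, the cache contents and the email addresses are constructed for the demo.

```python
import hashlib
import hmac
import unicodedata

# Assumption: a constructed demo key. In production keep it in a secrets store, separate
# from the database, so a leaked suppression table cannot be matched against known emails.
SUPPRESSION_KEY = b"constructed-demo-key-do-not-reuse"


def normalise_email(email: str) -> str:
    # Canonical form so "Alice@Example.COM " and "alice@example.com" produce the same tag.
    return unicodedata.normalize("NFKC", email).strip().lower()


def suppression_tag(email: str) -> str:
    # Keyed hash of the identifier: the tag blocks re-association without retaining the email.
    return hmac.new(SUPPRESSION_KEY, normalise_email(email).encode(), hashlib.sha256).hexdigest()


class DeletionSuppressionList:
    """Tags of consumers whose deletion was fulfilled; consulted before any re-association."""

    def __init__(self) -> None:
        self._tags = set()

    def record_deletion(self, email: str) -> None:
        self._tags.add(suppression_tag(email))

    def is_suppressed(self, email: str) -> bool:
        return suppression_tag(email) in self._tags


def build_profile(email: str, cache: dict, suppression: DeletionSuppressionList) -> dict:
    # On sign-up a suppressed consumer gets a fresh, empty record. Pulling the cached
    # history back in would silently undo the deletion the business already confirmed.
    if suppression.is_suppressed(email):
        return {"email": email, "history": []}
    return {"email": email, "history": list(cache.get(normalise_email(email), []))}


def worked_example() -> dict:
    # Constructed stale cache keyed by normalised email, as a marketing tool might still hold.
    cache = {"alice@example.com": ["order-1001", "order-1042"], "bob@example.com": ["order-2007"]}
    suppression = DeletionSuppressionList()
    suppression.record_deletion("Alice@Example.com ")   # Alice's deletion request was fulfilled
    return {
        "alice_history": build_profile("alice@example.com", cache, suppression)["history"],
        "bob_history": build_profile("bob@example.com", cache, suppression)["history"],
        "variants_share_tag": suppression_tag("ALICE@example.COM") == suppression_tag("alice@example.com"),
    }
```

The suppression list is a backstop, not a substitute for actually purging the cache in Step 3; it catches the copy you missed.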

How Privacy Automated handles this

Privacy Automated auto-classifies inbound deletion requests, starts the verification flow, and fans the request out to every department + service provider you've configured. Each one gets a tokenised link to confirm what data they hold and the action they took, with the deadline countdown live on every request. The privacy team's job becomes oversight, not coordination. See the DSAR routing section of our product tour for what the lifecycle stepper and department fan-out look like.

Stop tracking DSARs in spreadsheets.

Automatic classification, verification flow, department fan-out, live deadline countdown. Free 14-day trial, no credit card.
