How to Exercise Your CCPA Rights with Sample Form Letter

Page content

Right To Non-Discrimination

Per California Consumer Privacy Act (CCPA), Businesses cannot deny goods or services, charge you a different price, or provide a different level or quality of goods or services just because you exercised your rights under the CCPA.

However, if you refuse to provide your personal information to a business or ask it to delete or stop selling your personal information, and that personal information or sale is necessary for the business to provide you with goods or services, the business may not be able to complete that transaction.

Businesses can also offer you promotions, discounts and other deals in exchange for collecting, keeping, or selling your personal information. But they can only do this if the financial incentive offered is reasonably related to the value of your personal information. If you ask a business to delete or stop selling your personal information, you may not be able to continue participating in the special deals they offer in exchange for personal information. If you are not sure how your request may affect your participation in a special offer, ask the business.

How To Exercise CCPA Right to Request That A Business Deletes Your Personal Information

You may request that businesses delete personal information they collected from you and to tell their service providers to do the same. However, there are many exceptions that allow businesses to keep your personal information.

Under the CCPA, a consumer has the right to request that a business deletes their personal information. Once a business verifies your request, it must delete your personal information.

  • There are exceptions to your right to delete your personal information. If a business denies your request, the business must tell you why it refused your request to delete your personal information.
  • You do not need to have a direct relationship with the business in order to request that business delete your personal information.
  • If a business requires you to provide additional information to verify your identity, it is not allowed to use that information for any other purpose.
  • Even if a business does not sell personal information but only collects personal information, it must respond to your request to delete your personal information.
  • A business is not allowed to charge you for deleting your personal information.
  • A business must provide two or more methods for you to request that your personal information is deleted

Sample Letter to Request Delete Personal Data

Businesses must designate at least two methods for you to submit your request—for example, a toll-free number, email address, website form, or hard copy form. Businesses do not have to provide an online form for requesting deletion.

Businesses cannot make you create an account just to submit a deletion request, but if you already have an account with the business, it may require you to submit your request through that account.

Make sure you submit your deletion request through one of the business’s designated methods, which may be different from its normal customer service contact information. If you can’t find a business’s designated methods, review its privacy policy, which must include instructions on how you can submit your request.

If a business’s designated method of submitting requests to delete is not working, notify the business in writing and consider submitting your request through another designated method if possible.

Sample form to request exercising CCPA rights to delete personal information (excerpt from epic.org):

Dear Privacy Compliance Officer,

My name is [insert name]. I reside in California and am exercising my right to delete my personal information under the California Consumer Privacy Act. I request that [insert name of company here] deletes all of the information it has collected about me, whether directly from me, through a third party, or through a service provider.

My email address is [insert email address] phone number is [insert phone number].

If you need any more information from me, please let me know as soon as possible. If you cannot comply with my request–either in whole or in part–please state the reason why you cannot comply. If part of my information is subject to an exception, please delete all information that is not subject to an exception. If my request is incomplete, please provide me with specific instructions on how to complete my request.

Sincerely,

Businesses must respond to your request within 45 calendar days. They can extend that deadline by another 45 days (90 days total) if they notify you.

If you submitted a request to delete and have not received any response within the timeline, check the business’s privacy policy to make sure you submitted your request through the designated way. Follow up with the business to see if the business is subject to the CCPA and to follow up on your request.

References