How to Delete Your Personal Data: 4 US State Laws to Know
Laura Martisiute
The General Data Protection Regulation (GDPR) exists in the European Union to protect consumer data. This comes in handy when European consumers want personal data deletion. But what about the US?
This guide covers four US consumer privacy laws, including:
- California Consumer Privacy Act & California Privacy Rights Act
- Virginia Consumer Data Protection Act
- Colorado Privacy Act
- Connecticut Personal Data Privacy and Online Monitoring Act.
Please note that individual states enforce different personal data and consumer privacy laws. There are only 12 states in the US with comprehensive privacy laws, eight of which are yet to come into effect.
Even if you don’t live in a state with privacy laws, you can still ask companies to delete your personal information. While they don’t have to comply, many are likely to do so.
Don’t forget data brokers, either. These are companies that collect your personal information from various sources online and then sell it to anyone who wants it. Luckily, most data brokers let you opt out from their databases – and it doesn’t matter what state you live in.
Personal Data Deletion
As a response to growing privacy concerns around data collection, several states in the U.S. have adopted laws that give individuals greater control over their personal data.
According to the US state privacy legislation tracker created by the International Association of Privacy Professionals, only 12 states have enacted laws surrounding personal data protection and deletion (four of which are currently in effect). Another three have introduced bills to increase privacy for consumers. The remaining 35 states have inactive bills or no bills at all.
What does that mean for you? What rights are available to you as a consumer in the United States? Let’s jump into some of the core privacy laws in the US today to help you better understand personal data erasure.
California Consumer Privacy Act & California Privacy Rights Act
California is one of the states that prioritizes consumer data and privacy most in the United States. This is evident from the passing of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
Here’s what you need to know about these two laws.
Right to Delete
The CCPA ushered in a pivotal right for California consumers: the right to request the deletion of their personal data. Upon this request, businesses must remove any collected information about the consumer.
The CPRA further amplifies this provision. Under the CPRA, businesses need to honor this deletion request and pass it on to any third parties with which they’ve shared, or to which they’ve sold, the consumer’s data so the data can be deleted.
But there are some exceptions worth noting. Businesses are not bound to delete personal information if there are legal obligations, regulatory requirements, or other specific circumstances necessitating data retention.
The term “personal information” is also used loosely in these laws. Personal info generally encompasses details directly or indirectly linked with an individual or household. This can range from direct identifiers like names and addresses to other data like browsing history or even certain inferences drawn about the consumer.
Beyond just the right to delete, consumers can opt out of data sales or sharing, ask businesses to correct inaccurate information, and limit the reasons companies can use sensitive information.
How to request businesses to delete your personal data
First, determine which business has collected your personal information. This might be a company with which you’ve directly interacted or one you believe may have your data due to indirect interactions.
Businesses required to comply with the CCPA/CPRA should have an accessible privacy policy on their website. Most companies offer online forms for CCPA/CPRA requests. Fill out all the prompted details and submit the request. You can also find data removal request templates for California residents online.
Businesses have a stipulated time (usually 45 days, which can be extended to 90 days) to process and respond to your request. They will inform you once the data has been deleted or if there are exceptions that prevent deletion.
If the business doesn’t respond within the stipulated time or if you believe they haven’t adequately addressed your request, you may need to follow up with them.
Tip: The Frequently Asked Questions section on the CCPA site answers common questions people and businesses have about the law.
Virginia Consumer Data Protection Act
Virginia is another state committed to consumer data and personal privacy protection through the Virginia Consumer Data Protection Act (VCDPA). Under the VCDPA, Virginia residents can exercise their right to request businesses to delete personal data.
Companies must erase this information once a legitimate request is made unless certain exceptions apply. If the business does not comply, they are subject to a financial penalty.
The VCDPA characterizes personal data as any information relating to an identified or identifiable individual. This could range from traditional identifiers, such as names or social security numbers, to more modern data points, like IP addresses or cookie data.
However, the VCDPA does not enforce a private right of action. This means that individual consumers cannot personally sue a company for alleged non-compliance with the VCDPA. Instead, enforcement lies primarily with the state’s attorney general.
While the VCDPA and the CCPA both emphasize the right to data deletion, there are nuanced differences between the two. The CCPA allows consumers to request the deletion of their data and requires businesses to forward this request to the third parties to which the data has been shared or sold.
That’s a provision that does not exist in the VCDPA. Businesses do not need to forward this request to third parties with your data. This can be problematic if your data was already passed along or sold.
How to request businesses to delete your personal data
Companies under the VCDPA’s jurisdiction should display their privacy policy on their website. This document will include details or a section highlighting how to execute your “Right to Delete” under the VCDPA.
Craft an email or written request if a specialized form is unavailable. In your correspondence, be clear that you are invoking your “Right to Delete” as specified under the VCDPA. The business has 45 days to respond to your request or 90 days after requesting an extension.
If the company doesn’t react within the timeframe or you believe they haven’t appropriately addressed your request, you might need to initiate a follow-up.
Colorado Privacy Act
The Colorado Privacy Act (CPA) is Colorado’s response to the growing need for data privacy regulation in the digital era. Like other state-specific privacy laws, the CPA protects consumers and ensures businesses handle personal data responsibly.
Under the CPA, Colorado residents can request that businesses delete the personal data they have collected. Personal data is defined as any data that is linkable to an identified/identifiable individual and can be used to identify them, either on its own or in conjunction with other data.
Businesses under the CPA must notify consumers about their data collection, processing, and sharing activities. They also must offer consumers an opt-out choice for data collection and processing, especially for targeted advertising. Lastly, businesses must conduct regular data protection assessments for high-risk processing activities, like profiling or selling sensitive data.
Data Subject Access Requests (DSARs) are a critical component of the CPA. These requests empower consumers to exercise their rights, and businesses have 45 days (extendable by another 45 days) to respond.
How to request businesses to delete your personal data
First, find the company’s privacy policy on their website. This document should tell you how to make a “Right to Delete” request under the CPA. Submit your request to the data controller.
The controller may provide an online portal, form, or dedicated email. Be prepared to undergo an identity verification process. This is a safety measure to protect against fraudulent requests and confirm you are the rightful owner of the data.
The controller will either accept your request and delete your data or decline your request. In the latter case, they must provide a valid reason for their decision.
Connecticut Personal Data Privacy and Online Monitoring Act
Signed into law on May 10, 2022, the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) is how Connecticut safeguards and protects personal data and privacy for CT residents.
Like other state-specific data privacy acts, the CTDPA provides Connecticut residents the power to access, correct, delete, and obtain their personal data and opt out of the sale and processing of their information.
Connecticut’s act does not integrate a gross revenue threshold as a condition for compliance. Instead, the focus is on businesses processing personal data of over 100,000 consumers or those handling data of at least 25,000 consumers and deriving a significant portion of their revenue from data sales.
The act also presents exemptions. It excludes state agencies, nonprofits, higher education institutions, and entities already covered under federal legislation like HIPAA.
How to request businesses to delete your personal data
Under the CTDPA, consumers have the right to request the deletion of their personal data. Businesses subject to the act are obligated to provide an accessible way for consumers to make the request on their website. This is usually in the privacy policy section.
After receiving a deletion request, controllers must delete data as soon as practicable, ideally within 15 days. This is a little faster than other states, which enforce 45 or 90 days.
The data removal request process should be as streamlined as when the consumer initially provided their data, ensuring transparency and ease of navigation for consumers.
How to Delete Your Personal Data from Data Brokers
When sending requests to companies to delete your data, don’t forget data brokers.
Data brokers are companies that gather your data (like your home address, phone number, and family details) from a wide variety of sources, package it into a profile, and then sell it to advertisers, law enforcement agencies, and other third parties: basically, more or less anyone with a credit card.
You can read more about data brokers in our comprehensive guide on them.
Because most of the information data brokers collect and sell is publicly available, i.e., it comes from social media, public records, etc., they’re not technically breaking the law.
But their business is putting your privacy at risk. Thanks to data broker profiles, which are easily accessible and can sometimes even appear as the first few Google Search results (and appear at the top of other search engines), you are more likely to fall victim to doxxing, harassment, and stalking. They also put you at risk of cybersecurity threats like targeted phishing and identity theft.
Here’s what a typical data broker profile looks like:
Luckily, you can opt out of data brokers to keep your personal details protected.
Use our free opt-out guides for step-by-step instructions on how to remove your name from data brokers. Some of our most popular guides include:
- How to remove yourself from Whitepages.
- How to remove yourself from Spokeo.
- How to remove yourself from BeenVerified.
- How to remove yourself from PeopleFinder.
- How to remove yourself from Radaris.
- How to remove yourself from People Background Check.
- How to remove yourself from TruthFinder.
- How to remove yourself from MyLife.
- How to remove yourself from Intelius.
- How to remove yourself from Fast People Search.
- How to remove yourself from Arrests.org.
- How to remove yourself from CheckPeople.com.
- How to remove yourself from Instant Checkmate.
Remember to opt out of data brokers regularly – they will relist your data when they find more of it, even if you had previously opted out. If you’d rather not have to opt out of data brokers manually, you can also subscribe to a data broker removal service like DeleteMe. You can read reviews of our service here.