DATA DELETION REQUEST PROCEDURE
[ORGANIZATION NAME]
Procedure Number: [PROC-PRIV-002]
Effective Date: [DATE]
Last Reviewed: [DATE]
Procedure Owner: [Chief Privacy Officer / Privacy Team]
1. PURPOSE AND SCOPE
1.1 Purpose
This procedure establishes the process for handling consumer/data subject requests to delete their personal information pursuant to applicable privacy laws including CCPA/CPRA, VCDPA, CPA, CTDPA, and other state privacy laws.
1.2 Scope
This procedure applies to:
☐ All deletion requests from consumers/data subjects
☐ All personal information held by [ORGANIZATION NAME]
☐ Personal information held by service providers on behalf of [ORGANIZATION NAME]
☐ All employees, contractors, and third parties processing deletion requests
2. LEGAL FRAMEWORK
2.1 Right to Delete Under State Privacy Laws
| Law | Citation | Response Time | Exceptions |
|---|---|---|---|
| CCPA/CPRA | Cal. Civ. Code Section 1798.105 | 45 days (+45 extension) | 9 statutory exceptions |
| VCDPA | Va. Code Section 59.1-577(A)(3) | 45 days (+45 extension) | Similar exceptions |
| CPA | C.R.S. Section 6-1-1306(1)(a)(VI) | 45 days (+45 extension) | Similar exceptions |
| CTDPA | Conn. Gen. Stat. Section 42-518(a)(3) | 45 days (+45 extension) | Similar exceptions |
| UCPA | Utah Code Section 13-61-201(1)(b) | 45 days (+45 extension) | Consumer-provided data only |
| GDPR | Article 17 | 1 month (+2 months extension) | 6 specified exceptions |
2.2 Statutory Exceptions to Deletion
Under most privacy laws, deletion may be refused when the personal information is needed to:
- Complete a transaction or provide goods/services requested
- Detect security incidents or protect against malicious/fraudulent activity
- Debug to identify and repair errors
- Exercise free speech or another legal right
- Comply with legal obligations
- Conduct research in the public interest with safeguards
- Enable solely internal uses reasonably aligned with consumer expectations
- Make other internal and lawful uses compatible with the context of collection
3. DELETION REQUEST PROCESS
3.1 Process Overview
[Request Received] --> [Intake & Logging] --> [Identity Verification]
| |
| [Verification Failed] <-+-> [Verification Successful]
| | |
v v v
[Deny Request] [Request Info] [Data Collection]
|
v
[Exception Analysis]
|
[Exceptions Apply] <-+--> [No Exceptions]
| |
v v
[Partial Deletion] [Full Deletion]
| |
+-------+-------+-------+
|
v
[Notify Service Providers]
|
v
[Confirm Deletion]
|
v
[Send Response to Consumer]
3.2 Step-by-Step Procedure
STEP 1: REQUEST INTAKE
Timeframe: Within 24 hours of receipt
Responsible Party: Privacy Team / Customer Service
Actions:
☐ Log request in tracking system with unique ID
☐ Record receipt date (starts clock for response deadline)
☐ Document request channel and details
☐ Identify jurisdiction/applicable law based on consumer location
☐ Send acknowledgment to consumer within 10 business days (CCPA requirement)
Checklist:
| Item | Completed | Notes |
|---|---|---|
| Request logged | ☐ | Request ID: _________ |
| Deadline calculated | ☐ | Due date: _________ |
| Consumer location identified | ☐ | State: _________ |
| Acknowledgment sent | ☐ | Date: _________ |
STEP 2: IDENTITY VERIFICATION
Timeframe: Within 5 business days of receipt
Responsible Party: Privacy Team
Actions:
☐ Determine verification level required:
- Standard request: Match 2+ data points
- Sensitive data or high-risk: Match 3+ data points
☐ Verify identity using approved methods:
- Account login verification
- Matching provided information to records
- Signed declaration under penalty of perjury
- Third-party verification service
☐ Document verification process and results
☐ If verification fails, request additional information (provide 15 days to respond)
Verification Methods:
| Method | Suitable For | Documentation |
|---|---|---|
| Account login | Existing customers | Screenshot of login verification |
| Data matching | All requests | Verification worksheet |
| Signed declaration | High-risk requests | Signed declaration form |
| Third-party service | When needed | Service confirmation |
STEP 3: DATA DISCOVERY
Timeframe: Within 15 business days of verification
Responsible Party: Privacy Team / IT / Data Owners
Actions:
☐ Search all relevant systems for consumer's personal information:
| System | Searched | Data Found | Owner Contacted |
|---|---|---|---|
| CRM | ☐ | ☐ Yes ☐ No | ☐ |
| E-commerce Platform | ☐ | ☐ Yes ☐ No | ☐ |
| Marketing Database | ☐ | ☐ Yes ☐ No | ☐ |
| Customer Support | ☐ | ☐ Yes ☐ No | ☐ |
| Analytics Systems | ☐ | ☐ Yes ☐ No | ☐ |
| Financial Systems | ☐ | ☐ Yes ☐ No | ☐ |
| HR System (employee) | ☐ | ☐ Yes ☐ No | ☐ |
| Email Archives | ☐ | ☐ Yes ☐ No | ☐ |
| Backup Systems | ☐ | ☐ Yes ☐ No | ☐ |
| Third-Party Processors | ☐ | ☐ Yes ☐ No | ☐ |
☐ Document all personal information found
☐ Identify data owners for each system
STEP 4: EXCEPTION ANALYSIS
Timeframe: Within 5 business days of data discovery
Responsible Party: Privacy Team / Legal (if needed)
Actions:
☐ Review each category of data for applicable exceptions:
| Data Category | System | Exception Applies | Exception Reason | Retain/Delete |
|---|---|---|---|---|
| ☐ Yes ☐ No | ☐ Retain ☐ Delete | |||
| ☐ Yes ☐ No | ☐ Retain ☐ Delete | |||
| ☐ Yes ☐ No | ☐ Retain ☐ Delete | |||
| ☐ Yes ☐ No | ☐ Retain ☐ Delete |
☐ Consult Legal if complex exceptions apply
☐ Document exception analysis
Common Exception Scenarios:
| Scenario | Exception | Action |
|---|---|---|
| Active order/transaction | Complete transaction | Retain until fulfilled |
| Tax records <7 years | Legal obligation | Retain per retention schedule |
| Active warranty | Provide goods/services | Retain until expiration |
| Security investigation | Detect security incidents | Retain until resolved |
| Legal hold | Legal obligation | Do not delete |
| Fraud detection records | Protect against fraud | May retain |
STEP 5: DELETION EXECUTION
Timeframe: Within 10 business days of exception analysis
Responsible Party: IT / Data Owners / Service Providers
Actions:
☐ Delete personal information from all systems where no exception applies
☐ Use appropriate deletion method based on system type:
| System Type | Deletion Method |
|---|---|
| Production databases | DELETE command, verify removal |
| CRM | Delete/anonymize record |
| Marketing systems | Unsubscribe and purge |
| Analytics | Delete/anonymize |
| Email archives | Delete from archive |
| File systems | Secure deletion |
| Cloud services | Delete per provider method |
| Backups | Delete from rotation OR anonymize in next backup cycle |
☐ Document deletion for each system:
| System | Data Deleted | Deletion Method | Deleted By | Date | Verified |
|---|---|---|---|---|---|
| ☐ | |||||
| ☐ | |||||
| ☐ |
STEP 6: SERVICE PROVIDER NOTIFICATION
Timeframe: Concurrent with internal deletion
Responsible Party: Privacy Team / Vendor Management
Actions:
☐ Identify all service providers with consumer's personal information
☐ Send deletion directive to each service provider:
| Service Provider | Contact | Notified | Confirmation Received |
|---|---|---|---|
| ☐ Date: _____ | ☐ Date: _____ | ||
| ☐ Date: _____ | ☐ Date: _____ | ||
| ☐ Date: _____ | ☐ Date: _____ |
☐ Use Service Provider Deletion Directive template (see Section 5)
☐ Track confirmation from each service provider
☐ Follow up if confirmation not received within 15 days
STEP 7: RESPONSE TO CONSUMER
Timeframe: Within 45 calendar days of request (or extended deadline)
Responsible Party: Privacy Team
Actions:
☐ Prepare response letter using appropriate template:
- Full deletion confirmation
- Partial deletion with exceptions explained
- Denial with reason
☐ Include required disclosures per applicable law
☐ Send response via verified contact method
☐ Document response sent
3.3 Timeline Summary
| Step | Timeframe | Cumulative Days |
|---|---|---|
| Intake | Day 0 | 0 |
| Acknowledgment | Within 10 business days | 10 |
| Verification | Within 5 business days of receipt | 5 |
| Data Discovery | Within 15 business days | 20 |
| Exception Analysis | Within 5 business days | 25 |
| Deletion Execution | Within 10 business days | 35 |
| Service Provider Notification | Concurrent | 35 |
| Response to Consumer | Within 45 calendar days | 45 |
Extension: Additional 45 days permitted when reasonably necessary (must notify consumer)
4. SPECIAL SCENARIOS
4.1 Household Requests
☐ Verify requestor has authority to request deletion for household
☐ Obtain consent from other household members if feasible
☐ Document basis for household authority
4.2 Authorized Agent Requests
☐ Verify agent authorization (written permission or power of attorney)
☐ Separately verify consumer identity
☐ Document agent verification
4.3 Employee/HR Data Requests
☐ Route to HR/Legal for review
☐ Consider employment law retention requirements
☐ Document employment-related exceptions
4.4 Data Subject is Deceased
☐ Verify identity of requestor and relationship to deceased
☐ Obtain death certificate or legal documentation
☐ Consult Legal on applicable law (some states extend rights to estate)
4.5 Legal Hold in Effect
☐ DO NOT DELETE data subject to legal hold
☐ Document that deletion was not completed due to legal hold
☐ Notify Legal
☐ Inform consumer that some data cannot be deleted at this time (without disclosing litigation details)
5. TEMPLATES
5.1 Service Provider Deletion Directive
[COMPANY LETTERHEAD]
DELETION DIRECTIVE TO SERVICE PROVIDER
Date: [DATE]
To: [SERVICE PROVIDER NAME]
From: [ORGANIZATION NAME]
Re: Deletion of Personal Information - Directive ID: [ID]
Pursuant to our Data Processing Agreement and applicable privacy law, we direct you to delete the following personal information:
Consumer Identifier: [ANONYMIZED IDENTIFIER OR ACCOUNT NUMBER]
Data to Delete:
- [SPECIFY DATA CATEGORIES]
Directive:
☐ Delete all personal information associated with the above identifier from your systems
☐ Do not retain copies except as required by law
☐ Confirm deletion within 15 calendar days
Compliance Required By: [DATE]
Please send written confirmation of deletion to [EMAIL].
Questions: Contact [PRIVACY CONTACT] at [PHONE/EMAIL].
Authorized By:
[NAME]
[TITLE]
5.2 Deletion Confirmation to Consumer
[See Data Subject Access Request Response Template for full response letters]
6. BACKUP AND ARCHIVE HANDLING
6.1 Production Systems
☐ Delete immediately from production systems
☐ Verify deletion through system query
6.2 Backup Systems
Option A: Delete from Backups
☐ If technically feasible, delete from backup media
☐ Document deletion from each backup set
Option B: Anonymize in Backup Rotation
☐ If deletion from backups is not feasible, ensure data is:
- Anonymized when backup is restored (if ever)
- Deleted when backup ages out of rotation
☐ Document backup retention schedule
☐ Ensure data is not restored from backup after deletion
Note: Under CCPA, deletion from backups is not required if:
- Backup system does not allow access to the specific data
- Data will be deleted when backup is accessed for restoration
6.3 Archive Systems
☐ Delete from active archives
☐ Document archive deletion
☐ Ensure archived data is not accessed after deletion
7. DOCUMENTATION AND RECORD KEEPING
7.1 Required Documentation
For each deletion request, maintain:
☐ Original request
☐ Verification documentation
☐ Data discovery results
☐ Exception analysis
☐ Deletion logs for each system
☐ Service provider notifications and confirmations
☐ Consumer response
☐ Processing notes
7.2 Retention of Deletion Records
☐ Retain deletion request records for 3 years
☐ Store in secure, centralized location
☐ Do not retain personal information in deletion records (use anonymized identifiers)
8. METRICS AND REPORTING
8.1 Metrics to Track
| Metric | Target | Actual |
|---|---|---|
| Requests received (monthly) | N/A | |
| Average response time | <45 days | |
| Requests completed on time | >95% | |
| Requests requiring extension | <10% | |
| Requests denied | Track | |
| Service provider compliance rate | 100% |
8.2 Reporting
☐ Monthly metrics to Privacy Officer
☐ Quarterly summary to Legal/Compliance
☐ Annual report to Executive team
9. ROLES AND RESPONSIBILITIES
| Role | Responsibilities |
|---|---|
| Privacy Team | Request intake, verification, coordination, response |
| IT | Data discovery, technical deletion, backup handling |
| Data Owners | Exception analysis, deletion approval for owned systems |
| Legal | Complex exception review, legal hold verification |
| Vendor Management | Service provider notification and follow-up |
| Customer Service | Initial request receipt, escalation |
10. ESCALATION
10.1 Escalation Triggers
☐ Consumer disputes denial
☐ Deadline at risk (>30 days elapsed)
☐ Legal exception unclear
☐ Service provider non-compliance
☐ Consumer complaint to regulator
10.2 Escalation Path
- Level 1: Privacy Team Lead
- Level 2: Chief Privacy Officer
- Level 3: Legal Counsel
- Level 4: Executive Leadership
DOCUMENT CONTROL
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | [DATE] | [NAME] | Initial version |
Approval:
| Role | Name | Signature | Date |
|---|---|---|---|
| Chief Privacy Officer | |||
| Legal Counsel |
This procedure is confidential and for internal use only. Questions should be directed to the Privacy Team at [EMAIL].
Need help customizing this document?
Get 3 days of intelligent editing. Tailor every section to your specific case.
About This Template
Jurisdiction-Specific
This template is drafted for general use across all U.S. jurisdictions. State-specific versions with local statutory references are also available.
How It's Made
Drafted using current statutory databases and legal standards for compliance regulatory. Each template includes proper legal citations, defined terms, and standard protective clauses.
Important Notice
This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.
Last updated: February 2026