Privacy & Data · UK, EU & US

How to Request Any Company Delete Your Personal Data (GDPR Right to Erasure and CCPA, Explained Separately)

Signing up for something online doesn't hand your data over permanently. Under both UK/EU data protection law and California's privacy law, you have a legal right to ask a company to delete what it holds about you — but these are two different laws with different deadlines and different rules about who they even apply to, and treating them as interchangeable is where this kind of request usually goes wrong.

UK/EU: the GDPR right to erasure (Article 17)

Under UK GDPR (and the equivalent EU GDPR), you can request erasure of your personal data, and a company must comply within one calendar month — extendable by up to two further months for genuinely complex requests. This applies in specific circumstances: the data is no longer needed for its original purpose, you've withdrawn consent, or you've objected to it being used for direct marketing, among others.

It's not unconditional. A company can lawfully refuse if it has a legal obligation to retain the data (tax or accounting records, for example), needs it to establish or defend a legal claim, or the data supports public-interest archiving or freedom of expression. If they refuse, they must tell you why in writing and inform you of your right to complain to the ICO or take the matter to court.

California: the CCPA right to delete — a different law, a different deadline

California's Consumer Privacy Act gives California residents a similar but legally distinct right to delete. Two important differences from GDPR:

Who to actually contact — it's often not a "DPO"

Not every company has a formal Data Protection Officer — under GDPR, a DPO is only legally required for public authorities, or companies doing large-scale monitoring or large-scale processing of sensitive data. For most everyday businesses, use whatever privacy contact is listed in their privacy policy — often a general privacy or support email rather than a named DPO. Addressing a request to "the Data Protection Officer" when no such role exists at that company won't invalidate your request, but don't assume the title exists everywhere.

What to actually write

"I am exercising my right to erasure under Article 17 of the UK GDPR [or: my right to delete under the CCPA]. Please delete all personal data you hold about me, including my account details, transaction history, and any tracking or marketing data, and confirm in writing once this is complete. If any part of this request cannot be fulfilled, please explain which specific exemption applies."

That last line matters — asking them to specify the exact exemption if they refuse makes a vague "we can't do that" response much harder to give you, and creates a clearer paper trail if you need to escalate.

What "erasure" realistically covers

A compliant company should also inform any third parties it shared your data with about the erasure, so they can delete their copies too — but only if this is possible without disproportionate effort, which is a genuine (if sometimes convenient) escape valve for larger organisations. Deletion from live, active systems is the realistic expectation; complete removal from every historical backup on the same day is not always how this plays out in practice, though the data shouldn't be actively used or restored for ordinary purposes afterward.

If the deadline passes with no action

Keep a dated record of your original request. If the company misses its deadline (30 days for GDPR, 45 for CCPA) without a valid exemption cited in writing, escalate: