The California Consumer Privacy Act (CCPA) dramatically changed the regulatory landscape for privacy in the United States. Among the CCPA’s many requirements is the right to delete (sometimes called the right of erasure or the right to be forgotten). Businesses must Comply With Consumers' Right to Delete Their Data » What is CCPA? Explore California's data privacy laws↗
Deleting Consumers' Data
According to the CCPA, if a customer requests that their personal information be deleted, a business must:
- Fully and permanently delete all personal data from its existing systems, except for backup or archival systems
- De-identify any personal information
- Aggregate the consumer information
The CCPA classifies deidentified information as “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.” Therefore, a company must adopt technical protections to prevent consumer reidentification and Comply With Consumers' Right to Delete Their Data The following practices can help ensure hassle-free deletion of customer data.
Provide Multiple Request Methods
Businesses must provide customers with two or more ways to submit requests to delete. The acceptable methods are:
- A toll-free phone number
- An easily accessible link or web form on the business's website
- A designated email address
- A form to be submitted in person
- A form to be submitted by mail
Validate Requests
When a request is received, the company must verify that the person making the request is the customer about whom the company has personal information. Businesses can ask the requester for more details to verify their identity, provided the business clarifies they will only use this information for the specific verification. » How do customers verify their identity? Discover different methods to verify user identity for DSARs↗
Establish Data Deletion Method
To comply with the CCPA, companies should review all aspects of their data deletion processes. It's also a good idea to create a handbook containing the approved ways of communicating a deletion request.
Stay Inside the Timeline
Businesses have ten days to acknowledge a request and 45 days to verify it. This duration may be prolonged by 45 days in case of complexity and volume. They must also notify the consumer within 45 days of accepting the verified request.
Constant and Clear Communication
Companies must ensure they stay in constant contact with the customer throughout the whole process regarding acknowledging receipt of the request, confirming what action will be taken, and informing when the request has been completed. Companies must also inform any third parties that may be affected by this data deletion.
Conclusion
Manually enforcing the right to delete can cost organizations a lot of time and money, especially for those with complicated or outdated systems. There is also the possibility of noncompliance due to human error. Therefore, many businesses opt to use automated solutions and methods like pseudonymization and de-identification↗ for improved compliance. » Looking for a data privacy solution? Explore PieEye's products↗
How Third-Party Integrations Complicate Deletions
Your eCommerce stack likely includes dozens of tools beyond your core platform. If you use Shopify, you probably have Klaviyo for email marketing, Meta Pixel for ad tracking, Google Analytics for traffic insights, and payment processors like Stripe. Each of these systems stores personal data about your customers—and CCPA deletion requests must reach all of them.
When a customer submits a deletion request, your obligation doesn't stop at your own database. You must also coordinate deletions across every vendor that has received their data. This is where most eCommerce brands stumble. You might delete a customer from Shopify, but if their email and purchase history remain in Klaviyo, you're still not compliant.
Start by mapping your data flows: Which tools receive customer names, emails, phone numbers, or purchase history? Create a spreadsheet documenting each integration and its deletion process. Some platforms have API endpoints for deletion; others require manual CSV uploads or support tickets. The disconnect between these systems is a major compliance risk.
Your vendor agreements (often buried in Terms of Service) should explicitly state their deletion obligations. If a vendor can't delete data within your 45-day timeline, you need to know that upfront. Some platforms like Meta have specific processes for pixel data deletion that differ from standard DSAR requests. Building relationships with your vendor support teams now prevents scrambling during an actual deletion request.
Handling Deletion Requests from Third Parties
Sometimes customers don't contact you directly—they file deletion requests through regulators or complaint platforms, or they use a privacy rights service that submits requests on their behalf. These third-party requests can arrive as formal letters or automated submissions, and they're just as legally binding as a request submitted through your website form.
You still have the same 10-day acknowledgment and 45-day completion timeline. The challenge is that you may not have direct contact with the requester to verify their identity. The CCPA allows you to ask for reasonable verification information, but you must document what verification you requested and why—especially if the request came from a third party.
Set up a process for receiving and tracking these external requests. If you receive a deletion request via email from a privacy service, respond immediately confirming receipt and outlining your timeline. Keep copies of everything. This documentation becomes critical if a regulator later questions whether you complied.
Balancing Deletions With Legitimate Business Records
One CCPA compliance pitfall is over-deleting. The law requires you to delete personal information, but it also allows you to retain data when you have a legal obligation to keep it. For eCommerce brands, this means you may need to preserve customer data for tax compliance, fraud prevention, or order dispute resolution.
You can't delete a customer's name and address if you need those records for a tax refund. You can't scrub payment history if you're being audited. The key is distinguishing between what you must delete and what you can legally retain.
Document your retention policies in writing. When you respond to a deletion request, explain any data you're keeping and why—tax records, chargeback documentation, or legal holds. This transparency protects you both legally and reputationally. Customers understand that some data retention is legitimate; what matters is that you're honest about it.
Without a centralized system to track requests and coordinate deletions across your vendor ecosystem, even the best intentions lead to missed deadlines and incomplete compliance. Automating your DSAR workflow across Shopify, email platforms, and ad networks removes the coordination burden and ensures nothing falls through the cracks.