In February, Whitney Merrill, a privacy attorney who lives in San Francisco, asked audio-chat company Clubhouse to disclose how many people had shared her name and phone number with the company as part of its contact-sharing feature, in hopes of getting that data deleted.
Only after that, and weeks after the California Consumer Privacy Act’s 45-day deadline for companies to respond to data deletion requests, Clubhouse responded and complied with her request to delete her information, Merrill said.
“They eventually corrected it after a lot of pressure because I was fortunate enough to be able to tweet about it,” she said.
The landmark California Consumer Privacy Act (CCPA), which went into effect in 2020, gave state residents the right to ask companies to not sell their data, to provide a copy of that data or to delete that data. Virginia and Colorado have also passed consumer privacy laws, which go into effect in 2023.
As more states adopt privacy legislation — Massachusetts, New York, Minnesota, North Carolina, Ohio and Pennsylvania may be next — more of us will get the right to ask for our data to be deleted. Some companies — including Spotify, Uber and Twitter — told us they already honor requests from people outside California when it comes to data deletion.
But that doesn’t mean it always goes smoothly. Data is valuable to companies, and some don’t make it easy to scrub, privacy advocates say. Data deletion request forms are often tucked away, processes are cumbersome, and barriers to verifying your identity slow things down. Sometimes personal data is tied up in confusing legal requirements, so companies can’t get rid of it. Other times, the technical and personnel burden of data requests is simply too much for companies to handle.
Exercising CCPA rights can be an uphill battle, Consumer Reports found in a 2020 study involving more than 400 California consumers who submitted “do not sell my personal data” requests to registered data brokers. Sixty-two percent of the time, participants either couldn’t figure out how to submit the request or were left with no idea whether it worked.
It doesn’t bode well for data deletion, Maureen Mahoney, a Consumer Reports analyst, said. People have to verify their identities before companies can delete data, which poses an extra obstacle.
But that doesn’t mean it’s a lost cause. Many data deletion requests are successful, according to company metrics, and things get easier if you know where to look. Most companies are doing their best to figure out how to deal with patchwork privacy laws and an influx of data rights requests, Merrill said.
“We’ve grown much faster this year than we ever imagined, and since the spring have built a team to better handle the new scale of our user community,” Clubhouse spokeswoman Reema Bahnasy said, adding that the company’s current average CCPA response time is 10 days.
Data Deletion 101
What data can you actually request to delete?
When we say “your data,” we mean information like your name, phone number, email and home address. Some companies collect far more, like your age, gender, interests, real-time location, friends and behavior on apps and sites — and inferences about you based on those things.
All this data-sharing may feel harmless, but it creates problems when a company is hacked and your information falls into the wrong hands, or when companies use it to influence your spending and other decisions without your consent, privacy advocates say.
Under CCPA, businesses are supposed to provide at least one way for consumers to get in touch and ask for data deletion — that might be a phone number, online form, email address or paper form. Big companies that serve more than 10 million California consumers in a year are also supposed to disclose in their privacy policies how many requests to delete they’ve received during the previous calendar year and how many they’ve honored.
We checked the websites and privacy policies of 11 popular apps to see how easy it was to submit data deletion requests, and whether the companies disclosed the number of requests they’ve received. Of the 11, only one, Yelp, did not have a clear way to submit requests, and the company promptly fixed the problem after we pointed it out.
When it came to data deletion disclosures, things got dicier. The companies behind six of the 11 apps, including Southwest Airlines and Twitter, were not sharing how many requests they’d received and honored. Twitter said it plans to add the information.
“This information will be included in a future update and will provide the number of requests we receive on a global basis as these are tools we provide to every person who uses our service,” Twitter spokeswoman Katie Rosborough said.
Southwest Airlines declined to comment.
How to submit a data deletion request
If our 11 apps are any indication, companies are doing a good job providing forms or email addresses where you can ask for data deletion. Finding those forms and addresses isn’t exactly intuitive, but the process tends to look similar across websites.
First, go to the company’s website and scroll down to the very bottom of the homepage. There will probably be a link that says something like “privacy,” “privacy policy,” “CCPA” or “your California privacy rights.”
Click the link, and you should find yourself on a page dedicated to privacy or CCPA. (CCPA pages often show up for all site visitors, because building different websites for different people would require a lot of extra work for companies.)
Scroll until you find references to data deletion, or use CTRL+F to search for the word “delete.” The company will probably list either an email address for a data protection, privacy or legal department — or provide a form you can fill out online.
If the form doesn’t specifically reference data deletion, that’s okay. Include “data deletion request” somewhere prominent, like the subject line, if there is one, and let the company know you are happy to verify your identity. Hayley Tsukayama, a legislative activist at digital rights advocacy group Electronic Frontier Foundation (EFF) and former reporter at The Washington Post, suggested referencing your CCPA rights in the request, as well.
CCPA gives companies 45 calendar days to respond to your initial deletion request. The company will probably ask for you to send over additional information or set up an appointment to verify your identity — that’s so no one can pretend to be you and steal or delete your data. To verify, you may need to confirm your account username and password, provide a piece of data like your phone number for the company to cross-check, or, rarely, show your government-issued ID. You should never be required to set up an account to get your data deleted, according to CCPA.
Fielding data deletion requests isn’t easy, Merrill said, so make sure to keep your tone friendly and respond to any verification requirements as quickly as possible.
What if I don’t live in California?
Only California residents have the right to data deletion under CCPA. (Why companies have the right to your data and you do not is another story. And here’s another. And another.)
But some companies have said they’ll honor deletion requests no matter where you live. Spotify, Uber and Twitter said they treat deletion requests from any geographic location the same. Netflix, Microsoft, Starbucks and UPS have also said they’ll extend CCPA rights to all Americans.
Extending CCPA rights to all consumers is one way companies can practice “privacy by design,” Merrill said, adding that the security industry has set a good example by taking steps to protect consumers beyond what’s immediately necessary or legally required.
“Privacy is still in the nascent stages of shaking this out: What are the core, top 10 things that you need from a privacy perspective, whether or not the law requires it?” she said.
Does submitting a request mean my data will get deleted?
Nope. Deletion requests are subject to some broad exemptions. Some companies — like financial services — have to hold on to certain data for legal compliance and reporting. The CCPA also allows companies to keep your data if they’re using it for security, debugging or fraud protection, or “to enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.” Language that slippery is easy to exploit, Consumer Reports’s Mahoney said.
Sometimes, the difference between data that’s eligible for deletion and data that isn’t gets murky. Eddie Lo, a tech worker in San Francisco, felt frustrated and confused, he said, when just days after going through the identity-verification process with financial services app Ellevest and requesting that the company delete his data, he received what appeared to him to be a marketing email asking him to update his data on file with the company.
Turns out, sending emails to people who have asked for their data to be deleted could be within Ellevest’s rights and responsibilities as a financial services company.
Ellevest Director of Client Experience Patricia Selwood said that the email Lo received was “transactional,” not marketing, and that the company acted in accordance with the law.
Lo said the whole process felt like an exercise in futility.
Additionally, CCPA doesn’t require companies to delete personal data that has been aggregated or “de-identified.” That means if they combine your data with data from other people in a way that obscures which data comes from whom, they’re allowed to keep it.
But according to the EFF’s Tsukayama, de-identified personal data is an oxymoron. She pointed to studies — like this one from researchers in Europe — that have found ways to re-identify large percentages of individuals in anonymized data sets.
Some particularly shady companies use a design technique called “dark patterns” to discourage customers from accessing and deleting their data, Tsukayama said. You’re probably familiar with dark patterns from those pop-ups on shopping sites that try to strong-arm you into providing your email address, with options like, “Yes, I want emails,” or “No, I’d like to remain ignorant of important sales and promotions.”
Other companies ignore requests, hide forms or require unreasonable proof of identity — one company in Consumer Reports’s data opt-out study asked a participant to submit a notarized affidavit, Mahoney said.
If you think a company is shirking its CCPA responsibilities, you can report it to the California attorney general here. Tagging companies on social media is another good way to call attention to problems, said Mary Stone Ross, who helped author CCPA while serving as president of the advocacy group Californians for Consumer Privacy.
“I’m all for public shaming,” she said. “Twitter is a great place to call out these companies.”
Can’t somebody do this for me?
Actually, yes. The CCPA allows for an authorized agent to submit requests on your behalf — they just have to prove they have your permission. Consumer Reports is working on a tool that could submit mass “do not sell” opt-outs on behalf of California residents, said Mahoney and Yael Grauer, a reporter at the publication. If you’ve got some technical savvy, the open-source tool Privacy Bot can send mass data deletion requests from your email address.
Some browsers and extensions — including Brave and Duck Duck Go — include a signal called Global Privacy Control, which sends your “do not sell” preference directly to websites you visit. Companies have been slow to honor the signal, Mahoney and Grauer said, but the California attorney general’s office makes clear in its CCPA FAQs that businesses must treat Global Privacy Control as a valid opt-out request. That said, many companies still choose to ignore it, according to Stone Ross.
Wait — this all seems inefficient.
Oh, it is.
Companies you use — and even ones you’ve never heard of — are vacuuming up your data all day long, privacy advocates say. It would be impossible to send a deletion request to every company that’s ever gotten its hands on your phone number, for instance, because there’s no way to know who has it.
A more effective approach, privacy attorney Merrill said, may be to focus on opting out of the sale of your data. You can do that by submitting “do not sell” requests, usually in the same place you’d submit deletion requests, or through a “do not sell my personal data” link on the company’s website. It’s the difference between addressing data collection in the present and managing it for the future, she said, describing a hypothetical scenario where a company deletes your data just to purchase it all again from a third party.
Companies aren’t obligated to honor these requests from people outside California, but plenty do, Consumer Reports’s Grauer said. Don’t lie about where you live, she advised, but feel free to leave the field blank and see what happens.
Ultimately, your approach to data deletion will depend on your concerns, Grauer said, whether that’s identity theft, targeted content, stalking, security breaches or other issues that come with rampant data sharing.
Stricter protections for consumers would make this all less complicated, Mahoney and Grauer said. But policymakers would have to step in.
“I think it’s the early days, and I am hoping that processes improve over time and there will be more solutions developed to make it easier for consumers to exercise their right to delete,” Mahoney said.
