Last updated: March 16, 2026

Send formal deletion requests explicitly referencing applicable state laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA) even to non-GDPR/CCPA companies, as many voluntarily comply. If companies refuse, escalate to state attorneys general, the FTC, or BBB. For companies beyond legal reach, minimize future data sharing through temporary emails, pseudonyms, and privacy tools, or pursue small claims court for significant violations.


Understanding the Data Protection Gap

When GDPR and CCPA don’t apply to a company, your personal data rights become significantly limited. GDPR covers companies with EU connections: those offering goods or services to EU residents, or monitoring their behavior. CCPA applies primarily to for-profit businesses that meet specific thresholds (more than $25M in revenue, data on more than 100K consumers, or 50%+ of revenue derived from selling personal data).

This leaves a massive gap. Many US-based companies, startups, small businesses, and organizations operating outside these jurisdictions collect and store your personal information without legal obligation to delete it when you request.

For developers and power users, this means building automation around data deletion requests requires understanding both legal frameworks and practical API-driven approaches.

What Data Companies Typically Hold

Before requesting deletion, understand what companies might have:

Automating Data Discovery with Developer Tools

Power users can script discovery of where their data lives:

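#!/bin/bash
# Search for account data across known services
# Script to check known data broker registrations
#
# The URL pattern below is a placeholder: each service has its own domain,
# API path and API-key requirements. Replace it with the service's documented
# endpoint before sending your address anywhere.

EMAIL="your@email.com"
SERVICES=("haveibeenpwned" "dehashed" "breachdirectory" "passwordscanner")

for service in "${SERVICES[@]}"; do
    echo "Checking $service for your email..."
    # -f makes curl fail on HTTP errors so jq is not fed an error page
    curl -sf "https://$service.org/api/$EMAIL" | jq '.' \
        || echo "No usable response from $service" >&2
done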

Step-by-Step Method to Request Data Deletion

Step 1 - Identify the Company and Their Privacy Practices

First, locate the company’s privacy policy. Search for terms like:

Check if they have:

Step 2 - Draft Your Data Deletion Request

Create a clear, formal request. Include:

Subject - Data Deletion Request - [Your Account Email/ID]

To the Privacy Team at [Company Name],

I am requesting the deletion of all personal data your company holds about me.

Account identifier - [Your email or username]
Registered name - [Your full name if known]
Account created - [Approximate date if known]

This request is made under [applicable law if any, e.g., California Civil Code § 1798.105, or as a general privacy request].

Please confirm receipt of this request and provide a timeline for deletion.

Sincerely,
[Your Name]
[Your Email]
[Your Address]

Step 3 - Send the Request Through Multiple Channels

Step 4 - Follow Up

Alternative Strategies

State-Level Privacy Laws

Beyond CCPA, several US states have enacted privacy laws:

Check whether the company operates in these states; it may still honor deletion requests.

Industry-Specific Regulations

Certain industries have their own data protection rules:

Programmatic Deletion Requests

For developers building privacy tools, here’s a Python template for managing deletion requests:

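import os
import smtplib
import ssl
from email.mime.text import MIMEText
from datetime import datetime

class DataDeletionRequest:
    def __init__(self, email, company_config):
        self.email = email
        self.company = company_config['name']
        self.contact = company_config['contact']
        self.sent_date = None

    def generate_request_email(self, subject, body_template):
        # body_template uses {email} as the placeholder for the account address
        msg = MIMEText(body_template.format(email=self.email))
        msg['Subject'] = subject
        msg['From'] = self.email
        msg['To'] = self.contact
        return msg

    def send_via_smtp(self, msg, smtp_config):
        with smtplib.SMTP(smtp_config['host'], smtp_config['port']) as server:
            # Verify the server certificate before sending credentials
            server.starttls(context=ssl.create_default_context())
            server.login(smtp_config['user'], smtp_config['pass'])
            # Send request
            server.send_message(msg)
            self.sent_date = datetime.now()

# Usage
companies = [
    {'name': 'Company A', 'contact': 'privacy@companya.com'},
    {'name': 'Company B', 'contact': 'dpo@companyb.com'},
]

# Placeholder SMTP settings; the password is read from the environment
# rather than stored in the script.
smtp_config = {
    'host': 'smtp.example.com',
    'port': 587,
    'user': 'your@email.com',
    'pass': os.environ.get('SMTP_PASS', ''),
}

for company in companies:
    request = DataDeletionRequest('your@email.com', company)
    # Send deletion request
    msg = request.generate_request_email(
        'Data Deletion Request',
        'I am requesting the deletion of all personal data held for {email}.',
    )
    request.send_via_smtp(msg, smtp_config)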
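
The following is an added example, not part of the original template: it builds the formal request with the state law named in the subject, rejects line breaks in user-supplied fields so they cannot inject extra mail headers, and returns a record with the 30-day follow-up date and a hash of the body for your files. The `build_request` function, the record fields and the state-abbreviation keys are assumptions made for illustration.

```python
import hashlib
from datetime import date, timedelta
from email.message import EmailMessage

# State laws named on this page, keyed by postal abbreviation (keys are added here).
STATE_LAWS = {"VA": "Virginia VCDPA", "CO": "Colorado CPA", "CT": "Connecticut CTDPA",
              "UT": "Utah UCPA", "TX": "Texas TDPSA"}

# Shortened form of the page's formal letter; the 30-day window comes from it.
BODY = """To the Data Protection Officer:

This letter constitutes a formal request to delete all personal information you maintain about me.

Identifying Information:
- Email: {email}
- Name: {name}

I request that you:
1. Delete all personal data within 30 days
2. Confirm deletion in writing
3. Notify any third parties with whom you've shared my data
"""

def build_request(email, name, contact, state, sent_on):
    """Return (message, record) for one formal deletion request."""
    for value in (email, name, contact):
        # Reject line breaks so a field cannot smuggle in extra headers or text.
        if "\r" in value or "\n" in value:
            raise ValueError("line break in request field")
    law = STATE_LAWS.get(state.upper(), "applicable privacy law")
    msg = EmailMessage()
    msg["Subject"] = f"Formal Data Deletion Request Under {law}"
    msg["From"] = email
    msg["To"] = contact
    msg.set_content(BODY.format(email=email, name=name))
    # Record for your own files: what was sent, to whom, and when to follow up.
    record = {
        "contact": contact,
        "law": law,
        "sent": sent_on.isoformat(),
        "follow_up": (sent_on + timedelta(days=30)).isoformat(),
        "sha256": hashlib.sha256(msg.get_content().encode()).hexdigest(),
    }
    return msg, record

if __name__ == "__main__":
    _, rec = build_request("your@email.com", "Jane Doe", "privacy@companya.com",
                           "VA", date(2026, 3, 16))  # constructed sample values
    print(rec)
```

The returned message can be passed to `smtplib`'s `send_message`, and the record appended to whatever log you keep of sent requests.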

Direct Technical Methods

Where legal requests fail, technical options exist:

Minimize data shared:

Use privacy tools:

Data Breach Leverage

If the company has experienced a data breach, use this as leverage. Under many state laws, companies must maintain specific security practices. A breach history may encourage compliance.

What to Do If They Refuse

Document Everything

Keep records of:

File Complaints

Consider Legal Action

Small claims court is an option for significant data mishandling:

Template Collection

Simple Deletion Request Email

Subject - Account Deletion Request

Hello,

Please delete my account and all associated personal data.

Email - [your@email.com]
Username - [your-username]

Regards,
[Your Name]

Formal Legal-Style Request

Subject - Formal Data Deletion Request Under [State Law]

To the Data Protection Officer:

This letter constitutes a formal request to delete all personal information you maintain about me.

Identifying Information:
- Email: [email]
- Account ID: [if known]
- Name: [name]
- Address: [address]

I request that you:
1. Delete all personal data within 30 days
2. Confirm deletion in writing
3. Notify any third parties with whom you've shared my data

If you cannot fulfill this request, please provide the specific legal basis for refusal.

[Your signature]
[Date]

GDPR-Style Request (Even for Non-Covered Companies)

Subject - Data Subject Access Request and Deletion Request

To Whom It May Concern:

Regardless of whether your organization falls under GDPR jurisdiction, I formally request:

1. Access to all personal data you hold about me
2. Correction of any inaccurate data
3. Deletion of all personal data (right to erasure)
4. Portability of my data in machine-readable format

I reserve all rights under applicable privacy laws and expect good-faith compliance.

[Your details]

Frequently Asked Questions

How long does it take to request data deletion from companies not covered?

For a straightforward setup, expect 30 minutes to 2 hours depending on your familiarity with the tools involved. Complex configurations with custom requirements may take longer. Having your credentials and environment ready before starting saves significant time.

What are the most common mistakes to avoid?

The most frequent issues are skipping prerequisite steps, using outdated package versions, and not reading error messages carefully. Follow the steps in order, verify each one works before moving on, and check the official documentation if something behaves unexpectedly.

Do I need prior experience to follow this guide?

Basic familiarity with the relevant tools and command line is helpful but not strictly required. Each step is explained with context. If you get stuck, the official documentation for each tool covers fundamentals that may fill in knowledge gaps.

Can I adapt this for a different tech stack?

Yes, the underlying concepts transfer to other stacks, though the specific implementation details will differ. Look for equivalent libraries and patterns in your target stack. The architecture and workflow design remain similar even when the syntax changes.

Where can I get help if I run into issues?

Start with the official documentation for each tool mentioned. Stack Overflow and GitHub Issues are good next steps for specific error messages. Community forums and Discord servers for the relevant tools often have active members who can help with setup problems.
