CCPA and GDPR data removal: when the laws actually apply

Why your data is still online

Your data rarely comes from one source. A people-search site might pull your name and address from public records, buy an old marketing list, match it with app data, and copy details from another broker. Once that starts, the same profile can spread fast.

That is why one removal request usually does not clear everything. You can get one listing taken down and still find the same phone number or home address on several other sites a few days later. Some brokers buy from the same supplier. Others copy each other, keep old snapshots, or refresh their databases on a fixed schedule.

The cycle is fed by a mix of sources: public records where disclosure is allowed, apps and ad networks that collect contact details, loyalty programs, old lead lists sold from company to company, and broker databases that get copied and reposted later.

Republishing is another reason your data sticks around. A site may remove your page today, then rebuild it after the next data import. That can happen even when the first request worked. You opt out of one broker, and two weeks later the same age, address history, and relatives show up somewhere else.

CCPA and GDPR removal rights help, but they do not cover every site on the internet. Some companies are outside those laws. Some rely on exemptions tied to public records or other legal grounds. Some act only after extra identity checks. And some smaller sites make the process slow enough that people give up.

So when your data stays online, it does not always mean the request failed. More often, it means your information exists in many copies, moves between sellers, and gets posted again after the next refresh.

When CCPA applies

CCPA is mainly for California residents. If you live in California, you can often send a CCPA deletion request even when the company is based somewhere else. What matters is whether the business does business in California and falls under the law.

In plain English, CCPA usually applies to businesses that are not tiny. A company is more likely to be covered if it makes more than $25 million a year, handles personal data for a large number of people or households, or gets a large share of its income from selling or sharing personal data.

That is why CCPA often works well with data brokers, people-search sites, ad-tech firms, and larger online services. These companies collect or trade a lot of personal information, so they are much more likely to be covered.

A personal blog, a small local business site, or a hobby project is different. Even if it shows your name or an old page about you, CCPA may not apply. The site might be too small, outside the law's scope, or not operating as a covered business. That does not mean you are stuck. It just means you may need to use the site's own contact process, platform rules, or another privacy law.

This confuses people all the time: some companies offer a delete form, an account removal button, or a privacy email even when CCPA is not the reason. They may do it because it is simpler, because they also deal with California users, or because one process for everyone is easier to run.

If you are unsure, start with two questions. Are you a California resident? Does the company look like a business that handles personal data at scale? If the answer to both is yes, CCPA is more likely to fit. If not, removal may still be possible, just through a different route.

When GDPR applies

A lot of people think GDPR only covers companies in Europe. It does not. The law often applies when an organization collects or uses personal data about people in the EU or EEA, even if the company itself is based in the US or somewhere else.

What matters is the connection to people in Europe. If a site sells to customers in Spain, offers services to users in Germany, or tracks people in the EU for ads or analytics, GDPR may apply. A data broker with no office in Europe can still be covered if it builds profiles on people who live there.

The reason the company has your data matters too. GDPR gives you a right to erasure in many cases, but not every case. If a company kept your details for marketing, lead generation, or an old unused account, deletion is often a fair request. If it needs the data to finish a contract, prevent fraud, keep tax records, or meet another legal duty, it may keep some of it.

That is why deletion requests sometimes get a partial yes. A company might erase your marketing profile and stop using your data for ads, but still keep invoice records for the period the law requires. That can feel annoying, but it is normal under GDPR.

A simple example makes this clearer. Say you signed up for a newsletter while living in Ireland and later asked to be removed. If the company only used your email for marketing, it usually has a weak reason to keep it. If you bought something, it may delete your account details while keeping a receipt or payment record it must retain.

Some uses tied to public interest can also limit deletion. News archives, legal claims, scientific research, and some health or government records can fall into special categories. GDPR is strong, but it is not a universal delete-everything button.

What these laws let you ask for

The most useful part of CCPA and GDPR is not the legal wording. It is that you can ask direct questions about your data and, in many cases, make a company act.

You can usually ask what personal data the company has about you. That can include your name, old addresses, phone numbers, email addresses, age range, relatives, job history, and other profile details. You can often ask where they got it and, in some cases, who they shared it with. If a broker built a profile on you, this is often the fastest way to see how much they know.

You can also ask for deletion. Under CCPA, people usually call this a CCPA deletion request. Under GDPR, it is often called the right to erasure. The idea is similar: if the company does not need the data for a valid reason, you can ask it to remove it. That does not always mean every record disappears right away. Some businesses can keep certain records for fraud checks, taxes, contracts, or other legal duties.

Another common request is to stop the sale or sharing of your data where the law gives you that right. This matters most with data brokers, ad-tech firms, and people-search sites. If they stop selling your data but keep the profile internally, that is better than nothing. Deletion is still the cleaner outcome when you can get it.

You may also be able to correct wrong or outdated details. That sounds minor, but it matters. An old address, a wrong age range, or a mixed-up relative can make your profile easier to find and harder to remove later.

One thing slows people down all the time: identity checks. Some companies act after you click a link in an email. Others want a masked ID, a signed form, or proof of address. If they cannot match you to the right record, they may pause the request or reject it.

How to send a removal request

Most privacy requests fail for boring reasons. They go to the wrong inbox. They do not match the data a company has on file. Or they ask for five different things at once in a messy way. A clean request usually gets a better result.

Start with the company's privacy page. Many sites have a form for deletion, access, correction, or opt-out requests. If they do not, look for a privacy contact email or a support address that handles personal data requests.

When you write the request, use the details the company is most likely to have. That usually means your full name, current and past email addresses, phone numbers, and any home addresses you used when the record may have been created. If a broker has your old apartment address but you only send your current one, it may say it cannot find you.

Keep the wording plain. State the action you want, mention the law only if it fits, and include the details they can match to your record. If they ask for proof, send only what they asked for and cover anything they do not need. Save screenshots, dates, case numbers, and every reply.

A simple message is enough: please delete my personal information from your records and confirm when this is done. If the listing is wrong, say what needs to be corrected. If you only want them to stop selling or sharing data, say that instead of asking for full deletion.

Be careful with identity documents. Some companies ask for too much. If verification is required, send the minimum that satisfies the request. Do not attach extra documents just in case. More paperwork creates a new privacy problem.

It also helps to keep one note with the date sent, where you sent it, and what they answered. That sounds basic, but it saves time later. If the company asks you to resubmit, claims it never got the request, or closes the case without action, your notes make follow-up much easier.

A simple example

Sarah searches her name and finds a data broker page with her phone number and a few old addresses. She lives in California, so she starts with a CCPA deletion request. She asks the broker to delete her personal data and stop selling or sharing it.

The reply is not dramatic. It is just paperwork. One broker removes the listing within a few days. Another asks for proof of identity.

That difference is normal. Some companies accept a basic email request. Others want a masked ID, a signed form, or confirmation from the same email address used in the request. It can feel slow, but it does not always mean the request failed.

Sarah also finds a separate company in Europe showing old contact details in a people-search style listing. For that one, she sends a GDPR right to erasure request. She is asking the company to erase personal data that should not stay public.

The European company replies faster than she expected. It removes the public page, then sends a short note saying some internal records may stay on file if the law requires them for billing, fraud checks, or other legal reasons. That is common. Public removal and full internal deletion are not always the same thing.

What makes Sarah's follow-up easier is her recordkeeping. She notes the company name, the page title or listing address, the date she sent the request, any ID or form the company asked for, and the date for her next follow-up. So when one site asks again for the exact listing and a clearer copy of her ID, she does not need to dig through old emails. She sends the missing details in a few minutes.

That is what this process usually looks like in real life. One request works fast. Another needs manual privacy follow-up. The law gives you a path, but each company still runs its own process.

Why some sites still need manual follow-up

Even with CCPA and GDPR, one request is not always enough. Some sites remove the public page quickly, but the record still sits in an internal database. If a fresh data feed arrives later, the same profile can come back.

A lot of this comes down to process. Some companies still handle privacy requests by email only. That sounds simple, but it often means slower replies, lost messages, and no clear status page. You may need to send a second message, quote the first one, and ask for a direct answer on whether the record was removed, suppressed, or simply hidden.

Matching your request to the right person can also slow things down. If the company cannot confidently match your name, address, age, or old phone number to a profile, it may ask for more proof. That is common. The tricky part is giving enough to confirm your identity without sending more personal data than necessary.

Manual follow-up often means replying to a request for more proof, sending the exact listing again, asking whether the public page is gone or the record was fully deleted, and checking back a few weeks later for re-listing. If the profile returns with slightly different details, you may have to reopen the case.

Sometimes only the page disappears. The company may keep the data in the background for legal, fraud, accounting, or suppression reasons. In some cases, that is allowed. A broker might keep the minimum needed to make sure it does not publish you again. That is very different from keeping a public people-search profile live.

Fresh data is another common problem. Many brokers buy or receive new records from partners on a regular cycle. So a successful data broker opt out today does not guarantee the profile stays gone next month.

That is why follow-up matters. If a profile returns, send the new listing details, include the old case information, and ask the company to remove the source record as well as the public page.

Mistakes that slow things down

Most delays are ordinary, not legal. A company may be willing to process your request, but it gets stuck because it cannot match the record or because the request was sent the wrong way.

One common mistake is sending the wrong request type. If you want a listing removed, an access request or a marketing opt-out may not fix that listing. Some sites split requests into separate forms for deletion, suppression, and 'do not sell' choices. Pick the one that matches the problem or you can lose a week in back-and-forth emails.

Another slow-down is using an email address the company does not recognize. If the broker has you under an old personal email but you write from a new work address, it may not find the record right away. Then it asks for more proof before doing anything.

Too little detail causes the same mess. A note that says remove my data sounds clear, but a reviewer may have no idea which record is yours, especially if your name is common. It helps to include the profile details you can see, such as your full name, any aliases, the city or past address shown in the listing, and the email or phone number tied to the record. If you have the listing address or a screenshot, include that too.

People also overshare. Some sites ask for proof of identity, but many do not need a full passport or driver's license upload. Sending extra ID rarely speeds things up, and it creates a new privacy risk. If a site asks for verification, send only what it asks for. If the form allows it, cover anything unrelated.

One more problem is easy to miss: the reply lands in spam. A lot of CCPA deletion request and GDPR right to erasure cases stall because the company sent one follow-up question and never got an answer. Check spam, promotions, and trash for several days after you submit the request.

If the company gives you a case number, save it. That one habit makes follow-up much easier.

Before you send anything

A little prep saves time. Most failed requests do not fail because the law is weak. They fail because the request is vague, missing proof, or sent under the wrong law.

Before you send anything, match the law to both you and the company. CCPA usually applies to covered businesses that deal with California residents. GDPR usually applies when your data is handled in ways covered by EU or UK privacy rules. If you are not sure, check the company's privacy page and your own location first.

Then capture the profile exactly as it appears right now. Copy the full name, age range, city, phone number, relatives, past addresses, and any listing number or profile ID. These pages change often. If the page is edited or removed later, you still have a record of what you asked them to delete.

Save a screenshot, but keep it tight. A good screenshot shows the listing, the site name, and the date if possible. A bad one includes open tabs, your inbox, or unrelated account details. Share the least amount of personal data needed to prove the request.

Decide in advance what proof of identity you are willing to provide. This is where many people hesitate, and for good reason. Some sites ask for too much. If a site wants a government ID, ask whether it accepts a masked copy. You can often hide the ID number or photo if it only needs your name and address. If the request feels excessive, stop and check the site's policy before you send anything.

This prep work is not exciting, but it makes removal much smoother. It also gives you a clean paper trail if you need to follow up a week later.

What to do next

Start where the risk is highest. If a broker shows your home address, phone number, or relatives, move that site to the top of your list. Those details are usually more urgent than an old employer or a rough age range.

Do not send dozens of requests at once. Start with a small batch, maybe five to ten sites, and see what happens. Some will remove a profile after one form. Others will ask for extra proof, a screenshot, or a reply from the same email address. That first round tells you which sites are easy and which ones will need more time.

Keep a simple log from day one. A spreadsheet, notes app, or plain text file is enough. Track the site name, when you sent the request, what proof they asked for, the current status, and when you checked again. After a week or two, it gets surprisingly easy to forget which broker replied, which one ignored you, and which one asked for more documents.

Also assume some removals will not last forever. Data broker opt out requests often work, but records can come back after a database refresh, a new data sale, or a profile merge. Check again later, especially on the sites that had your address or phone number.

If you do not want to manage all of this by hand, Remove.dev can handle removals across more than 500 data brokers, track each request in a dashboard, and keep monitoring for re-listings after a record is removed. For people who have already found their data on multiple sites, that can cut down a lot of repetitive follow-up.

The practical plan is simple: remove the most exposed records first, test a small batch, track every reply, and keep going until each case is actually closed.