Last updated 2026-07-11

TL;DR
Under the California Consumer Privacy Act, California residents can demand you delete their personal information, including phone numbers on your calling lists. You have 45 days to respond and must purge the data unless a legal exemption applies. Fines run up to $7,500 per intentional violation. This guide walks through every step of the process.
What does CCPA actually require for data deletion?
The California Consumer Privacy Act, codified at Cal. Civ. Code sections 1798.100 through 1798.199, gives California residents the right to request that a business delete personal information it has collected about them [1]. A phone number is personal information under the statute. So is a name, email, address, or any identifier that can be linked to a specific person. Your calling list is not exempt just because it looks like a plain spreadsheet of digits.
The law requires a business to delete the consumer's personal information from its records and to direct any service providers or contractors that hold the same data to do the same [1]. That second part trips up a lot of teams. If you use a CRM, a dialer platform, a data broker list you licensed, or a lead vendor, each of those downstream holders is in scope the moment you get a valid deletion request.
Businesses that qualify as "data brokers" under Cal. Bus. & Prof. Code section 1798.99.80 have extra annual registration and deletion obligations specific to that category [2]. But even a regular outbound sales team buying leads has to follow the standard CCPA deletion rules once it crosses the thresholds explained below.
Does CCPA apply to my business?
CCPA, as amended by the California Privacy Rights Act (CPRA) effective January 1, 2023, applies to for-profit businesses that do business in California and meet any one of three thresholds [1]:
- Annual gross revenues above $25 million
- Buy, sell, or share the personal information of 100,000 or more California consumers or households per year
- Derive 50 percent or more of annual revenue from selling or sharing consumers' personal information
The $25 million revenue bar sounds like a relief for small teams. The 100,000-record threshold is where most active outbound operations get caught. If your dialer touches a purchased list with more than 100,000 California numbers over a calendar year, you're covered no matter your revenue [1].
The law also covers businesses that control or are controlled by a business that meets these thresholds and share a common brand. A subsidiary of a large company doesn't get a pass just because the subsidiary itself is small [1].
Non-profits and government agencies generally aren't covered. Employee data and B2B contact information had limited exemptions under early CCPA, but those exemptions largely expired under CPRA. Treating every California contact as a covered consumer is the safer operating posture now [2].
| Threshold | Level | Notes |
|---|---|---|
| Annual revenue | Over $25 million | Any California-touching business |
| Records processed | 100,000+ consumers/year | The most common trigger for outbound teams |
| Revenue from data | 50%+ from selling/sharing data | Typically data brokers |
| CPRA effective date | Jan. 1, 2023 | Employee/B2B exemptions mostly expired |
What counts as a valid deletion request?
A deletion request is valid when it comes through a designated request method, the consumer can reasonably be verified, and it isn't entirely covered by an exemption. That's the whole test. You don't get to add extra requirements [1].
Businesses must provide at least two methods for submitting requests, one of which must be a toll-free telephone number [1]. Most outbound teams also set up a web form or a dedicated email address. California Privacy Protection Agency (CPPA) enforcement guidance is blunt on this: burying the request process inside a privacy policy with no working link, or a phone number that's always busy, is itself a violation [2].
Verification is the one place you get some flexibility. Cal. Civ. Code section 1798.130 lets you ask the consumer for information reasonably necessary to verify their identity, matched against data you already hold. For a calling list, that usually means confirming the phone number, a name, and maybe an email [1]. You cannot demand a notarized ID or a Social Security number for a routine deletion request. The CPPA's regulations at 11 CCR section 7060 lay out tiered verification standards based on how sensitive the data is [2].
If a request comes in and you can't verify the consumer after a good-faith attempt, decline to delete and tell them why, giving them a chance to resubmit with more information. Document that exchange. You'll want the paper trail if the CPPA comes asking.
How long do you have to respond to a deletion request?
The statute gives you 45 calendar days from the date you receive the request [1]. You can extend that by another 45 days if you notify the consumer within the first 45-day window and explain why you need the extra time. That's a one-time extension, not a rolling one.
The clock starts when the request arrives, not when you get around to opening it. If your deletion inbox sits unmonitored for two weeks, those two weeks still count. Assign someone to check that inbox on a set schedule, daily during heavy periods.
A 90-day window sounds generous until you remember you also have to notify every service provider and contractor downstream inside that same period. If your CRM vendor, dialer, and lead data warehouse each need separate instructions to purge the record, the coordination alone can eat the entire first 45 days when you haven't built the process in advance.
What are the valid exemptions to a deletion request?
CCPA doesn't require deletion in every case. Cal. Civ. Code section 1798.105(d) lists situations where you can keep the data despite a valid request [1]. For calling lists, four exemptions matter in practice.
Complete a transaction. If the consumer is in the middle of a purchase or contract you're executing on their behalf and the phone number is needed to fulfill it, you can keep the data for that purpose. Once the transaction is done, the basis disappears.
Legal obligation. Some regulated industries (financial services, healthcare) carry record-retention mandates from federal regulators. If a specific federal or state law requires you to keep the data for a set period, you can retain it for that period, but only for that compliance purpose, not for future calling [1].
Security. If deleting the data would impair your ability to detect, prevent, or respond to a security incident, you can hold it temporarily.
TCPA internal do-not-call lists. This one deserves a flag. The TCPA and its implementing regulations at 47 C.F.R. section 64.1200 require covered callers to maintain an internal do-not-call list and honor it for at least five years [3]. There's a solid argument that you must retain the phone number in a suppression file to honor a DNC request. That argument holds, but it means the number lives in a suppressed or flagged state, not as an active calling target. You don't get to use the TCPA retention argument as a license to keep dialing someone who asked to be deleted under CCPA. The number goes to suppression, not back into the queue.
If none of those exemptions apply, deletion is mandatory.
How do you actually purge a phone number from a calling list?
Here's where policy meets reality. Removing the row from your master spreadsheet does not satisfy a deletion request. The CPPA's regulations require deletion from every system where the data lives, including backup files and archived records, unless a specific retention exemption covers those backups [2].
Here's a sequence that holds up:
1. Receive and log the request. Timestamp it, note the channel it arrived on, and assign it a ticket ID. You'll need this if an enforcement inquiry ever lands.
2. Verify identity. Run the consumer's provided information against your records. Document the match or the mismatch.
3. Search all data stores. Your CRM, your dialer platform, any data warehouse, purchased list archives, email marketing tools, and any third-party enrichment databases you sync back to. Use the phone number and any linked identifiers (email, name) as the search key.
4. Suppress before you delete. Add the number to your suppression list first. This stops you from accidentally re-acquiring the same number in a future list buy. Then delete the active record.
5. Notify service providers. Send written instructions to every vendor holding a copy. A short email with the ticket ID and the specific record is enough. You don't need a formal legal notice. Keep their confirmation responses.
6. Respond to the consumer. Tell them the deletion is complete (or explain any exemption that blocked full deletion) inside the 45-day window.
7. Log the completion. Close the ticket with dates and the list of systems purged.
For teams running high call volume, none of this works reliably without a written procedure and someone accountable for running it. A shared inbox and a manual checklist are fine for five requests a month. Once you're handling dozens, you need a workflow tool or a dedicated privacy operations process.
What about phone numbers you bought from a data broker or lead vendor?
This is the trickiest part for outbound sales teams. You buy a list of 50,000 California leads. One of those people files a deletion request. You're now obligated to delete their data from your own systems and direct your service providers and contractors to do the same [1]. CCPA does not require you to go back to the original data broker and demand deletion from their master database. The contractor and service-provider chain runs downstream from you, not back upstream to your supplier.
Check your data purchase agreement anyway. Some data brokers write in contractual obligations that flow both ways. And under the CPPA's data broker registration law (Cal. Bus. & Prof. Code section 1798.99.80), registered data brokers carry their own independent deletion obligations when a consumer submits a request directly to them [2]. The consumer can hit the broker's deletion portal separately from your process.
Your practical duty: delete from your systems, suppress the number so you don't re-purchase it, and notify any CRM, dialer, or analytics vendor you've shared it with. That satisfies CCPA.
The TCPA rules governing cell-phone calling and prior express written consent run in parallel with CCPA, not instead of it. Complying with one doesn't automatically satisfy the other.
What does a CCPA deletion violation actually cost?
The CPPA can seek civil penalties of up to $2,500 per unintentional violation and up to $7,500 per intentional violation [1]. There's no private right of action for deletion failures. Unlike TCPA, which lets individual plaintiffs sue for $500 to $1,500 per call, CCPA deletion enforcement runs through the CPPA or the California Attorney General.
The CPPA issued its first enforcement action in August 2023 against a mobile advertising company and has signaled it's prioritizing systemic violations over one-off complaints [2]. The agency can investigate on its own initiative without waiting for a consumer to complain.
"Intentional" sounds like a high bar. It isn't always. Regulators have found intent where a business had a written policy, received a deletion request, and simply didn't run the process. Having the policy matters less than proving you actually executed it.
For context on how fast statutory-damages cases scale against outbound teams: the cash app tcpa class action settlement ended at $8.75 million, and the credit one tcpa settlement reached $12.5 million, both driven by per-call violations that compounded before litigation. CCPA deletion violations don't compound the same way since they're per-record rather than per-call. Still, a calling list with thousands of unprocessed deletion requests can produce thousands of violations fast.
How does CCPA deletion interact with your TCPA do-not-call obligations?
These two frameworks don't fully overlap, which creates a real operational puzzle. TCPA requires you to maintain an internal do-not-call list under 47 C.F.R. section 64.1200(d) and honor it for at least five years [3]. CCPA says delete the data when a consumer asks. Delete the number entirely and you lose the record of the do-not-call request, which means you could unknowingly re-acquire and dial the same number from a future list buy.
Most compliance attorneys recommend the same fix: keep a suppression database that holds only the minimum needed to identify and filter the number going forward, typically just the phone number and the date of the opt-out or deletion request, with no other personal data attached. That satisfies the TCPA retention need without keeping a full consumer profile CCPA would require you to delete.
That suppression record must not feed any outbound contact. It's a firewall, not a re-engagement list. If your dialer or CRM can't hold a suppression-only record type, configure one or move to a platform that can.
The do not call list operated by the FTC under the Telemarketing Sales Rule is a separate federal registry. Registration on the national DNC does not satisfy a consumer's CCPA deletion request, and a CCPA deletion request doesn't automatically add the number to the national DNC. Parallel, independent systems. You manage both.
What records should you keep to show compliance?
The CPPA can audit your deletion practices, and the burden of proving compliance sits with you, not the consumer. At minimum, keep:
- A log of every deletion request received, with the date, the channel (email, phone, web form), and the requester's contact information
- Your verification determination for each request (verified, not verified, and why)
- A record of which systems were searched and which held the data
- Written instructions sent to each service provider, and their acknowledgment
- The date deletion was completed and confirmation sent to the consumer
- Any exemptions invoked and the legal basis for each
How long should you keep these records? CPPA regulations reference the period during which the request could be subject to enforcement, which practically means at least four years given California's statute of limitations on civil actions. Some compliance teams keep privacy request logs for five years to line up with the TCPA's internal DNC retention requirement.
Store these records somewhere other than the system you're deleting from. Keeping the compliance log in your CRM and then deleting the row out of that same CRM creates an obvious documentation gap.
How do you build a deletion request workflow that won't break under volume?
Handle more than a handful of requests a month and the manual checklist starts to fail. Here's what a functional process looks like at different scales.
Small teams (under 20 requests/month). A shared inbox, a Google Sheet log, and a written standard operating procedure naming who owns each step. Assign backup coverage. Unglamorous, but it works if people actually follow it.
Mid-size teams (20-200 requests/month). A dedicated privacy request ticketing workflow inside your CRM, or a tool like OneTrust, TrustArc, or Osano. These platforms automate the intake form, track deadlines, and send reminders as the 45-day clock runs down. They also ship pre-built integrations with common CRMs and marketing platforms to trigger deletion workflows automatically [4]. LeadCompliant's compliance kit includes a deletion request intake template and a vendor notification script that covers the service-provider notification step, a starting point if you don't want to spin up a dedicated platform yet.
Enterprise teams (200+ requests/month). You probably need a full privacy operations function and a dedicated data subject rights (DSR) platform. The manual overhead at this volume creates material liability.
Test your process at least quarterly, whatever your scale. Submit a test deletion request and confirm the record actually disappears from every connected system. Processes that look airtight on paper have real failure points where data hides in a backup sync or a de-normalized analytics table.
Are there any CCPA deletion requirements specific to text message and cold calling campaigns?
CCPA treats phone numbers used for texting and voice calling the same way: both are personal information subject to deletion [1]. The operational risks differ by channel.
For cold calling, the main risk is re-purchasing a deleted number in a future list buy and dialing it again. The suppression file described above is your main defense. If your dialer doesn't run purchased lists against a suppression check before upload, add that step to your list hygiene process.
For text message marketing, SMS platforms often store subscriber records separately from your main CRM. An opt-out from your SMS platform doesn't automatically flow to your CRM, and a CCPA deletion in your CRM often doesn't reach your SMS platform. You have to audit both and build explicit connectors or manual steps between them.
The mobile phone do not call list issue compounds this: wireless numbers carry additional TCPA protections under 47 U.S.C. section 227(b), and the same number can trigger both a TCPA consent problem and a CCPA deletion obligation at once [3]. If a consumer revokes consent to receive texts and also files a CCPA deletion request, treat those as separate actions with separate compliance steps.
Building your outbound process from scratch? Understanding your obligations on cold call compliance before you build the list is far cheaper than unwinding violations after the fact.
Frequently asked questions
Does CCPA require me to delete a phone number I bought from a third-party vendor?
Yes. If you hold the phone number in your own systems, you must delete it from those systems and direct your service providers to do the same when a valid deletion request comes in. CCPA doesn't require you to reach back upstream to the original vendor's database, but you should suppress the number so you don't re-acquire it from a future list purchase.
Can I keep a phone number on file just to honor a do-not-call request?
Yes, with a narrow limit. TCPA regulations at 47 C.F.R. section 64.1200(d) require you to maintain an internal DNC list for five years. Most compliance attorneys recommend keeping only the phone number and the opt-out date in a suppression-only record, with no other personal data. That satisfies the TCPA retention need without maintaining a full consumer profile that CCPA requires you to delete.
What happens if I miss the 45-day deadline?
You can face civil penalties of up to $2,500 per unintentional violation and $7,500 per intentional violation under Cal. Civ. Code section 1798.199.95. The CPPA can investigate on its own without a consumer complaint. Missing a deadline for a handful of requests is a contained risk. Missing it systematically across a large list is material enforcement exposure.
Does CCPA apply to B2B calling lists?
The early CCPA included a B2B exemption, but that exemption largely expired under the CPRA amendments effective January 1, 2023. If the phone number you hold can be linked to a specific individual, even a business contact, it's personal information under CCPA. The safest approach is to treat every California contact as a covered consumer.
Do I have to notify the consumer after I complete the deletion?
Yes. Cal. Civ. Code section 1798.105 requires you to inform the consumer whether you complied with the deletion request and, if you invoked an exemption, to tell them what part of their data you retained and why. That notification must arrive within the 45-day response window.
What verification can I require before processing a deletion request?
You can ask for information reasonably necessary to verify identity, matched against data you already hold. For a calling list, that usually means confirming the phone number, name, and email. You cannot require notarized documentation or a government ID for a standard deletion request. The CPPA's regulations at 11 CCR section 7060 provide tiered verification standards based on data sensitivity.
Is there a private right of action for CCPA deletion failures?
No. Unlike the CCPA's data breach provision, deletion failures don't create a private right of action. Only the California Privacy Protection Agency or the California Attorney General can bring enforcement actions for deletion violations. This differs sharply from the TCPA, where individual plaintiffs can sue for $500 to $1,500 per call without needing the government to act.
How do I handle a deletion request if I can't verify the consumer's identity?
If you make a good-faith verification attempt and can't match the consumer's provided information to your records, you may decline to delete and must tell them why, giving them the chance to resubmit with additional information. Document the verification attempt and the outcome. This protects you from claims that you refused a valid request without cause.
Does a CCPA deletion request also remove the consumer from the national Do Not Call Registry?
No. The national DNC Registry is a federal system maintained by the FTC under the Telemarketing Sales Rule. A CCPA deletion from your records has no effect on the national registry. Separately, registration on the national DNC does not satisfy a CCPA deletion request. These are parallel systems with independent rules.
What if the phone number is part of an active sales contract or account?
You can invoke the transaction completion exemption under Cal. Civ. Code section 1798.105(d) to retain data needed to complete an active transaction or perform a contract. Once the transaction is complete, the basis disappears and you must honor the deletion. You cannot use an ongoing business relationship as an indefinite shield against deletion requests.
Do my CRM vendor and dialer platform also have to delete the data?
Yes. If your CRM or dialer acts as a service provider or contractor under CCPA, you must direct them to delete the consumer's data when you receive a valid request. Most enterprise SaaS vendors have service-provider agreements and deletion request workflows. Check your data processing agreement with each vendor and build their deletion notification into your standard process.
How does CCPA deletion apply to autodialer and prerecorded call compliance?
CCPA deletion and TCPA autodialer/prerecorded call rules are separate obligations. Deleting a number from your calling list satisfies CCPA but doesn't retroactively cure a past TCPA violation. Getting express written consent for an autodialed call doesn't exempt you from CCPA deletion rights either. You need both a consent process and a deletion process running in parallel.
Sources
- California Legislative Information, Cal. Civ. Code sections 1798.100-1798.199 (CCPA as amended by CPRA): CCPA grants deletion rights, defines covered businesses by three thresholds, sets the 45-day response deadline, and lists exemptions including transaction completion and legal obligation
- California Privacy Protection Agency, CPPA Enforcement and Regulations: CPPA issued its first enforcement action in August 2023, adopted regulations at 11 CCR section 7060 on verification tiers, and Cal. Bus. & Prof. Code section 1798.99.80 governs data broker registration and deletion obligations
- FCC, 47 C.F.R. section 64.1200, Telemarketing and TCPA Implementing Regulations: TCPA regulations require covered callers to maintain an internal do-not-call list and honor it for at least five years; wireless numbers have additional protections under 47 U.S.C. section 227(b)
- International Association of Privacy Professionals (IAPP), Privacy Tech Vendor Report: Privacy operations platforms including OneTrust, TrustArc, and Osano provide data subject rights workflow automation and integrations with common CRM and marketing platforms
- FTC, National Do Not Call Registry, Telemarketing Sales Rule: The national Do Not Call Registry is a federal system under the Telemarketing Sales Rule, independent from CCPA deletion obligations
- U.S. Congress, 47 U.S.C. section 227 (Telephone Consumer Protection Act): TCPA permits individual plaintiffs to recover $500 per violation and up to $1,500 for willful violations, with no government agency required to act
- California Attorney General, CCPA Enforcement Actions and Guidance: California AG has concurrent enforcement authority over CCPA violations and can seek civil penalties of up to $7,500 per intentional violation under Cal. Civ. Code section 1798.199.95
- California Legislative Information, Cal. Bus. & Prof. Code section 1798.99.80, Data Broker Registration: Registered data brokers under California law have independent deletion obligations when consumers submit requests directly to them