RatedWithAI

RatedWithAI

Accessibility scanner

AI PrivacyJune 23, 2026

CCPA Data Deletion Requests and AI Models 2026: Can Users Force You to Retrain?

A California consumer sends a CCPA deletion request — and their data is baked into the model you shipped last quarter. Do you have to retrain? Delete the model? Just the source rows? Here is what the law actually requires, what the FTC has already ordered, and how to build a deletion workflow that holds up.

45 days
CCPA deadline to respond to a verified deletion request (extendable to 90)
$2,500
Civil penalty per unintentional CCPA violation — $7,500 per intentional violation
4+
FTC algorithmic disgorgement orders requiring model deletion (Everalbum, Rite Aid, WW, Cambridge Analytica)

What CCPA Deletion Actually Requires

Under the CCPA (as amended by the CPRA), a consumer can request that a business delete the personal information it has collected about them. On a verified request, the business must delete the personal information from its records and direct its service providers and contractors to delete it too — unless a statutory exception applies.

The text targets "personal information" in your "records." For AI, that clearly covers the raw training data, feature stores, embeddings keyed to an individual, logs, and any identifiable copy of the consumer's information. The harder question is the trained model itself.

The Three Layers of AI Data — and What You Must Delete

Source & Training Data

DELETE

Raw records, datasets, feature stores, and any identifiable copy used to train or fine-tune the model. This is squarely 'personal information in your records' and must be deleted on a verified request.

Inference Logs & Embeddings

DELETE

Prompt/response logs, embeddings, vector-DB entries, and caches that can be linked to the individual. If it can be re-associated with the consumer, it is personal information and in scope.

Model Weights

CONTEXT-DEPENDENT

Whether you must alter the trained weights is unsettled. If the model memorizes and can regurgitate the individual's data, regulators are more likely to treat the weights as containing personal information. Practical responses: exclude from future retraining, apply machine unlearning, or (in disgorgement cases) delete the model.

Algorithmic Disgorgement: When Regulators Order Model Deletion

The reason "we already trained on it" is a dangerous defense: the FTC has repeatedly ordered companies to destroy the models themselves, not just the data. This remedy is called algorithmic disgorgement or model deletion.

Cambridge Analytica

2019

FTC order required deletion of information and any algorithms or work product derived from improperly obtained Facebook data.

Everalbum

2021

Required to delete facial recognition models and algorithms developed using photos collected without consent — the landmark model-deletion case.

WW / Kurbo

2022

Required to destroy algorithms built from children's data collected in violation of COPPA.

Rite Aid

2023

Five-year ban on facial recognition and an order to delete the biometric data and models built from it.

These are FTC actions, not CCPA deletion responses — but they set the regulatory tone. If your training data was collected unlawfully, the downstream model is at risk, and the California Privacy Protection Agency has signaled increasing interest in automated decision-making and AI training practices.

Machine Unlearning vs Full Retraining

When source deletion is not enough and you need to remove an individual's influence from a model, you have options of escalating cost:

Exclude & Retrain on Schedule

Low–Medium

Delete the source records now and exclude them from your next scheduled retraining cycle. The most common, defensible approach for models retrained regularly.

Machine Unlearning

Medium

Algorithmic techniques (e.g. influence functions, SISA training) that approximately remove a data point's effect without full retraining. Emerging, not yet a settled legal standard.

Full Retraining

High

Retrain the model from scratch on the cleaned dataset. The strongest guarantee, used when memorization risk or regulatory exposure is high.

Model Deletion

Highest

Destroy the model entirely. Reserved for disgorgement orders or models trained on data with no lawful basis.

Deletion Exceptions You Can Actually Rely On

CCPA lets you deny or limit a deletion request in specific situations. "We trained a model on it" is not one of them — but these are:

  • Completing a transaction or providing a good/service the consumer requested
  • Detecting security incidents or protecting against fraud and illegal activity
  • Complying with a legal obligation or exercising/defending legal claims
  • Genuinely deidentified or aggregated data (outside CCPA scope entirely)
  • Certain internal uses reasonably aligned with the consumer's expectations

The strongest structural protection is deidentification: if your training pipeline strips identifiers and meets the CCPA deidentification standard (reasonable safeguards, a public no-reidentification commitment, and contractual bans on re-identification), the data falls outside CCPA and deletion requests do not reach it.

A Deletion Workflow That Survives an Audit

Build this before the requests arrive — retrofitting deletion into a trained pipeline is painful.

Maintain a data lineage map: which datasets, feature stores, and models a given record flows intoFoundation
Verify the requester's identity to the CCPA standard before deleting anythingRequired
Delete source records, embeddings, vector-DB entries, and identifiable logs within 45 daysRequired
Direct service providers, sub-processors, and model-hosting vendors to delete the same dataRequired
Flag the record for exclusion from the next retraining run; document the scheduleRequired
For high-memorization models, evaluate machine unlearning or full retrainingRisk-based
Deidentify training data at ingestion so future requests fall outside CCPA scopePreventive
Log every deletion action with timestamps to evidence compliance in an auditEvidence

Audit your AI product's privacy exposure

RatedWithAI helps teams understand their compliance posture across privacy, accessibility, and AI-regulation requirements. Start with a free scan.

Scan Your Product for Free →

Frequently Asked Questions

Do I have to retrain my model for every CCPA deletion request?

Not usually. The core obligation is to delete the personal information from your records and direct service providers to do the same. Most businesses satisfy this by deleting source data and excluding the record from future training runs. Full retraining or unlearning is reserved for high-risk cases — models that memorize and can output the individual's data, or data collected without a lawful basis.

What is the CCPA deadline to respond to a deletion request?

You must confirm receipt within 10 business days and complete the response within 45 calendar days of a verified request. The deadline can be extended by another 45 days (90 total) when reasonably necessary, with notice to the consumer.

Does deidentified training data protect me from deletion requests?

Yes, if it genuinely meets the CCPA deidentification standard. Data that cannot reasonably be re-identified, where you publicly commit not to re-identify it and contractually prohibit re-identification, falls outside CCPA. Pseudonymized data that can still be linked back to a person does not qualify and remains in scope.

Can the FTC really order me to delete an AI model?

Yes. The FTC has imposed algorithmic disgorgement — model deletion — in multiple cases, including Everalbum, Rite Aid, and WW/Kurbo. The remedy applies when a company built models on data collected unlawfully or in violation of its own representations. It is a strong signal that downstream AI models inherit the legal risk of their training data.

Related Guides