The Anatomy of a Legally Binding Opt-Out Request (CCPA & GDPR)

Not all emails are created equal. If you email a data broker saying *"Please delete me,"* they will likely ignore it. To force compliance under CCPA (California), GDPR (Europe), or VCDPA (Virginia), your request must contain four specific elements, each of which triggers a different part of the broker's compliance obligation.

Key Takeaways

• A properly structured opt-out request is treated as a legal demand, not a customer service ticket.
• Brokers use email parsers that route on keywords: CCPA, Article 17, "Privacy Officer" get you into the compliance queue.
• The subject line, identity proof, legal citation, and opt-out declaration are all required; missing one weakens the request.
• State-specific statute citations carry more weight than generic "privacy law" references.
• If a broker doesn't respond within 45 days, you have grounds for an FTC complaint and state AG referral.

The 4 Pillars of a Binding Request

1. The Subject Line

Must signal legal intent immediately.

• Bad: "Remove my info"
• Good: "FORMAL DEMAND: Opt-Out Request Pursuant to California Civil Code § 1798.105 (CCPA)"

The subject line is what gets the email routed to the compliance team vs. general support. Brokers' inboxes parse subject lines for legal keywords. A generic subject goes to the trash; a statutory citation goes to the legal queue.

2. The Verification Data

You must provide enough to identify the record, but not enough to create a new one.

• Include: Full Name, City/State, Record URL (if found), email address on the listing.
• Exclude: SSN, Driver's License number, Full DOB, financial account numbers.

The goal is to match the record that exists, not to prove identity by handing over sensitive documents. Under CCPA § 1798.130, brokers can only request "reasonably necessary" verification. The email address associated with the listing is sufficient.

3. The Legal Citation

You must cite the specific statute that gives you jurisdiction. Vague language ("my privacy rights") creates wiggle room. Statutory citations don't.

• CCPA: *"I am exercising my right under California Civil Code § 1798.105(a) to request deletion of all personal information you have collected about me."*
• GDPR: *"I am exercising my Right to Erasure under Article 17 of the General Data Protection Regulation."*
• VCDPA: *"I am exercising my right to deletion under Virginia Code § 59.1-578(A)(3)."*

4. The "Do Not Sell" Declaration

For US brokers, this is legally separate from deletion. You must explicitly opt out of the *sale* of your data, not just ask them to take down the public-facing profile. The profile may be removed from search but your record can still be sold to list brokers unless you invoke this separately.

• *"I strictly withhold consent for the sale, sharing, or transfer of my personal information under California Civil Code § 1798.120(a)."*

A Complete Opt-Out Email Template

Use this template verbatim, substituting your information in the bracketed fields:

To: privacy@[broker].com

Subject: FORMAL DEMAND: Deletion and Opt-Out Request. California Civil Code § 1798.105 / GDPR Article 17

Attn: Privacy Compliance Officer

I am writing to formally demand deletion of all personal information your company has collected, stored, or sold about me, and to opt out of the sale or sharing of my personal information.

Full Name: [Your Full Name]

City/State: [City, State]

Email: [Your Email]

Record URL (if known): [paste URL]

Legal Basis:

• If you process data of California residents: California Civil Code § 1798.105(a) (CCPA/CPRA)
• If you process data of EU/UK residents: GDPR Article 17 (Right to Erasure)
• If you process data of Virginia residents: Virginia Code § 59.1-578(A)(3) (VCDPA)

Requested Actions:

1. Delete all personal information you hold about me.
2. Do not sell, share, license, or transfer my personal information (Cal. Civil Code § 1798.120).
3. Confirm in writing that the deletion has been completed, within the statutory 45-day window.

I have not consented to the collection, sale, or sharing of my personal data. No legitimate business purpose exists that would override my deletion right for people-search and data-aggregation services.

If you fail to comply within 45 days, I will file a complaint with the California Attorney General's Office, the FTC, and any applicable state AG office.

[Your Full Name]

[Date]

Weak vs Strong Opt-Out Request

State-by-State Legal Citations

Use the exact statute that matches where you reside. Citing the wrong jurisdiction gives brokers grounds to delay.

• California (CCPA/CPRA): "California Civil Code § 1798.105(a). Right to Deletion" and "§ 1798.120(a). Right to Opt Out of Sale"
• EU/UK (GDPR): "General Data Protection Regulation, Article 17. Right to Erasure ('Right to be Forgotten')"
• Virginia (VCDPA): "Virginia Consumer Data Protection Act, Va. Code § 59.1-578(A)(3)"
• Colorado (CPA): "Colorado Privacy Act, C.R.S. § 6-1-1306(1)(c)"
• Connecticut (CTDPA): "Connecticut Data Privacy Act, Conn. Gen. Stat. § 4-48(b)(3)"
• Texas (TDPSA): "Texas Data Privacy and Security Act, Tex. Bus. & Com. Code § 541.051(c)"

If you are not in any of these jurisdictions, cite the broker's home state if it has a privacy law, or lead with GDPR if the broker is multinational. Most major US brokers honor GDPR-cited requests from non-EU users rather than triggering a jurisdictional dispute.

What to Do When Brokers Don't Respond

Step 1: Follow up at 46 days. The statutory window is 45 days. Send a second email on day 46 citing the non-response and restating your demand.

Step 2: FTC complaint. File at reportfraud.ftc.gov. Select "Identity Theft/Privacy" → "Data Broker." The FTC uses complaint volume to prioritize investigations. A filed complaint also creates a timestamped record useful in later escalation.

Step 3: State AG complaint. If you are in a covered state:

• California: oag.ca.gov/privacy (CPPA enforcement)
• Virginia: oag.state.va.us
• Colorado: coag.gov

Step 4: Private right of action. California CCPA § 1798.150 creates a private right of action for security breaches involving your data. For general non-compliance, CPPA enforcement is the primary mechanism. New Jersey's Daniel's Law (for covered professionals) and GDPR (for EU residents) provide stronger private rights.

Step 5: Small claims court. In some states, consumer protection statutes allow small claims filings for statutory damages from willful non-compliance. This is rarely worth it for a single broker but is effective when patterns of non-compliance exist.

Frequently Asked Questions

Q: Do I need a lawyer to send an opt-out request?

A: No. These are consumer rights exercised directly by individuals. A lawyer is useful only if you escalate to litigation or AG complaint. The template above is legally sufficient for a first-party request.

Q: What if the broker says it cannot find my record?

A: This sometimes happens with records indexed under a different name variation. Reply with alternate name formats (maiden name, common misspellings) and ask them to confirm a comprehensive search. Under CCPA, they must make a "reasonable effort" to locate the record.

Q: Can I send one email to all brokers or do I need individual emails?

A: Individual emails with the specific broker's name in the body are more effective, they signal a human wrote them and they clear spam filters better. OfflistMe generates per-broker emails with correct recipient addresses pre-filled.

Q: Does citing GDPR work for US residents?

A: Many brokers honor GDPR-cited requests globally because maintaining two separate response pipelines is operationally complex. It is not a legal entitlement for US residents, but in practice it often works. Always cite your home-state statute first.

Q: What's the difference between deletion and opt-out?

A: Deletion removes the record from the broker's database. Opt-out of sale stops the broker from selling your data to third parties, but they may still keep a suppressed record internally. For people-search sites, deletion is what you want. For marketing data brokers (Acxiom, Oracle), opt-out of sale is the primary lever.

Don't guess. Use a template that works.

Generate legally structured opt-out emails for 300+ brokers →