Right to data deletion for US school prospects: CCPA and state privacy law compliance illustrated for admissions teams

Right to Data Deletion: What US Schools Must Do When a Prospect Requests Erasure

No federal right to erasure exists in US law, but CCPA, state privacy laws, and a patchwork of statutes create real deletion obligations for colleges and universities. A 5-step process for admissions teams.


Skolbot Team · April 25, 2026


Table of contents

  1. The US Legal Framework for Data Deletion
     - CCPA/CPRA (California)
     - State Privacy Laws Beyond California
     - FERPA (Family Educational Rights and Privacy Act)
     - FTC Act Section 5
  2. When Deletion Obligations Apply to Prospect Data
  3. When Can You Lawfully Decline a Deletion Request?
  4. A Five-Step Process for Handling Deletion Requests
  5. Retention Periods for Prospect Data
  6. AI Chatbots, CRM Systems, and the Deletion Challenge

There is no single federal "right to erasure" in the United States equivalent to GDPR's Article 17. But that does not mean deletion requests from prospective students can be ignored. California's CCPA/CPRA gives California residents the right to delete their personal information, and as of 2026, more than 20 states have enacted comprehensive privacy laws that include comparable deletion rights. When a prospect contacts your admissions office requesting that their data be removed, your legal obligation depends on where they live — and institutions recruiting nationally must treat every deletion request as a potential statutory obligation. The response deadline under CCPA is 45 days, extendable to 90 days with notice to the individual.

For a broader overview of prospect data compliance across your institution, see our complete guide to student data protection.

The US Legal Framework for Data Deletion

Unlike the EU's unified regulation, the United States relies on a patchwork of federal and state laws. For colleges and universities handling prospective student data, four frameworks govern deletion obligations.

CCPA/CPRA (California)

The California Consumer Privacy Act, as amended by the California Privacy Rights Act, grants California residents the right to request that businesses delete their personal information. The law applies to for-profit private institutions that meet at least one threshold: annual gross revenue exceeding $25 million; personal data from 100,000 or more consumers or households per year; or 50% or more of annual revenue derived from selling personal information. Institutions meeting these thresholds must respond to verified deletion requests within 45 days, with a single 45-day extension available if the individual is notified before the original deadline expires. The California Privacy Protection Agency and the California Attorney General enforce the law; penalties reach $7,500 per intentional violation.

State Privacy Laws Beyond California

Virginia's CDPA, Colorado's CPA, Connecticut's CTDPA, Texas's TDPSA, and more than 20 other state laws enacted by 2026 create deletion rights with broadly similar timelines — typically 45 days with a single extension. Crucially, these laws apply based on the consumer's state of residence, not the institution's location. An Ohio university with a large number of Texas prospects must comply with the Texas TDPSA for those individuals. The practical implication: institutions recruiting nationally cannot limit their deletion compliance to California residents alone.

FERPA (Family Educational Rights and Privacy Act)

FERPA governs education records of enrolled students — it does not create deletion rights for prospective students who never enrolled. A prospect's inquiry data, chatbot conversations, and contact details collected before application are not FERPA-covered education records. However, FERPA best practices around data stewardship remain a useful internal benchmark, and the US Department of Education encourages institutions to apply consistent data governance across the student lifecycle.

FTC Act Section 5

The Federal Trade Commission enforces against unfair or deceptive data practices. If your privacy policy states that you delete data upon request and you fail to do so, that discrepancy creates FTC enforcement exposure. The FTC has pursued education technology companies for precisely this failure. Privacy policy promises are effectively binding.

When Deletion Obligations Apply to Prospect Data

The trigger for a deletion obligation varies by framework and by the legal basis on which data was originally collected. The table below maps the most common scenarios for US admissions teams.

Trigger: Prospect withdraws marketing consent
Applicable law: CCPA/CPRA; state privacy laws
Institution's obligation: Delete personal information used for that purpose; verify no other lawful basis applies

Trigger: Prospect submits verified deletion request
Applicable law: CCPA/CPRA (California residents); applicable state law for other states
Institution's obligation: Delete all personal information in all systems within 45 days (or applicable state deadline)

Trigger: Data is no longer necessary for its stated purpose
Applicable law: FTC guidance; state minimization principles
Institution's obligation: Proactive deletion required — no request needed

Trigger: Prospect opts out of sale or sharing of personal information
Applicable law: CCPA/CPRA
Institution's obligation: Stop sale/sharing immediately; deletion of the data shared is a separate right

Trigger: Chatbot or form data collected without adequate notice
Applicable law: FTC Act; CCPA
Institution's obligation: Remediate the collection; honor any resulting deletion request

The most operationally significant trigger is the verified deletion request under CCPA or an equivalent state law. Once verified, the institution must delete the information from its records and direct all service providers that received the information to delete it as well. This extends to your CRM vendor, email marketing platform, chatbot provider, and any data brokers to whom prospect data was disclosed.

When Can You Lawfully Decline a Deletion Request?

CCPA and most state privacy laws provide specific exceptions that allow an institution to retain data despite a deletion request. These exceptions are narrower than they appear and must be applied precisely.

Completing a transaction. If the prospect is in the middle of an active application process — for example, they submitted materials and are awaiting an admissions decision — the institution may retain data necessary to complete that transaction. Once the process concludes, this exception lapses.

Detecting and preventing security incidents or fraud. Retention is permitted to the extent data is genuinely used for security or fraud prevention purposes. This does not justify retaining an entire CRM record because a security team might theoretically need it.

Legal obligation. Federal or state law may require retention of specific records — for example, financial aid records under student aid regulations, accreditation audit requirements, or records relevant to a pending legal claim. Retention must be scoped to the data actually required by law, not an entire prospect file.

Research, public interest, or statistical purposes. CCPA permits retention of de-identified data for certain research purposes. De-identification must meet the standard defined in the statute — it is not the same as simply removing a name from a spreadsheet.

Partial retention is both permitted and often required. If a prospect's record contains data subject to a legal hold (such as records related to a formal complaint) and other data that serves no lawful purpose, only the legally required data may be retained. Blanket refusal where partial deletion is possible is not a valid compliance position and exposes the institution to enforcement action. Always document the specific legal ground for any retained data and communicate it to the individual within the response deadline.

A Five-Step Process for Handling Deletion Requests

Step 1 — Acknowledge the request (Day 1). Confirm receipt in writing immediately. The 45-day clock begins on the date you receive the request, not the date you begin investigating. Your acknowledgement should include a reference number and the date by which you will respond.

Step 2 — Verify identity (Days 1–5). CCPA requires that deletion requests be "verifiable" — you must take reasonable steps to confirm the requestor is who they claim to be. For prospect data, matching the email address used in the request to the email address in your records is usually sufficient. Do not request more information than is necessary; excessive identity verification is itself a potential compliance failure. For requests from Common App or Coalition App prospects, the application email is your primary identifier.

Step 3 — Map the data (Days 5–15). Identify every system where the prospect's information is held: your CRM, email marketing platform, chatbot logs, event registration records, shared drives, spreadsheets from college fairs, and any third-party vendors to whom you have disclosed the data. A single prospect at an enrollment management-focused institution can have data distributed across 8 to 12 systems. Your data inventory — maintained as a matter of routine compliance — is the essential tool for this step.

Step 4 — Apply the legal analysis (Days 15–35). For each data set, determine whether a CCPA exception or applicable state law exception permits retention. Document your analysis. Where deletion is required, schedule it. Where partial retention is justified, scope it to the minimum data necessary and document the legal ground specifically. Do not apply exceptions broadly — the burden of justification is on the institution.

Step 5 — Execute, confirm, and document (Days 35–45). Delete all data for which no retention ground exists, across every system and vendor. Issue a written confirmation to the individual specifying that deletion has been completed. Retain a record of the request, your analysis, and your response — this record does not constitute retention of the deleted personal information, and it provides the accountability documentation you need if the request is later challenged. If you require the full 90-day period, notify the individual of the extension before Day 45.

Retention Periods for Prospect Data

No federal law mandates specific retention periods for prospective student data at private institutions. The applicable standard is data minimization: retain personal information only as long as necessary for the purpose for which it was collected, and no longer. The FTC, CCPA, and state privacy laws all converge on this principle. The following periods represent operationally defensible benchmarks aligned with that standard.

First-contact data (inquiry form, chatbot conversation, college fair registration): 12 months from last active contact if the prospect has not progressed to an application. After 12 months, no active recruitment purpose can be sustained for most prospects.

Active pipeline data (campus tour registrant, open house attendee, partially completed application): up to 24 months from last engagement, aligned with the two-year admissions cycle used by many enrollment management teams.

Rejected or withdrawn application data: 6 months from the date the decision was communicated. Many institutions retain this longer under the mistaken belief that accreditation requires it; accreditation bodies require aggregate data, not individual prospect records.

Marketing consent records: retain for as long as is necessary to demonstrate compliance — typically 3 years from the consent event or its withdrawal, whichever is later. This is a record that consent was obtained, not a basis for retaining the underlying personal information.

The outer limit: 3 years from last active contact is the maximum defensible retention period for any prospect data under the combined weight of CCPA, state privacy laws, and FTC guidance. Data held beyond this point carries material enforcement risk and makes deletion requests significantly harder to handle — because the institution is effectively already in breach of minimization obligations.

AI Chatbots, CRM Systems, and the Deletion Challenge

Deletion requests expose the multi-system architecture of modern enrollment management. A prospect who interacted with your institution via an AI chatbot may have personal information stored across: the chatbot platform's conversation logs; your CRM lead record; your email marketing platform subscriber list; your analytics platform's behavioral data; and any third-party data brokers or Naviance records if the prospect came through a school counselor network.

Schools partnered with Skolbot handle a median of 195 qualified leads per month (Source: Skolbot Benchmark 2024–2025, panel of 18 institutions). At that volume, a 1% deletion request rate generates approximately 2 requests per month β€” each requiring a cross-system investigation. Institutions without systematic data mapping routinely miss at least one system during deletion processing.

Four technical measures are essential for managing deletion requests on AI and CRM data:

1. A unified prospect identifier. Every system must use a common identifier — typically the prospect's email address or a CRM-generated ID — so that a single deletion request maps across all platforms without manual cross-referencing.

2. A data inventory. Your privacy policy should accurately reflect all systems where prospect data is held. This inventory is also your operational guide during Step 3 of the deletion process.

3. Vendor deletion clauses. Your data processing agreements with CRM vendors, chatbot providers, and email platforms must require those vendors to delete prospect data upon your instruction. CCPA explicitly extends the deletion obligation to service providers. Without contractual deletion mechanisms, you cannot fulfill your statutory obligation. Review our guide on protecting prospect data under privacy law for the full vendor framework.

4. Documented deletion procedures per system. Some platforms offer API-based deletion of individual records; others require manual processes. Document the procedure for each system before a request arrives, not while the 45-day clock is running.
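The five-step process above and the four technical measures in this section can be exercised end to end in a small program. The following Python example is added here for illustration; it is not Skolbot's code and not any institution's actual procedure. It assumes an in-memory data inventory of three constructed systems (a CRM, chatbot logs, and an email platform), one made-up prospect record, and a made-up legal hold on two complaint fields; the record key is a placeholder. It uses the normalized email address as the unified identifier, computes the Day 45 and Day 90 deadlines from the receipt date, scopes partial retention to fields under a documented legal ground, runs each system's deletion procedure, and returns an accountability record that carries a keyed digest of the identifier rather than the personal data itself. It also handles the case from the FAQ where no system holds anything for the requester.

```python
# Added illustrative example, not Skolbot's code. The systems, records and the legal
# hold below are constructed for the demo; RECORD_KEY is a placeholder. Python 3.10+.
from __future__ import annotations

import hmac
from dataclasses import dataclass, field
from datetime import date, timedelta

RESPONSE_DAYS = 45   # CCPA response window, counted from the day the request is received
EXTENSION_DAYS = 45  # one extension, valid only if notice is given before Day 45 expires
RECORD_KEY = b"placeholder-secret-kept-outside-the-record"  # assumption: real key lives in a KMS


@dataclass
class DeletionRequest:
    reference: str
    email: str
    received: date
    extension_notified_on: date | None = None


def normalize(email: str) -> str:
    """Unified prospect identifier: one canonical form of the address for every system."""
    return email.strip().lower()


def response_deadline(req: DeletionRequest) -> date:
    """Day 45 from receipt; Day 90 only when the extension notice preceded Day 45."""
    original = req.received + timedelta(days=RESPONSE_DAYS)
    if req.extension_notified_on is not None and req.extension_notified_on <= original:
        return original + timedelta(days=EXTENSION_DAYS)
    return original


def deadline_for(received: str, extension_notified_on: str | None = None) -> str:
    """Same calculation from ISO date strings, as a ticketing system supplies them."""
    notice = date.fromisoformat(extension_notified_on) if extension_notified_on else None
    req = DeletionRequest("-", "-", date.fromisoformat(received), notice)
    return response_deadline(req).isoformat()


@dataclass
class SystemStore:
    """One data-inventory entry (CRM, chatbot logs, ...) with its own deletion procedure."""
    name: str
    records: dict[str, dict[str, str]] = field(default_factory=dict)      # ident -> field -> value
    legal_holds: dict[str, dict[str, str]] = field(default_factory=dict)  # ident -> field -> ground

    def delete(self, ident: str) -> dict:
        """Delete everything held for ident except fields under a documented legal hold."""
        rec = self.records.get(ident)
        if rec is None:
            return {"deleted": [], "retained": [], "grounds": []}
        holds = self.legal_holds.get(ident, {})
        kept = {f: v for f, v in rec.items() if f in holds}
        if kept:
            self.records[ident] = kept  # partial retention, scoped to the held fields only
        else:
            del self.records[ident]
        return {"deleted": sorted(f for f in rec if f not in kept),
                "retained": sorted(kept),
                "grounds": sorted({holds[f] for f in kept})}


def handle_request(req: DeletionRequest, inventory: list[SystemStore]) -> dict:
    """Run Steps 2-5 and return the accountability record, which holds no personal data."""
    ident = normalize(req.email)
    # Steps 2-3: verification is the email match against each system; an address found
    # nowhere yields the "no data held" response instead of a deletion.
    holding = [s.name for s in inventory if ident in s.records]
    outcomes = {s.name: s.delete(ident) for s in inventory}  # Steps 4-5, per-system procedure
    return {
        "reference": req.reference,
        # keyed digest, not the email: the record must not become a copy of the deleted data
        "identifier_digest": hmac.new(RECORD_KEY, ident.encode(), "sha256").hexdigest()[:16],
        "received": req.received.isoformat(),
        "deadline": response_deadline(req).isoformat(),
        "systems_searched": [s.name for s in inventory],
        "systems_holding_data": holding,
        "outcome": "deleted" if holding else "no_data_held",
        "systems": outcomes,
    }


def build_sample_inventory() -> list[SystemStore]:
    """Constructed sample data for three systems; not real prospect records."""
    who = "dana.prospect@example.com"
    crm = SystemStore("crm", {who: {"name": "Dana Prospect", "phone": "555-0100",
                                    "intended_major": "Biology", "complaint_id": "C-17",
                                    "complaint_notes": "Open complaint, see file"}})
    crm.legal_holds[who] = {f: "records relevant to a pending legal claim"
                            for f in ("complaint_id", "complaint_notes")}
    chatbot = SystemStore("chatbot_logs", {who: {"transcript": "Asked about tuition"}})
    mailer = SystemStore("email_platform", {who: {"list": "fall-open-house"}})
    return [crm, chatbot, mailer]


def run_demo(email: str = " Dana.Prospect@example.com ") -> tuple[dict, list[SystemStore]]:
    """Process one constructed request (received 2026-04-01) against the sample inventory."""
    inventory = build_sample_inventory()
    record = handle_request(DeletionRequest("DR-0001", email, date(2026, 4, 1)), inventory)
    return record, inventory
```

Calling `run_demo()` processes the constructed request: the CRM keeps only the two complaint fields under the documented ground, the chatbot log and mailing-list entries disappear entirely, and the returned record lists every system searched without containing the address itself. Two design choices are worth noting. The accountability record uses a keyed digest rather than a plain hash because an unkeyed hash of an email address can be matched by anyone who can guess the address, which would turn the Step 5 record back into a copy of the data you just deleted. And `deadline_for("2026-04-01", "2026-05-20")` still returns Day 45, not Day 90, because the extension notice arrived after the original deadline; the extension is only available when the individual is told before Day 45.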

For cookie and tracking data, deletion obligations intersect with opt-out and consent management. Our cookie consent guide for schools addresses those interactions in detail.

FAQ

Does a prospective student need to give a reason for their deletion request?

No. Under CCPA and equivalent state privacy laws, consumers are not required to justify a deletion request. The obligation to respond within 45 days applies regardless of whether a reason is given. Where you intend to decline or partially decline the request, the burden of justifying retention is on the institution.

Does FERPA require us to delete prospect data on request?

No. FERPA does not apply to prospective students who never enrolled, and it does not create a deletion right equivalent to CCPA. However, FERPA's framework for education record stewardship is a useful internal benchmark. The deletion obligations your institution faces for prospect data come from CCPA and applicable state privacy laws, not FERPA.

What if the prospect's data came through Common App or Naviance?

Common App, Naviance, and similar platforms are separate data controllers for the data they hold. When a prospect requests deletion, your institution must delete the data it holds. Requests relating to data held by Common App or Naviance must be directed to those organizations separately. Document this distinction in your deletion response so the prospect understands which controller holds which data.

Can we charge a fee for processing a deletion request?

No. CCPA and all equivalent state privacy laws require that responses to consumer rights requests be provided free of charge. A fee may only be charged for requests that are "manifestly excessive" — a standard that is rarely met and requires specific justification. Charging for routine deletion requests is a violation.

What if we cannot find any data for the individual in our systems?

If a search of all systems returns no record matching the individual's identity — for example, because the data was already purged under your retention schedule — respond confirming that you hold no personal information about them or that any previously held data has already been deleted. This is a valid and complete response to a deletion request. It is good practice to include a brief explanation of your data retention policy to demonstrate that the absence of data reflects a compliant process.

To conduct a full privacy and compliance audit across your institution's data practices, use our privacy audit checklist for schools.
