Robinhood: “There is no way to permanently delete an account”

An adventure about the limitations of California privacy law.

About a month ago, I got a typical scam email from “Robinhood”. Robinhood made a statement from their Reddit account that it was an “abuse of our login system”, and that “no data was leaked”.

Frankly, I’d forgotten that I even have a Robinhood account; I had never even finished setting it up. I never verified the email or phone number, and I never deposited any money. For all intents and purposes, a blank account. I decided to tie up loose ends and delete it.

So fresh. So unverified. So deactivated. So not deletable.

As it turns out, that’s not simple at all! There isn’t a “Delete Account” or “Close Account” or anything like that. There is only a “Deactivate Account” option, which disables a few things. Unfortunately, “Account Deactivation” doesn’t prevent logins (and apparently, also doesn’t prevent people from abusing it to send me scam emails).

But in any case, I sent an email to privacy@robinhood.com in order to make a formal CCPA deletion request (as a resident of California). In the past, I’ve had no issues getting companies to close my accounts using this method. Robinhood was a whole different story.

What is the CCPA?

The CCPA is a set of laws that help to prevent companies from abusing the privacy rights of individuals. Basically, a sadder version of Europe's GDPR. But it's still better than what the rest of the USA has. It introduced the CPPA, which is an agency dedicated to implementing and enforcing the law.

FWIW, if you're a resident of California, the CPPA has a new free tool called Drop for making mass data deletion requests to data brokers (somewhat similar to services like Incogni or Deleteme).

Details are Inconvenient

The first response was a generic template, summed up with “Due to federal laws and financial regulations, this information has to be retained”. While I’m aware that there are some exceptions in the data deletion regulations in order to account for national laws (in particular, the Gramm-Leach-Bliley Act), this was still odd to me, since I’ve successfully deleted accounts from banks and investment services in the past. Were all those companies breaking the law? Were FINRA regulations actually preventing them from deleting my account? Or was Robinhood just using it as an excuse, and refusing to delete my account out of inconvenience? Powered by my annoyance, I decided to engage in a lengthy email thread to get more information.

Each email reply was from a different agent. Some had particular styles. Some just sent the basic refusal template without answering anything at all. Others actually tried to help explain things somewhat. But despite my prodding for details, nobody ever gave me any real specifics as to WHY they need to keep my data. They only gave me the same super-broad responses of “Well, regulations of course”.

Why specificity matters for the CCPA

The California Code of Regulations requires that businesses (even if they have reason to refuse deletion of some data) be able to respond specifically as to WHY they are keeping my data. According to CCR §7022, in addition to a number of other requirements, a business must:

1. Provide to the consumer a detailed explanation of the basis for the denial, including any conflict with federal or state law, exception to the CCPA, or factual basis for contending that compliance would be impossible or involve disproportionate effort, unless prohibited from doing so by law.
2. Delete the consumer's personal information that is not subject to the exception.

But over my 15 emails, despite my annoying prodding, they never stated any reasoning more specific than "regulations require us to keep your data". I don't think it's too much of a stretch to say that the lack of explanation could be a violation in itself!

Robinhood couldn’t even explain to me how to “end my relationship with Robinhood”. Which is important, seeing that their Privacy Policy states “we may retain certain data for the duration of your relationship with us and for a period of up to 5 years after the relationship ends”. Over the 15-email thread, I ended up with some rather entertaining replies:

I have deleted accounts from many services. I understand that some data needs to be kept for some amount of time for other legal requirements. It’s not rare to see messages like the “It could take up to 12 months to delete your information completely” I received from Cloudflare. That’s pretty normal.

Similar services such as Fidelity and Webull have sections on their website dedicated to deleting accounts. I assume that these companies also keep data that they need to satisfy federal regulations. It’s Robinhood’s outright refusal of account deletion that I find to be problematic. In my view, it muddies the water on what it means to “end a relationship with Robinhood”, and conveniently lets them keep a maximum amount of data indefinitely.

Getting sidetracked: wtf is "Essential Data"?

Robinhood also kept reminding me "Oh we have a tool for deleting non-essential data". Which I used. But it doesn't really delete all the non-essential data, does it?

I'm really glad that my investment broker keeps my essential social @nickname

Even IF they have to keep some data for federal laws, is FINRA really going to ask Robinhood for my social tag?

The Unfortunate Reality

And so what now? There isn’t really a satisfying conclusion to this story. I filed a CCPA complaint. But I don’t really have high hopes. The CCPA doesn’t really have the power to make Robinhood change their behavior. The maximum CCPA fine for a single violation is $7,988 (as of 2026). For things like refusing to delete accounts, it’s a drop in the bucket. The fine is just too small for a company as big as Robinhood to really care. And there isn’t really any history of this kind of CCPA violation being enforced on any large scale.

But really, we need consumer privacy laws that have more power and actual consequences. For example, when I was working at Sony, people made a HUGE deal about GDPR when those laws were passed in Europe. Wanna know why? Because GDPR could fine you 4% of global revenue! Robinhood earned $2.95 billion in revenue in 2024, so that would be a fine of $118 million. Stronger threats of consequence cause companies to take real action, and not just ignore random privacy requests.

In any case, if you’re reading this at Robinhood, please delete my account.

Thanks,

Ben




The email text:

I’m still wondering which laws 😢