GUIDE

How to Opt Out of Melissa.com (and What the Opt-Out Actually Removes)

May 2026  ·  10 min read

Privacy Insight Solutions OSINT & Executive Privacy Analysts

Melissa.com is one of the largest US-based data brokers, and probably one of the least understood. Most people searching for a Melissa opt-out have only just learned the name, usually because it surfaced when they were checking what records exist about them, or because someone showed them a “Melissa Personator” lookup. It is not a people-search site like Spokeo or BeenVerified. It is a B2B data quality and identity verification service whose customers are other businesses: marketers, lenders, retailers, government contractors, and CRM operators.

That distinction matters because the opt-out path, what gets removed, and what stays in their system are all shaped by the B2B model.

This guide walks through the four jurisdictions Melissa now operates under (California, 19 other US states, the EU, and a fourth universal path that is buried in their notice text), the actual webform process, what verification they require for which request type, and what the opt-out does and does not erase. It is built entirely on Melissa’s own published policies as of January 2026.

What Melissa actually is

Melissa Data Corporation runs three categories of product that touch personal data:

  • Address verification and standardisation — used by retailers and government services to validate and clean delivery addresses
  • Identity verification — used by lenders, financial services, and any business with KYC obligations to confirm a person matches the documents they provide
  • Melissa Lookups — the consumer-facing search and lookup tool, accessible to subscribers, which is the surface most opt-out requests target

Their CCPA notice describes the data sources clearly: “data licensors/brokers, government entities, social networks, publicly available information.” Melissa is a data aggregator. The records they hold about you were not collected from you directly. They were licensed from other brokers, pulled from public records, or scraped from social networks before being stitched into a profile.

What they sell is not just contact information. According to their own published categorisation, the personal information they have sold or shared in the past twelve months includes:

  • First and last names, maiden name, aliases
  • Home address
  • Email address and telephone number
  • Social security number
  • Driver’s licence number
  • Age and date of birth
  • Employment information, position, and salary
  • Professional licences and permits

That list is not theoretical. It comes from Section 4 of their CCPA Privacy Notice, where they enumerate exactly which categories they have sold or shared.

Your rights by jurisdiction

Melissa operates under four distinct privacy regimes, and the rights available to you depend on where you live.

California (CCPA / CPRA)

If you are a California resident, you have the right to know what personal information has been collected, the right to request deletion, the right to opt out of sale or sharing, the right to correct inaccuracies, the right to limit the use of sensitive personal information, and the right to non-discrimination for exercising these rights. These are codified in Cal. Civ. Code §§ 1798.105–1798.125.

Melissa’s published 2024 metrics give an unusually clear picture of how those rights resolve in practice:

  • Right to Delete: 4,203 requests, 4,140 approved (98.5%), average 4 days to complete
  • Right to Opt Out: 856 requests, 800 approved (93.5%), average 5 days
  • Right to Know: 106 requests, 98 approved (92.5%), average 12 days
  • Right to Correct: 62 requests, 57 approved (92%), average 12 days
  • Right to Limit: 179 requests, 164 approved (91.6%), average 5 days

Approval rates are high, and the simple deletion path resolves fastest.

Nineteen other US states

A wave of state-level privacy laws now overlaps with CCPA. Melissa’s State Law Privacy Notice covers Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Florida, Minnesota, Maryland, Indiana, Kentucky, and Rhode Island. The exact scope of rights varies by state, but every one of them includes a right to delete and a right to opt out of sale.

Indiana, Kentucky, and Rhode Island laws took effect on 1 January 2026. Maryland’s MODPA goes further than most, requiring data minimisation strict enough that Melissa explicitly limits processing for Maryland residents to “only that which is strictly necessary for the specific product or service you interact with.”

European Union (GDPR via the EU-US Data Privacy Framework)

EU residents have the right of access, rectification, erasure, and objection under GDPR. Melissa is certified under the EU-US Data Privacy Framework and has nominated JAMS Alternate Dispute Resolution as the third-party complaints handler if a request is not resolved.

One detail worth flagging: while opt-out and access requests can be handled through the standard webform, Melissa’s DPF notice states that “to request complete erasure of personal data, individual data subjects are required to submit a written request.” That phrasing leaves room for them to insist on email or letter rather than a webform submission for full GDPR Article 17 erasure. In practice, the webform tends to be accepted; if you are pursuing a right-to-erasure rather than a generic opt-out, save your written submission and send it to ConsumerRequest@melissa.com directly.

The universal path most guides miss

This is the line buried in Section 6 of the CCPA notice and Section III of the State Law notice:

“Any individual, regardless of state of residence, may request to have their personal information deleted from our Melissa Lookups and other database products, and to opt out of the sale or sharing of their personal information.”

Residents of countries and states without statutory privacy rights, including the UK outside the GDPR framework, Canada, Australia, the Middle East, Asia, and Latin America, can still submit the same form and have their record removed from Lookups. Verification requirements are lower for this path than for a verified CCPA Right-to-Know request, because Melissa is not legally required to authenticate identity to the same degree.

This is the single most under-publicised fact about Melissa’s opt-out: the door is open globally, not just to residents of CCPA-covered jurisdictions.

The opt-out walkthrough

The mechanism is identical for all four paths. The only thing that changes is which radio button you select.

  1. Go to Melissa’s Consumer Privacy webform (linked from the bottom of every Melissa.com page under “Do Not Sell or Share My Personal Information”), or email ConsumerRequest@melissa.com directly.
  2. Select your request type. For most readers of this guide, the right selection is Right to Delete. This removes you from Melissa Lookups and other database products and is available to anyone, anywhere. If you also want to stop future sale or sharing, add Right to Opt-Out of Sale.
  3. Provide identifying information sufficient for them to match you against their records: full name, current address, prior addresses if you have moved recently, email address, and phone number. They will not require a government ID for a simple opt-out or deletion request. Melissa’s State Law Privacy Notice explicitly states this in §III.
  4. Submit. Save your submission confirmation. Melissa retains a permanent record of opt-out and deletion requests.

For California residents pursuing a Right-to-Know request specifically (the most data-rich response, listing every category and source), you will be asked to upload a driver’s licence image. That is the only request type where heavy verification kicks in. The rest are designed to be lightweight, which matches the four-to-five-day average completion time their 2024 metrics show.

What the opt-out actually removes

This is the part most opt-out guides get wrong, and where the practitioner detail matters most.

A Melissa deletion does three things:

  • It removes your record from active production systems used by Melissa Lookups and other consumer-facing or commercial query products
  • It directs Melissa’s service providers (downstream contractors) to do the same
  • It creates a permanent record of your request, so that if your data resurfaces from a future licensor feed, it will be re-suppressed rather than re-sold

A Melissa deletion does not do these things:

  • It does not remove archived copies held for “fraud prevention or lineage purposes.” Melissa’s retention policy explicitly preserves superseded records for these business uses.
  • It does not remove data that Melissa has already sold or shared with third-party customers in the prior twelve months. Those copies live in the customers’ systems, governed by their own retention policies.
  • It does not retroactively pull data from products that have already been delivered (one-off database licences, batch deliveries, integrated CRM feeds).

The third point is the most important. Melissa’s business model means that data is replicated across thousands of customer environments. The opt-out closes the tap at Melissa, but the water already in your customers’ tanks is theirs to manage.

This is why a single-broker opt-out is a starting point, not a finished job. The companion piece, how to delete personal information from the internet, walks the four-layer sequence that Melissa fits inside.

The suppression record concept

What Melissa creates when you opt out is technically more useful than the opt-out itself. Their notice describes it as: “We will maintain a record of your request to ensure your information is not re-collected or re-sold.”

That permanent record is a suppression record. Every time Melissa ingests a fresh feed from one of their data licensors, your record is filtered out before it reaches active production. It does not matter how many times the underlying broker re-sells your data. Melissa’s own pipeline now treats you as a known opt-out.

The same concept applies at every other broker that maintains a registered suppression list. Building suppression records across the broker ecosystem is what long-term removal work actually looks like, and it is durable in a way that a single deletion request is not.

Building a stable suppression footprint across the broker ecosystem is the work the Eraser does at scale: every broker, every jurisdiction, every quarterly re-check.

Talk to an Analyst

Forward look: the California Delete Act and DROP

Effective 1 January 2026, the California Privacy Protection Agency launched the Delete Request and Opt-Out Platform (DROP). DROP is designed to let California residents submit a single verifiable deletion request that propagates to every registered data broker in the state. Melissa is registered and committed to participation.

The operational dates: data brokers begin accessing the DROP system on 1 August 2026. Melissa has stated it will pull deletion requests at least every 45 days from that point. Until then, the existing webform remains the only direct route.

DROP changes the broker-removal landscape for California residents specifically. For everyone else, the jurisdictional patchwork remains, and the manual webform path is still required.

Why one broker isn’t enough

Melissa is one node in a network. The same person whose record you are deleting from Melissa probably also has records at Acxiom, LexisNexis, CoreLogic, Verisk, Whitepages Premium, BeenVerified, Spokeo, Intelius, and dozens of more obscure regional aggregators. Each one runs its own opt-out process with its own verification requirements, its own retention exceptions, and its own suppression record format. Our EU broker opt-out list is the starting point for European residents working through this manually.

A typical adult in the US is referenced by dozens to a few hundred distinct broker products. In Europe the number is lower, but the people-search and credential-aggregation surface is growing fast. Removing a single record at a single broker reduces exposure marginally. Building suppression records across the full ecosystem is what changes the picture.

This is what the Eraser does. Single-broker opt-outs are the right place to start if you have time and patience; they are not a substitute for systematic ecosystem-level work.

Sources

Melissa primary policies (January 2026)

Statutory references

  • California Consumer Privacy Act / California Privacy Rights Act, Cal. Civ. Code §§ 1798.100 et seq.
  • California Delete Act (SB 362) and CPPA DROP platform
  • EU General Data Protection Regulation (Regulation 2016/679), Articles 15–22

If this is your situation

If you want long-term removal across the broker ecosystem, the Eraser runs the multi-week purge.

See The Eraser

Share this briefing

If this was useful, sharing it helps others protect themselves. It also helps keep the intelligence briefings free.