The effective date for the California Consumer Privacy Act (“CCPA”) is January 1, 2020. With fewer than 90 days remaining, covered businesses must be ramping up to meet the requirements of the CCPA. The CCPA affords several rights to California residents (as the term “consumer” is defined by the Act) as to personal information collected by a covered business. Among these rights are: (1) the right to request disclosure of personal information collected and uses therefor (§ 1798.110(a)); (2) the right to request deletion of personal information collected by the covered business (§§ 1798.105(a) and (c)); and (3) the right to receive that information from the covered business (§ 1798.100(d)).1
This article focuses on the second – the consumer’s right to request deletion of personal information, often called the “right to be forgotten.” This right obligates covered businesses, which must in turn obligate their service providers. Under § 1798.105:
(a) A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.
* * *
(c) A business that receives a verifiable consumer request to delete the consumer’s personal information pursuant to subdivision (a) of this section shall delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.
What must be deleted?
But, what does “delete” mean in the context of the CCPA? Absent a definition, the CCPA simply requires that a covered business remove from its files the requesting consumer’s personal information. We stress that the 12-month look back pertaining to requests to identify information that is collected does not apply to the deletion requirement. Instead, all personal information collected, regardless of when collected, must be deleted in response to a request for deletion. The language of the CCPA also currently leaves open the issue of the extent to which a covered business must go to its archives and back-ups and delete all personal information from those locations as well. There may be more guidance in the forthcoming draft regulations to be promulgated by the California Attorney General.
What are exemptions to the deletion requirement?
There are, however, exceptions to the deletion requirement. Section 1798.105(d) allows a covered business to forgo deletion if the information is necessary to perform any of nine specified activities, including, for example, completing the transaction for which the personal information was collected, detecting security incidents, exercising free speech, engaging in public or peer-reviewed scientific, historical, or statistical research, and complying with a legal obligation.
In addition, § 1798.145 identifies other exceptions: the mandates of the CCPA, including the deletion requirement, shall not restrict a business’s ability to perform various tasks, including complying with federal, state, and local laws, exercising or defending legal claims, using deidentified or aggregated consumer information, or collecting or selling a consumer’s personal information if every aspect of the commercial conduct takes place wholly outside of California.
The definition of “personal information” is also helpful in that it does not include deidentified, aggregated, or pseudonymized information. Thus, it appears that only personal information, as defined, must be deleted, but information that does not permit reasonable identification of a consumer (such as deidentified, aggregated, or pseudonymized information) is not required to be deleted.
What to do after personal information is deleted?
Once personal information is deleted, then what? The CCPA does not specifically require a covered business to provide the consumer with any type of confirmation that his/her personal information has been deleted. As a practical matter, however, we encourage covered businesses to give the consumer a written confirmation and to maintain records of the deletion and confirmation thereof. Such confirmations may serve business purposes, such as to anticipate or avoid consumer requests for confirmation, to satisfy internal audit requirements for documentation that deletion was complete, or to establish compliance for potential litigation, enforcement or regulatory proceedings. Confirmations should have sufficient information to show that the covered business timely complied with the requirement. We note, with some irony and in the hope that forthcoming regulations may comment on this issue, however, that any information retained about the deletion of a consumer’s personal information may remain in conflict with the request to delete personal information unless the retained information falls under an exception in § 1798.105(d) or § 1798.145.
1. This third right will be addressed in a future publication.