The effective date for the California Consumer Privacy Act (CCPA) is January 1, 2020. With fewer than 60 days remaining, covered businesses must be ramping up to meet the requirements of the CCPA. The CCPA affords several rights to California residents (as the term “consumer” is defined by the Act) as to personal information collected by a covered business. Among these rights is: (1) the right to request disclosure of personal information collected and uses therefor (§ 1798.110(a)); (2) the right to request deletion of personal information collected by the covered business (§§ 1798.105(a) and (c)); and (3) the right to receive that information from the covered business (§ 1798.100(d)).1
This article focuses on the second – the consumer’s right to request deletion of personal information, often called the “right to be forgotten.” This right obligates covered businesses, which must obligate their service providers. Under § 1798.105:
(a) A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.
* * *
(c) A business that receives a verifiable consumer request to delete the consumer’s personal information pursuant to subdivision (a) of this section shall delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.
If the Proposed Regs are adopted, we note that before any information is deleted, the covered business must acknowledge within 10 days the receipt of the verifiable consumer request to delete. See Proposed Regs § 999.313(a).
What must be deleted?
But, what does “delete” mean in the context of the CCPA? Absent a definition, the CCPA simply requires that a covered business remove from its files the requesting consumer’s personal information. We stress that the 12-month look back pertaining to requests to identify information that is collected does not apply to the deletion requirement. Instead, personal information collected, regardless of when collected, must be deleted in response to a request for deletion. The proposed California Consumer Privacy Act Regulations (“Proposed Regs”), issued by the California Attorney General, note in § 999.313(d)(7) that, if the regulations are adopted as presented, a business may present the consumer with the choice to delete select portions of their personal information but only if an option is available to delete all of the consumer’s personal information.
While the language of the CCPA leaves open the issue of the extent to which a covered business must go to its archives and back-ups and delete all personal information from those locations as well, the Proposed Regs explain that, if the regulations are adopted as presented, personal information stored in archives or backup systems must be deleted but the deletion may be delayed:
If a business stores any personal information on archived or backup systems, it may delay compliance with the consumer’s request to delete, with respect to data stored on the archived or backup system, until the archived or backup system is next assessed or used.
Proposed Regs at § 999.313(d)(3).
What are exceptions to the deletion requirement?
There are, however, exceptions to the deletion requirement. Section 1798.105(d) allows a covered business to forego deletion if the information is necessary to perform any of nine specified activities including, for example, completing the transaction for which the personal information was collected, detecting security incidents, exercising free speech, engaging in public or peer-reviewed scientific, historical, or statistical research, and complying with a legal obligation.
In addition, § 1798.145 identifies other exceptions to the mandates of the CCPA, providing that the deletion requirement, shall not restrict a business’s ability to perform various tasks including complying with federal, state, and local laws, exercising or defending legal claims, using deidentified or aggregated consumer information, or collecting or selling a consumer’s personal information if every aspect of the commercial conduct takes place whole outside of California.
The definition of “personal information” is also helpful in that it does not include deidentified, aggregated, or pseudonymized information in its definition of “personal information.” Thus, it appears that only personal information, as defined, must be deleted, but information that does not permit reasonable identification of a consumer—such as, deidentified, aggregated, or pseudonymized information—is not required to be deleted.
What to do after personal information is deleted?
Once personal information is deleted, then what? Although the CCPA, as amended, does not specifically require a covered business to provide the consumer with any type of confirmation that his/her personal information has been deleted, the Proposed Regs shed some light on the subject. If adopted, the covered business must respond to the consumer’s request to delete within 45 days, with the possibility of extending the time to respond by an extra 45 days. See Proposed Regs § 999.313(b). In addition, the Proposed Regs require that upon deletion of the consumer’s personal information the covered business must: (1) specify the manner in which it has deleted the personal information, and (2) disclose that it will maintain a record of the consumer’s request to delete. See Proposed Regs §§ 999.313(d)(2), (4) and (5). As a practical matter, we encourage covered businesses to include a written confirmation that the personal information has in fact been deleted. Such confirmations may serve business purposes, such as to satisfy internal audit requirements for documentation that deletion was complete, or to establish compliance for potential litigation, enforcement or regulatory proceedings. Confirmations should have sufficient information to show that the covered business timely complied with the requirement. Any information retained about the deletion of a consumer’s personal information may remain in conflict with the request to delete personal information unless the retained information falls under an exception in § 1798.105(d) or § 1798.145 or is used solely for record-keeping purposes. We note that Proposed Regs § 999.313(d)(5) require, if adopted as presented, that the covered business “disclose that it will maintain a record of the request pursuant to Civil Code section 1798.105(d).” The records will be maintained for at least 24 months, and the maintenance of such records, where the information is not used for any other purpose, is not a violation of the CCPA. See Proposed Regs. § 999.317(b)-(f).
This third right will be addressed in a future publication.