Internal Use Exceptions to the CCPA Right to Delete
The California Consumer Privacy Act of 2018 provides two exceptions for internal uses to the right to delete personal information. The internal use exceptions allow a business to retain the personal information of a consumer despite a verifiable request to delete it when necessary.
The first exception in the CCPA requires the personal information to be necessary to enable solely internal uses reasonably aligned with the consumer’s expectations based on their relationship with the business. There really isn’t a great explanation in the text of the types of internal uses that would permit the use of this exception. However, when looking at the types of problems that businesses had in preparing for compliance with the European Union’s General Data Protection Regulation (GDPR), a few possibilities arise.
Backups that contain personal information have been a problem for many businesses exercising the right to erasure under GDPR. The maintenance of electronic backups which contain the personal information of consumers could qualify as an internal use. It would also align with the expectations of consumers not to lose information that they provided to the company as part of their account. If it would be difficult to delete this personal information from the backup, then such retention might be considered necessary depending on the ultimate interpretation of the term.
Another possible application of this internal use exception based on the expectation of the consumer are the internal server logs created by a company. These files typically have the pages visited and the IP address of a consumer. This address could be used to isolate an individual or household, so it would be considered personal information. Nevertheless, since most businesses maintain these logs and it could be hard to delete information from them (since it is not segregated by account to be easily manipulated), it might be considered necessary for an internal use.
The second exception is a catch-all for the internal use of personal information in a lawful manner compatible with the context in which the consumer provided the information. There really isn’t an explanation of what it means to be compatible, but this exemption could also create room for the maintenance of backups and server logs.
The real question here will be how broadly the Attorney General and the judicial system interprets the word “necessary” in the law. If it interprets it narrowly, then the exceptions will be limited and businesses will have to undertake the expense of changing how it handles these systems. If it interprets it broadly to include business processes that would be expensive to delete the personal information of an individual, then these internal use exceptions could greatly aid companies in addressing the right to delete personal information under the law.
We will continue to monitor changes to the California Consumer Privacy Act and any regulations issued by the CA Attorney General in order to keep the Clarip software in line with the exceptions to the right to delete.
Right of Access in CCPA
CCPA Right to Delete
Applying the 9 CCPA Exemptions to Deletion Requests
GDPR Right of Access Under Article 15
Right to Rectification (Correction) Under GDPR Article 16
GDPR Right to Erasure Under Article 17
Right to Data Portability under GDPR Article 20
Data Subject Access Request Management Tools and Procedures
Individual Rights Manager Software
Legal Obligation Exceptions to the CCPA Right to Delete
Research Exception to the CCPA Right to Delete
Verifiable Consumer Requests in CCPA