Legal Obligation Exceptions to the CCPA Right to Delete
A business does not have to delete the personal information of a consumer after a verifiable request under the California Consumer Privacy Act of 2018 (CCPA) when it is necessary to comply with a legal obligation. Two of the nine exceptions to the right to delete in the CA privacy law deal with this situation.
The first exception applies specifically to compliance with the California Electronic Communications Privacy Act. This law imposes a warrant or other legal requirement on the acquisition of metadata by law enforcement except in emergency situations. How does this exception work? If a business has received a request to delete personal information and gets a government request for information about the individual, then it does not have to delete that information.
The second exception applies more generally to “a legal obligation.” This could be construed broadly to include government requirements as part of a regulatory investigation, document retention obligations, discovery in civil lawsuits and other obligations created by the government, its laws and the judicial system (whether in the courts or other systems such as mediation).
These two exceptions will likely be construed in tandem with Section 145. This section indicates that the California Consumer Privacy Act is not intended to restrict the business’s ability to comply with laws, cooperate with government authorities or law enforcement entities, and exercise or defend legal claims.
The General Data Protection Regulation (GDPR) contains a similar exception as part of the right to be forgotten in Article 17. The exception in the GDPR provides for processing that is necessary for compliance with a legal obligation in the EU to which the controller is subject regardless of whether the data subject has requested the erasure of his or her personal data.
There are other legal exceptions to the entire California Consumer Privacy Act which could also serve as exceptions to the right to delete. These exceptions involve the Confidentiality of Medical Information Act, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act and the Driver’s Privacy Protection Act of 1994. We will be closely looking at these exceptions over the next few months to determine their applicability to the right to delete under the new CA privacy law. The Attorney General also has the authority to make any other exceptions necessary to comply with federal or state law.