The Research Exception to the CCPA Right to Delete
A business subject to the California Consumer Privacy Act (CCPA) does not need to delete the personal information of a consumer pursuant to their request if it is engaged in certain research.
When does the research exception apply to consumer right to delete requests?
In order for a business to avoid the requirement to delete a California consumer’s personal information, the research must meet a number of conditions. These conditions are laid out between the definition of the term research and the list of exceptions to the right to delete. Here is a basic overview of the list of conditions below:
Research: The term is limited to scientific, systematic study and observation. The definition of the term includes a non-exclusive list such as basic research, applied research in the public interest that adheres to applicable ethics/privacy laws, and public health studies conducted in the public interest.
Types of Research: The exception is limited to public or peer-reviewed scientific, historical or statistical research.
Public Interest: The research must be in the public interest. The term is not defined in the law so it would be open to interpretation by the Attorney General (through issued rules and regulations) and by the courts.
Compliance: The research must adhere to all other applicable ethics and privacy laws.
Necessity: Deletion of the information must be likely to render impossible or seriously impair the achievement of such research. If the research can still be conducted without requiring the individual’s personal data, then it would likely not apply.
Informed Consent: This clause suggests that the consumer must have previously provided his or her informed consent to the business to carry out the research. In other words, businesses that are conducting research based on data without the permission of the user may not rely on this exception.
When a Business Collects Personal Information for the Research: If the research is using personal information collected from a consumer in the course of interactions with a business’ service or device for other purposes, then nine conditions must be met. This condition is contained in the definition of research. The nine conditions are:
1. Information collected for a compatible business purpose
2. Information pseudonymized and deidentified, or deidentified and in the aggregate.
3. Technical safeguards prohibit reidentification.
4. Business processes prohibit reidentification.
5. Business process prevent inadvertent release of deidentified information.
6. Protected from reidentification attempts
7. Used solely for research purposes compatible with the purpose of the collection.
8. Not used for commercial purposes
9. Security controls limit access to the research data only to necessary individuals.
Thoughts about the Research Exception
This is going to be a difficult exception for most businesses to meet. It is going to be particularly hard for a business to meet the necessity clause in the exception. For example, most health studies plan for a certain number of people to drop out of the study and discontinue participation. If the business planned for such an event, then deleting information when extra study participants request it would not damage the overall integrity and purpose of the study.
Additionally, the exception seems to only apply if there has already been informed consent about the collection and usage of the personal information for the study. So there is in effect an opt in requirement if a person or business conducting research intends to rely on this exception.
Learn more about California’s new law:
Right to Opt Out
Right to Access
Right to Delete
Opt In Consent for Kids
Effective Date for Compliance
Application to non-CA Businesses
Do Not Sell My Personal Information Link
Financial Incentives for Information Sharing
Deidentified and Aggregate Consumer Information
Government Fines and Consumer Damages
Text of AB-375
The Research Exception to the Right to Delete
How to Verify Requests
Other California Privacy Laws
Blog Posts on the Privacy Law:
Will California’s Privacy Law Extend to the Rest of the Country?
Big Day for California Privacy Law
California to Pass New Privacy Law
California Consumer Privacy Act Expected on November Ballot