CCPA offers Right to Delete Personal Information to California Consumers
Data Subject Access Rights like this one started in Europe with the right to be forgotten and were subsequently included in the European Union General Data Protection Regulation (GDPR) as the right to erasure. They have been a popular aspect of GDPR and data shows that EU citizens have been exercising their right since it went into effect in May. The California Consumer Privacy Act (CaCPA or CCPA) provides for the right to access, the right to delete, and limited data portability.
What businesses are covered?
The law applies to people and organizations doing business in the State of California that (a) have annual gross revenues in excess of $25 million, (b) handle the personal information of at least 50,000 consumers or devices, or (c) derive 50 percent or more in annual revenue from selling consumers’ personal information.
What steps will businesses need to take to offer this subject access right?
A business that receives a request will need to reasonably verify that the request was made by the consumer about which the information will be deleted (or their authorized representative).
How Long Do Businesses Have?
Section 1798.145(g)(1) provides for 45 days to respond to a verifiable consumer request. The period may be extended up to 90 additional days where it is necessary due to complexity and the number of requests. Businesses must inform the consumer of the extension within 45 days. If the business is not going to delete the information, it must inform the consumer without delay (and in no event longer than the time period permitted for response) the reason for refusal and any right to appeal.
Can Businesses Charge Consumers?
Businesses may only charge a fee to a consumer for the right to delete if the consumer’s requests are excessive. In the event that a consumer engages in repetitive requests that the business can demonstrate are excessive, a business may either charge a reasonable fee or notify the consumer of the reason to refuse the request.
Exceptions to California Consumer’s Right to Delete
There are nine exceptions to the right of the consumer to delete information. They can be invoked if it is necessary for the business or service to maintain the personal information pursuant to the exception.
– Transactional: Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
– Security: Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
– Errors: Debug to identify and repair errors that impair existing intended functionality.
– Free Speech: Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
– CalECPA Compliance: Comply with the California Electronic Communications Privacy Act
– Research in the Public Interest: Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
– Expected Internal Uses: To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
– Legal Compliance: Comply with a legal obligation.
– Other Internal Uses: Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
What is considered personal information under the CA privacy law that will need to be deleted?
The new privacy law has an extensive definition of personal information which will need to be disclosed to consumers if it has been collected. The covered personal information includes information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Here is a partial list of personal information specified by the law:
– Identifiers: Real name, postal address, IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
– Internet or other electronic network activity information: Browsing history, search history, and information regarding a consumer’s interactions online.
– Geolocation data.
– Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
– Biometric information.
– Characteristics of protected classifications under California or federal law.
– Professional or employment-related information.
– Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act.
– Audio, electronic, visual, thermal, olfactory, or similar information.
– Inferences drawn from any of the protected information to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
– Any categories of personal information described in subdivision (e) of Section 1798.80.
The law also provides an exception for publicly available information. Publicly available means information that is lawfully made available from federal, state, or local government records. However, information is not publicly available if that data is used for a purpose that is not compatible with the purpose for which the data is maintained.
Learn more about California’s new law:
Applying the 9 CCPA Exemptions to Deletion Requests
GDPR Right of Access Under Article 15
Right to Rectification (Correction) Under GDPR Article 16
GDPR Right to Erasure Under Article 17
Right to Data Portability under GDPR Article 20
Data Subject Access Request Management Tools and Procedures
Individual Rights Manager Software
Legal Obligation Exceptions to the CCPA Right to Delete
Internal Use Exceptions to the CCPA Right to Delete
Research Exception to the CCPA Right to Delete
Verifiable Consumer Requests in CCPA
Last Updated: April 22, 2019