Applying the 9 CCPA Exemptions to Deletion Requests
The California Consumer Privacy Act (CCPA) provides nine exemptions to a consumer’s right to delete. These exceptions to deletion are more extensive than those specified in the European Union’s General Data Protection Regulation (GDPR), which limits the grounds on which a data subject’s erasure request may be refused to five.
We have previously listed the nine exemptions in our overview of the CCPA Right to Delete (referred to in the GDPR context as the right to erasure or the right to be forgotten). An exemption can be invoked only where it is necessary for the business or service provider to maintain the personal information for the purpose stated in that exemption. As businesses work these rules into their compliance efforts in 2019 and 2020, some additional discussion seems warranted.
Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
This exemption contemplates a business’s ability to retain the personal information of a current customer who nevertheless submits a deletion request. If the personal information is needed to perform a contract, complete a transaction, or further the existing business relationship, it is not subject to the right to be forgotten.
An example is an eCommerce customer who submits a deletion request before the return/refund or warranty period has elapsed. Information needed to verify the purchase or to exercise those rights could be excluded from the data that is deleted.
The complication with retaining personal information under this transactional exemption is that it requires a case-by-case examination of each item of information to determine whether it will be needed in the future. It does not give a business carte blanche to keep the customer’s information.
Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
The security exemption lets covered businesses retain server logs and other information used to detect and prevent security incidents. Note that this information is not limited to cybersecurity data; it could extend, for example, to records produced by facial recognition software of individuals entering or exiting a building. As with the other exemptions, only information that is necessary for the stated purpose is covered, so the scope and retention period of such logs should be justified by the detection need rather than left open-ended.
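The transactional and security exemptions above both require a record-by-record decision rather than a blanket "keep everything" or "delete everything". The following Python sketch is an added example, not code from this page or from Clarip, of how a deletion pipeline can make and log that decision. Everything in it is an assumption for illustration: the record categories, the 30-day return window, the 90-day security-log window, and the set of order fields treated as necessary to verify a purchase are values a business would set from its own policies, not numbers the CCPA specifies.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical record model: each stored item is tagged with the purpose it was
# collected for, so a deletion request can be evaluated record by record.
@dataclass
class Record:
    record_id: str
    category: str            # "order", "security_log", "marketing_profile", ...
    collected_on: date
    fields: dict

@dataclass
class Decision:
    record_id: str
    action: str              # "delete", "retain" or "retain_minimized"
    basis: str               # exemption relied on, or "none"
    retained_fields: dict = field(default_factory=dict)

# Assumed retention parameters. The CCPA does not set these numbers; a business
# derives them from its own return policy and incident-detection needs.
RETURN_WINDOW = timedelta(days=30)
SECURITY_LOG_WINDOW = timedelta(days=90)
# Order fields assumed necessary to verify a purchase for a refund or warranty
# claim. Everything else in a retained order is dropped.
ORDER_VERIFY_FIELDS = {"order_number", "sku", "amount", "purchase_date"}


def evaluate(record: Record, request_date: date) -> Decision:
    """Decide, for one record, whether an exemption justifies keeping it."""
    age = request_date - record.collected_on
    if record.category == "order":
        if age <= RETURN_WINDOW:
            # Transactional exemption: keep only what is needed to verify the
            # purchase while the return window is still open.
            kept = {k: v for k, v in record.fields.items() if k in ORDER_VERIFY_FIELDS}
            return Decision(record.record_id, "retain_minimized", "transactional", kept)
        return Decision(record.record_id, "delete", "none")
    if record.category == "security_log":
        if age <= SECURITY_LOG_WINDOW:
            # Security exemption: logs still within the detection window stay.
            return Decision(record.record_id, "retain", "security", dict(record.fields))
        return Decision(record.record_id, "delete", "none")
    # No exemption is claimed for any other category.
    return Decision(record.record_id, "delete", "none")


def process_request(records, request_date: date):
    """Evaluate every record; the returned list doubles as the audit trail."""
    return [evaluate(r, request_date) for r in records]


def summarize(decisions):
    """Count decisions by action, e.g. {"delete": 3, "retain": 1, ...}."""
    counts = {}
    for d in decisions:
        counts[d.action] = counts.get(d.action, 0) + 1
    return counts


# Constructed sample data for one consumer (not real records).
REQUEST_DATE = date(2020, 3, 1)
SAMPLE_RECORDS = [
    Record("o-1001", "order", date(2020, 2, 20),
           {"order_number": "1001", "sku": "A-17", "amount": 49.0,
            "purchase_date": "2020-02-20", "shipping_address": "12 Elm St",
            "gift_message": "Happy birthday"}),
    Record("o-0917", "order", date(2019, 11, 1),
           {"order_number": "917", "sku": "B-3", "amount": 12.5,
            "purchase_date": "2019-11-01", "shipping_address": "12 Elm St"}),
    Record("log-77", "security_log", date(2020, 1, 15),
           {"event": "failed_login", "src_ip": "203.0.113.9"}),
    Record("log-12", "security_log", date(2019, 10, 1),
           {"event": "failed_login", "src_ip": "203.0.113.9"}),
    Record("mkt-5", "marketing_profile", date(2019, 6, 1),
           {"segment": "frequent_buyer", "email_opt_in": True}),
]

if __name__ == "__main__":
    for d in process_request(SAMPLE_RECORDS, REQUEST_DATE):
        print(d.record_id, d.action, d.basis, sorted(d.retained_fields))
```

Two design points follow from the text. First, a retained order is minimized, not kept whole: the shipping address and gift message are deleted even though the order itself survives, because only the purchase-verification fields are necessary under the exemption. Second, every retained record carries the exemption it relies on, so that once the return or detection window closes the record can be revisited and deleted rather than silently kept.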
Debug to identify and repair errors that impair existing intended functionality.
This exemption permits companies to keep server logs and other data in order to identify and fix errors in their software. Note that the information may only be kept and used to identify and repair problems with existing functionality; the exemption does not cover data that would be used to build new functionality.
It is noteworthy that the CCPA does not restrict the processing of such information to the intended functionality if the information has a dual role. Nevertheless, the information must be “necessary” for debugging in order to fall within this exemption from the right of erasure.
Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
Free speech and the right to be forgotten have long been said to be on a collision course. This exemption favors free speech in that conflict. It is expected to protect discourse published online by a company or its users from any requirement to delete it, and it appears to be a direct response to the broad European right to be forgotten.
What could be the other rights provided for by law? This might include, for example, freedom of the press to the extent that it is not coterminous with the right to free speech.
Comply with the California Electronic Communications Privacy Act
This exemption may ultimately be swallowed by the broader exemption for compliance with a legal obligation. However, we discuss it separately here since the California legislature saw it as worthy of separate inclusion.
This 2015 law (CalECPA) requires California law enforcement to obtain a warrant before accessing certain electronic information. If a business has received a government request for an individual’s personal information under the terms of CalECPA, it does not have to delete that information.
The information covered by a government request under the law is typically specified in a warrant, wiretap order, subpoena, or other instrument established by the law. To the extent that the request is limited, the business may be obligated to delete information that falls outside the scope of the request if it does not meet any of the other exemptions.
CalECPA also permits a service provider to voluntarily disclose electronic communication information or subscriber information when that disclosure is not otherwise prohibited by state or federal law. However, such a voluntary disclosure does not by itself bring the personal information within the exemption, since retaining it is not “necessary” to “comply” with the law.
The California Attorney General may ultimately issue regulations clarifying the scope of this exemption, but it will likely remain narrow, applying mainly where a person appears to be trying to delete their information in order to thwart an ongoing government investigation.
Research in the Public Interest
Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
This exemption was likely created in order to be applied in the medical context, although its importance may be diminished as a result of the broadened exemption for medical information provided in the SB-1121 amendments. Depending on the final scope of these exemptions, it may still be needed for certain medical research. As the law only applies to businesses, it is unclear to what extent this exemption needs to apply to research by educational institutions.
Expected Internal Uses
To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
This exemption protects information from deletion that is solely used internally and is aligned with consumer expectations. It is perhaps best interpreted as a type of “legitimate interests” exemption from the right to delete.
Comply with a legal obligation.
This could be construed broadly to include government requirements as part of a regulatory investigation, document retention obligations, discovery in civil lawsuits and other obligations created by the government, its laws and the judicial system (whether in the courts or other systems such as mediation).
Other Internal Uses
Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
This catch-all exemption may ultimately be similar in scope to the exemption for solely internal uses. We await further guidance on which situations this exception covers that differ from those above.
CCPA Opportunity to Cure
The CCPA gives companies a 30-day opportunity to cure violations before the Attorney General may file an enforcement action. If an organization incorrectly interprets the law and fails to delete an individual’s information as required, the cure provision may nevertheless allow it to avoid enforcement by subsequently deleting the information properly.
How do these compare to the GDPR exceptions provided by Article 17?
Organizations that operate in both California and Europe will need to evaluate different criteria when determining whether to honor deletion requests. The differences between the CCPA and the GDPR need to be carefully evaluated internally, and GDPR procedures modified to apply the correct exceptions.
GDPR’s right to erasure specifies five cases in which an organization is not required to delete the personal data of an individual who has made a request. The GDPR exemptions (generally) include:
– exercising the right of freedom of expression and information.
– compliance with a legal obligation.
– for certain reasons of public interest in the area of public health.
– for archiving purposes in the public interest, scientific or historical research purposes, or certain statistical purposes.
– for the establishment, exercise or defense of legal claims.
Organizations need to closely follow the interpretation of the CCPA and GDPR exemptions, as their scope may not ultimately be the same. For example, the GDPR provides the ability to avoid deleting data for “legal claims” in addition to compliance with legal obligations. The text of the CCPA, on the other hand, includes only compliance with a legal obligation.
The GDPR also does not provide an explicit opportunity to cure. However, several data protection authorities (DPAs) in 2018 gave organizations the ability to alter their privacy practices to bring them into compliance before deciding to issue penalties for a GDPR violation.