Right to Delete Personal Information: Why your enterprise should be concerned today!
With data privacy and consumer data rights becoming law in a growing number of countries, organizations doing business in the US and EU need to take notice of their obligations to implement strict privacy protection practices. Customers have the right to know what personal data is collected about them and how it is used. More critical still is the right to be forgotten, which permits consumers to request that their data be deleted on demand.
Meeting privacy obligations head-on and early, by implementing a privacy compliance strategy, helps businesses earn consumer trust and stay ahead of the privacy curve.
What is the Right to Delete under the major privacy laws?
Privacy professionals realize that the EU's high privacy and data security requirements, and the ever-growing patchwork of US privacy regulations, place significant obligations on companies that fall within the scope of these laws. Clarip takes a look at the right to delete under each comprehensive privacy law, and at how organizations can be ready for it.
GDPR (European Union) – Right to Erasure (the Right to be Forgotten)
The GDPR (General Data Protection Regulation), in Article 17, gives individuals the right to have their personal data erased, also known as 'the right to be forgotten'. Data subjects have the right to obtain from the controller (the organization that determines how and why the data is processed) the erasure of personal data without undue delay where one of the following applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws the consent on which the processing is based, and there is no other legal ground for the processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for it (or objects to processing for direct marketing);
- the personal data have been unlawfully processed;
- the personal data must be erased to comply with a legal obligation to which the controller is subject;
- the personal data were collected from a child in connection with the offer of online (information society) services, the case for which Article 8 requires a parent's or guardian's consent.
Article 17(3) lists the exceptions, such as processing that is necessary to comply with a legal obligation or to establish, exercise or defend legal claims. See Article 17 of the GDPR legal text for exact details.
CCPA/CPRA (California) – Right to Delete
The CCPA (California Consumer Privacy Act), as amended by the CPRA, grants California residents the right to have personal information deleted. A consumer can exercise the right to delete personal information if:
- the personal information was collected by the business from the consumer; and
- it is not necessary for the business or its service provider to maintain the personal information for one of the purposes listed in the statute (for example, completing the transaction it was collected for, detecting security incidents, or complying with a legal obligation).
The CCPA/CPRA regulations provide that a business must comply with a consumer's request to delete their personal information by one of three means:
- permanently and completely erasing the personal information on its existing systems, with the exception of archived or backup systems;
- deidentifying the personal information; or
- aggregating the consumer information.
The backup exception is a deferral, not a carve-out: the regulations let a business delay deletion of data held only on an archived or backup system until that system is restored to an active system or is next accessed or used for a sale, disclosure or commercial purpose. In practice this means a restore from backup must re-apply every deletion completed since the backup was taken. See the CCPA legal text and regulations for exact details.
VCDPA (Virginia) – Right to Delete
The VCDPA (Virginia Consumer Data Protection Act) deletion right is broader than that provided by the CCPA and CPRA: it applies both to personal data a business has collected from a consumer and to personal data it has obtained about the consumer from another source. Consumers may request the deletion of their personal data, subject only to the exemptions in § 59.1-578.
CPA (Colorado) – Right to Deletion
The CPA (Colorado Privacy Act) has a right to delete similar in breadth to the VCDPA's: it allows consumers to direct businesses to delete their personal data. These obligations do not, however, restrict a controller's or processor's ability to process personal data for reasons of public interest in the area of public health, to investigate or defend legal claims, or to comply with other laws, among other listed activities.
Successfully Process Requests for Right to Delete
The right to delete personal information is not absolute. There are certain circumstances and obligations to consider in determining whether to delete personal data.
Delete Request Preparation Checklist
- Know how to recognize a request for erasure, whatever channel it arrives through, and understand when the right applies.
- Have a policy in place for how requests are processed, including how the requester's identity is verified before anything is deleted.
- Implement a process to record every request received, when it was received, and its outcome.
- Understand when a request can be refused, and inform the individual of the reason when doing so.
Complying with Requests for Deletion
- Process requests to delete without undue delay and within the deadline the applicable regulation sets (see Clarip's article on DSR fulfillment deadlines across data privacy laws).
- Be aware of the circumstances in which the time limit to respond may be extended, and notify the individual when it is.
- Understand the handling of sensitive personal information (see Clarip's article on how sensitive data is defined among states).
- Inform recipients to whom the data were disclosed (processors, vendors and other third parties) of the erasure so that they erase their copies too, and record their confirmation.
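Two points in the checklists above are where an engineer has to make a design decision: recording every request with its outcome and deadline, and making sure an erasure on the active system is not silently undone when an archived or backup copy is later restored. The Python below is an added illustration of both, written for this article; it is not Clarip's code and not a legal template. The customer records, the "open transaction" retention exception, the aggregate statistics kept in place of the identified record, and the 45-day default deadline are all assumptions made for the example; the deadline and exceptions that apply to a real request come from the law in question.

```python
"""Toy right-to-delete workflow: intake record, exception check, erasure,
and re-applying an erasure when a backup is restored.
Added illustration for this article; not Clarip's code and not a legal
template. The record layout, the 'open transaction' exception and the
45-day default deadline are assumptions made for the example."""
from __future__ import annotations

import copy
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample data (not real people): the active system, and an older
# backup taken before cust-1001 placed order o-2, which still holds
# cust-1003, a customer no longer present in the active system.
ACTIVE = {
    "cust-1001": {"email": "ana@example.com", "name": "Ana Lima",
                  "orders": [{"id": "o-1", "total": 42.0, "open": False},
                             {"id": "o-2", "total": 18.5, "open": False}]},
    "cust-1002": {"email": "bo@example.com", "name": "Bo Chen",
                  "orders": [{"id": "o-3", "total": 99.0, "open": True}]},
}
BACKUP = {
    "cust-1001": {"email": "ana@example.com", "name": "Ana Lima",
                  "orders": [{"id": "o-1", "total": 42.0, "open": False}]},
    "cust-1003": {"email": "cy@example.com", "name": "Cy Dale", "orders": []},
}


@dataclass
class DeletionLedger:
    """Every request received, plus a tombstone per erased subject so that a
    later restore from backup re-applies the erasure instead of undoing it."""
    entries: list[dict] = field(default_factory=list)
    tombstones: set[str] = field(default_factory=set)


def retention_exception(record: dict) -> str | None:
    """Return why the data must be kept, or None if deletion can proceed.
    Assumption for the example: an open order means the transaction the data
    was collected for is not complete, a ground on which a business may decline."""
    if any(order["open"] for order in record["orders"]):
        return "needed to complete an open transaction"
    return None


def aggregate_orders(record: dict) -> dict:
    """Keep only statistics that identify nobody before the identified record
    is erased (the 'aggregate' route in the CCPA regulations)."""
    totals = [order["total"] for order in record["orders"]]
    return {"order_count": len(totals), "order_total": round(sum(totals), 2)}


def process_request(store: dict, ledger: DeletionLedger, subject_id: str,
                    received: date, deadline_days: int = 45) -> dict:
    """Handle one deletion request: log it, check for an exception, erase."""
    record = store.get(subject_id)
    if record is None:
        outcome, stats = "no personal information held", None
    elif (reason := retention_exception(record)) is not None:
        outcome, stats = f"refused: {reason}", None   # reason goes back to the consumer
    else:
        stats = aggregate_orders(record)
        del store[subject_id]               # permanent erasure on the active system
        ledger.tombstones.add(subject_id)   # remembered for future restores
        outcome = "erased"
    entry = {"subject": subject_id, "received": received,
             "due": received + timedelta(days=deadline_days),
             "outcome": outcome, "aggregate": stats}
    ledger.entries.append(entry)
    return entry


def restore_from_backup(store: dict, ledger: DeletionLedger, backup: dict) -> int:
    """Bring a backup into the active system. Tombstoned subjects are dropped
    on the way in, so an earlier erasure is re-applied at the moment the
    backup is restored. Returns the number of records restored."""
    restored = 0
    for subject_id, record in backup.items():
        if subject_id in ledger.tombstones:
            continue
        store.setdefault(subject_id, record)
        restored += 1
    return restored


def run_demo() -> dict:
    """Run the scenario on copies of the sample data and report what happened."""
    store, ledger = copy.deepcopy(ACTIVE), DeletionLedger()
    first = process_request(store, ledger, "cust-1001", date(2024, 3, 1))
    second = process_request(store, ledger, "cust-1002", date(2024, 3, 1))
    restored = restore_from_backup(store, ledger, BACKUP)
    return {"first": first, "second": second, "restored": restored,
            "remaining": sorted(store), "requests_logged": len(ledger.entries)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the file erases cust-1001 and keeps only an order count and total for that subject, refuses cust-1002 because of the open order and records the reason, and then restores the backup without bringing cust-1001 back, while cust-1003, who was never the subject of a request, is restored. The tombstone keeps only the internal identifier, the minimum the active system needs to re-apply the deletion; the copies that stay inside the backup itself are left for the deferral the regulations allow.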
With Clarip's Privacy Impact Assessments, Privacy Intelligence Dashboard, Rules Engine, Vendor Monitor, and Reports Dashboard, we can help you track, process, and respond to right-to-delete requests in a timely manner. Clarip takes enterprise privacy governance to the next level and helps organizations reduce risks, engage better, and gain customers' trust! Contact us at www.clarip.com or call Clarip at 1-888-252-5653 for a demo.