Per §1798.105(a) of the CCPA statute, “[a] consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.” However (and in contrast to the approach in the GDPR), this right is subject to multiple exceptions for both businesses and service providers, which may retain the information where it is necessary to:
1) Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’ ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
3) Debug to identify and repair errors that impair existing intended functionality.
4) Exercise free speech, ensure the right of another consumer to exercise that consumer’s right of free speech, or exercise another right provided for by law.
5) Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
6) Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the business’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
7) Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
8) Comply with a legal obligation.
9) Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
Some of these exceptions are to be expected, given the nature of a relationship between the consumer and the business or service provider. Examples include the necessity to complete an underlying transaction between/among the parties or to comply with legal obligations. Others are somewhat vague, such as the exception for “solely internal uses that are reasonably aligned with the expectations of the consumer” or for internal uses that are “compatible with the context in which the consumer provided the information.” Applying these latter exceptions will almost certainly require clarification by the Attorney General.
The CCPA Regulations add some context for businesses responding to a request to delete:
- If a business cannot verify the identity of the requestor, the business may deny the request to delete. The business shall inform the requestor that their identity cannot be verified. [1]
- A business shall comply with a consumer’s request to delete their personal information by:
  - Permanently and completely erasing the personal information on its existing systems, with the exception of archived or back-up systems [however, when the backup or archive is restored or becomes active, the business must then erase];
  - Deidentifying the personal information; or
  - Aggregating the consumer information. [2]
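The three compliance methods above, together with the rule that a restored backup must have the deletion re-applied before it becomes active, map naturally onto a "deletion register" that is kept apart from the backups and replayed whenever one is restored. The following is an added example written for this page, not code from any regulator or vendor; the record layout, the `DIRECT_IDENTIFIERS` list, the zip-code coarsening used as the deidentification rule, and the per-zip order count used as the aggregate are all constructed assumptions.

```python
import copy

# Constructed sample live store (not from the page): consumer_id -> record.
LIVE_STORE = {
    "c-001": {"email": "ana@example.com", "zip": "94105", "orders": 3},
    "c-002": {"email": "bo@example.com", "zip": "94107", "orders": 1},
    "c-003": {"email": "cy@example.com", "zip": "94110", "orders": 2},
}

# Assumption: these fields are treated as directly identifying the consumer.
DIRECT_IDENTIFIERS = ("email", "phone")


def deidentify(record):
    """Strip direct identifiers and coarsen the quasi-identifier 'zip' to
    three digits. The rules are an assumption; the page only says the
    information must be deidentified."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "zip" in out:
        out["zip"] = out["zip"][:3]
    return out


class DeletionRegister:
    """Durable log of verified deletion requests. It is stored separately
    from the backups so it survives a restore and can be replayed over it."""

    def __init__(self):
        self.requests = {}      # consumer_id -> "erase" | "deidentify" | "aggregate"
        self.aggregates = {}    # zip3 -> summed order count (the retained statistic)
        self._aggregated = set()  # consumer ids already folded into aggregates

    def record(self, consumer_id, method, identity_verified):
        # §999.313(d)(1): an unverifiable request may be denied, and the
        # requestor must be told why.
        if not identity_verified:
            return "denied: identity not verified"
        if method not in ("erase", "deidentify", "aggregate"):
            raise ValueError(f"unknown method {method!r}")
        self.requests[consumer_id] = method
        return "recorded"

    def apply(self, store):
        """Apply every recorded request to `store` in place. Safe to run
        repeatedly: erase and deidentify are idempotent, and aggregation
        is counted only once per consumer."""
        for cid, method in self.requests.items():
            rec = store.get(cid)
            if rec is None:
                continue  # already gone, or never held on this system
            if method == "erase":
                del store[cid]
            elif method == "deidentify":
                store[cid] = deidentify(rec)
            else:  # aggregate: keep only the statistic, drop the record
                if cid not in self._aggregated:
                    key = rec.get("zip", "")[:3]
                    self.aggregates[key] = self.aggregates.get(key, 0) + rec.get("orders", 0)
                    self._aggregated.add(cid)
                del store[cid]
        return store


def restore_from_backup(backup, register):
    """Restore hook: the backup becomes the active store only after the
    register has been replayed over it, as the Regulations require."""
    store = copy.deepcopy(backup)
    return register.apply(store)


if __name__ == "__main__":
    reg = DeletionRegister()
    print(reg.record("c-001", "erase", identity_verified=True))
    print(reg.record("c-004", "erase", identity_verified=False))
    print(reg.apply(dict(LIVE_STORE)))
    print(restore_from_backup(LIVE_STORE, reg))
```

The point of keeping the register outside the backup set is that a restore of a snapshot taken before the request would otherwise silently resurrect the deleted records; running `apply` as part of the restore path closes that gap, and making `apply` idempotent means the same register can be replayed on every restore without double-counting aggregates.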
One additional noteworthy mandate from the Regulation is the following:
- When a business denies a consumer’s request to delete, the business shall do all of the following:
  - Inform the consumer that it will not comply with the consumer’s request and describe the basis for the denial, including any conflict with federal or state law, or exception to the CCPA, unless prohibited from doing so by law;
  - Delete the consumer’s personal information that is not subject to the exception; and
  - Not use the consumer’s personal information retained for any other purpose than provided for by that exception.
[1] The CCPA Regulations §999.313(d)(1).
[2] The CCPA Regulations §999.313(d)(2).