The CCPA grants consumers the right to request deletion of any personal information which a business has collected from the consumer. Cal. Civ. Code § 1798.105. It also requires a business to fulfill deletion requests, and to direct service providers to do the same, within 45 days of receiving a “verified” or “verifiable” request from the consumer. Cal. Civ. Code § 1798.140(y).
The CCPA’s deletion right can be exercised for almost any reason, subject to several exceptions. Specifically, a business is not required to comply with a consumer deletion request if the business needs the personal information to do any of the following:
- Complete the transaction for which it was collected, provide goods or services requested by the consumer or reasonably anticipated within the context of the relationship with the consumer, or perform the contract between the business and the consumer;
- Detect security incidents and protect against malicious, fraudulent, or illegal activity;
- Debug to identify and repair errors that impair existing intended functionality;
- Exercise free speech or another legal right, or ensure the right of another to exercise free speech;
- Engage in scientific, historical, or statistical research in the public interest;
- Use internally in a way that is “reasonably aligned” with the expectations of the consumer “based on the consumer’s relationship with the business,” or otherwise use in a manner “that is compatible with the context in which the consumer provided the information;” and
- Comply with a legal obligation or applicable laws.
Some of the exceptions are common sense (e.g., a business retaining a consumer’s shipping information to deliver the product that he or she ordered), but others, like the exception for data use that is “reasonably aligned” with consumers’ expectations, are subjective and less clear-cut. It is vital that a business consult with legal counsel to understand whether an exception would apply to its particular situation.
Relying on an exception will often come down to risk tolerance, which in today’s environment—with data privacy issues in the spotlight—can itself be risky business. It is therefore recommended that a business take steps now to implement appropriate response protocols for consumer deletion requests. To do so, a business must not only identify all personal information it holds and where it resides (i.e., conduct a detailed data inventory), but also be able to comply with a deletion request without disrupting data systems or data-based processes, which may be challenging for certain companies (e.g., businesses that use personal information to manage a consumer loyalty program, or businesses that employ certain types of blockchain solutions). In such cases, there may be an argument that the consumer’s reasonable expectations serve as an exception to the deletion mandate. However, no legislative guidance has yet been provided.