We all know how frustrating it is to ask to be removed from a mailing list or distribution list, only to continue to get mail from the same company as if we have no choice in the matter. A new California law is coming into effect that gives consumers the “right to be forgotten,” which may help to make these unwanted communications a thing of the past. The California Consumer Privacy Act (“CCPA”), codified as California Civil Code §§ 1798.100 through 1798.198, grants consumers new rights relating to the access to, deletion of, and sharing of “personal information” collected by “businesses” about them.
When Must My Business Comply?
The CCPA comes into effect on January 1, 2020. This leaves less than 90 days for covered businesses to make plans and ramp up their efforts to be in compliance with the CCPA (also termed “California’s GDPR” – referring to the strict data privacy regulations enacted by the EU in 2018) by the effective date.
Is My Business Covered?
The CCPA defines “business” as a for-profit business or other legal entity that collects and determines the use of consumers’ personal information, and satisfies one or more of the following thresholds:
- Has annual gross revenues in excess of twenty-five million dollars ($25,000,000);
- Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices; or
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
If your business meets the definition set forth above, you must comply with the CCPA.
What Must My Business Do in Order to Comply?
The CCPA grants several rights to consumers (all California residents are considered “consumers” under the CCPA) as to personal information collected by a covered business.
Such rights include:
- the right to request disclosure of personal information collected and uses therefor (Civil Code § 1798.110(a));
- the right to request deletion of personal information collected by the covered business (Civil Code §§ 1798.105(a) and (c)); and
- the right to receive that information from the covered business (Civil Code § 1798.100(d)).
This post will discuss the consumer’s right to request deletion of personal information. In other words, the “right to be forgotten.”
What is the Right to Be Forgotten?
Civil Code § 1798.105 provides, in pertinent part, that:
A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.
A business that receives a verifiable consumer request to delete the consumer’s personal information pursuant to subdivision (a) of this section shall delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.
Covered businesses are obligated, and must obligate their service providers, to comply with this law.
What Must be Deleted?
The CCPA simply requires that a covered business remove from its files the requesting consumer’s personal information. While there is a 12-month look back pertaining to requests to identify information that is collected, this does not apply to the deletion requirement. Instead, all personal information collected, regardless of when collected, must be deleted in response to a request for deletion. The language of the CCPA also currently leaves open the issue of the extent to which a covered business must go to delete personal information from its archives and back-ups. There may be more guidance in the forthcoming draft regulations to be promulgated by the California Attorney General.
Are There Exemptions to the Deletion Requirement?
Yes. Civil Code § 1798.105(d) allows a covered business to forgo deletion if the information is necessary to perform any of nine specified activities, including completing the transaction for which the personal information was collected, detecting security incidents, exercising free speech, engaging in public or peer-reviewed scientific, historical, or statistical research, and complying with a legal obligation.
In addition, § 1798.145 identifies other exceptions to the mandates of the CCPA, including the deletion requirement, and provides that such mandates shall not restrict a business’s ability to perform various tasks, including complying with federal, state, and local laws, exercising or defending legal claims, using de-identified or aggregated consumer information, or collecting or selling a consumer’s personal information if every aspect of the commercial conduct takes place wholly outside of California.
What Constitutes “Personal Information” Subject to the Deletion Requirement?
The CCPA does not include de-identified, aggregated, or pseudonymized information in its definition of “personal information.” Thus, it appears that only personal information, as defined, must be deleted, but information that does not permit reasonable identification of a consumer, such as de-identified, aggregated, or pseudonymized information, is not subject to the deletion requirement.
What Must be Done after Personal Information is Deleted?
Once personal information has been deleted pursuant to a consumer request, the CCPA does not specifically require a covered business to provide the consumer with any type of confirmation of the same. However, as a practical matter, a covered business should give the consumer a written confirmation and maintain records of the deletion and confirmation. Providing confirmations to consumers may serve certain business purposes, including anticipating or avoiding consumer requests for confirmation, satisfying internal audit requirements, or establishing compliance with the CCPA in the event of litigation, enforcement or regulatory proceedings. Confirmations should show that the covered business timely complied with all requirements. The irony is that any information retained about the deletion of a consumer’s personal information is in conflict with the request to delete personal information unless it falls under an exception.
Attorneys at Carmel & Naccasha have experience preparing policies and disclosures necessary to comply with laws such as the CCPA and defending businesses against claims that consumer protection laws, such as the CCPA, have been violated.