After learning of the misuse of tens of millions of people’s personal information by Cambridge Analytica in March 2018, Congress was made aware that personal information may be vulnerable to misuse when shared on the Internet, leading to a desire for privacy controls and increased transparency in data practices. A new California law is coming into effect that gives consumers the “right to be forgotten,” which may help to make these unwanted privacy breaches a thing of the past. The California Consumer Privacy Act (“CCPA”), codified as California Civil Code §§ 1798.100 through 1798.198, grants consumers new rights relating to the access to, deletion of, and sharing of “personal information” collected by “businesses” about them.
When Must My Business Comply?
The CCPA comes into effect on January 1, 2020. This leaves less than 90 days for covered businesses to make plans and ramp up their efforts to be in compliance with the CCPA (also termed “California’s GDPR” – referring to the strict data privacy regulations enacted by the EU in 2018) by the effective date.
Is My Business Covered?
The CCPA defines “business” as a for-profit business or other legal entity that collects and determines the use of consumers’ personal information, and satisfies one or more of the following thresholds:
- Has annual gross revenues in excess of twenty-five million dollars ($25,000,000);
- Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices; or
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
If your business meets the definition set forth above, you must comply with the CCPA.
What Must My Business Do in Order to Comply?
The CCPA grants several rights to consumers (all California residents are considered “consumers” under the CCPA) as to personal information collected by a covered business.
Such rights include:
- the right to request disclosure of personal information collected and uses therefor (Civil Code § 1798.110(a));
- the right to request deletion of personal information collected by the covered business (Civil Code §§ 1798.105(a) and (c)); and
- the right to receive that information from the covered business (Civil Code § 1798.100(d)).
Any business subject to the CCPA has the responsibility to:
- Obtain parental or guardian consent for minors under 13 in order to collect and share data.
- Provide a “Do Not Sell My Personal Information” link on the homepage of their website that enables the consumer to opt out of the sale of their personal information.
- Provide at least two methods for submitting data access requests, including a toll-free phone number, at a minimum.
- Update their privacy policies with the new required information, including a description of California residents’ rights under the CCPA.
- Avoid requesting opt-in consent for data collection for 12 months after a California resident has opted out.
This post will discuss the consumer’s right to request deletion of personal information, in other words, the “right to be forgotten.”
What is the Right to Be Forgotten?
Civil Code § 1798.105 provides, in pertinent part, that:
A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.
A business that receives a verifiable consumer request to delete the consumer’s personal information pursuant to subdivision (a) of this section shall delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.
Covered businesses must comply with this law themselves and must also obligate their service providers to comply with it.
What Must be Deleted?
The CCPA simply requires that a covered business remove from its files the requesting consumer’s personal information. While there is a 12-month look-back period for requests to identify the information that has been collected, this does not apply to the deletion requirement. Instead, all personal information collected, regardless of when it was collected, must be deleted in response to a request for deletion. The language of the CCPA also currently leaves open the issue of how far a covered business must go to delete personal information from its archives and backups. There may be more guidance in the forthcoming draft regulations to be promulgated by the California Attorney General.
Are There Exemptions to the Deletion Requirement?
Yes. Civil Code § 1798.105(d) allows a covered business to forgo deletion if the information is necessary to perform any of nine specified activities, including completing the transaction for which the personal information was collected, detecting security incidents, exercising free speech, engaging in public or peer-reviewed scientific, historical, or statistical research, and complying with a legal obligation.
In addition, § 1798.145 identifies other exceptions to the mandates of the CCPA, including the deletion requirement, and provides that such mandates shall not restrict a business’s ability to perform various tasks, including complying with federal, state, and local laws, exercising or defending legal claims, using de-identified or aggregated consumer information, or collecting or selling a consumer’s personal information if every aspect of the commercial conduct takes place wholly outside of California.
What Constitutes “Personal Information” Subject to the Deletion Requirement?
Personal information is defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked with a particular consumer or household, such as a:
- Real name;
- Postal address;
- Unique personal identifier;
- Online identifier;
- Internet Protocol address;
- Email address;
- Account name;
- Social security number, driver’s license number, or passport number;
- Biometric data such as a fingerprint, or a retina/iris image.
The definition of “personal information” does not include de-identified, aggregated, or pseudonymized information. Thus, it appears that only personal information, as defined, must be deleted; information that does not permit reasonable identification of a consumer, such as de-identified, aggregated, or pseudonymized information, is not subject to the deletion requirement.
Penalties for Violating the CCPA
Businesses that have been found to be in violation of the CCPA can be subject to the following:
- Businesses that have been subject to data theft or security breaches as a result of their failure to implement and maintain reasonable security procedures can be subject to class action lawsuits and be ordered to pay between $100 and $750 per consumer per incident.
- Businesses are subject to a $7,500 fine per intentional violation of the CCPA and a $2,500 fine per unintentional violation of the CCPA.
*These penalties may apply to businesses overseas that ship items to California.
What Must be Done after Personal Information is Deleted?
Once personal information has been deleted pursuant to a consumer request, the CCPA does not specifically require a covered business to provide the consumer with any type of confirmation of the same. However, as a practical matter, a covered business should give the consumer a written confirmation and maintain records of the deletion and confirmation. Providing confirmations to consumers may serve certain business purposes, including anticipating or avoiding consumer requests for confirmation, satisfying internal audit requirements, or establishing compliance with the CCPA in the event of litigation, enforcement or regulatory proceedings. Confirmations should show that the covered business timely complied with all requirements. The irony is that any information retained about the deletion of a consumer’s personal information is in conflict with the request to delete personal information unless it falls under an exception.
Attorneys at Carmel & Naccasha have experience preparing the policies and disclosures necessary to comply with laws such as the CCPA and defending businesses against claims that consumer protection laws, such as the CCPA, have been violated.