The CCPA has ushered in a new era of data privacy for consumers across California, affording California residents the right to request the deletion of any data that a company, or its associates, holds on them.
We take a closer look at this often confusing legislation, exploring how customers make data deletion requests, how businesses comply with these requests, and the exceptional circumstances under which data deletion is not enforceable.
What is the Right to Delete under the CCPA, and why is it important?
The CCPA came into effect on January 1st, 2020, but enforcement has not yet kicked off in earnest - California Attorney General Becerra intending to begin enforcement by July 1st, 2020. Under Section 1798.105 of the CCPA (California Consumer Privacy Act,) a consumer has the right to request that a business delete their personal information from its records and direct all its service providers to do the same.
These types of subject access rights date back to 2014, when Mario Costeja Gonzalez sued Google to suppress search results about his financial troubles. The outcome of the trial was the ‘right to be forgotten,’ a privacy law that gave citizens the right to have negative private information about them scratched from the online record. Later, the right to be forgotten was replaced by the ‘right to erasure’ under the EU’s GDPR (General Data Protection Regulation,) a sweeping set of data privacy laws which inspired the CCPA.
The importance of the new regulations on data privacy cannot be overstated with over half a million companies in the United States due to be affected. Some businesses (including Microsoft) have pledged to grant CCPA rights to all their customers. The difficulty delineating California residents from other consumers, coupled with the likelihood that other states will follow California’s lead with their own CCPA-type laws, means enacting rights for all consumers could prove to be the sensible option.
What constitutes personal information under CCPA?
‘Personal information’ lies at the heart of the CCPA, especially the right to delete, so what does ‘personal information’ actually mean? Fortunately, the statute is very prescriptive in this regard, with a long list of personal data that could be used to build a customer profile. These include:
Identifiers such as name, alias, postal address, username, password, email address, social security number, driver’s license number or passport number
Characteristics of protected classifications under California or federal law such as race, religion, sex/gender, and sexual orientation
Commercial information such as records of personal property and products purchased, obtained, or considered
Internet browsing history, search history, and information regarding a consumer’s interaction with websites, apps, or ads
Audio, electronic, visual, thermal, olfactory, or similar information
Education data (that’s not publicly available)
Any inference that could be used to create a consumer profile such as preferences, characteristics, predispositions, behavior, intelligence, or aptitudes
Can I ask a company to delete my data in the US?
Unlike the GDPR and its right to erasure, which applies to all businesses, public bodies, institutions, not-for-profits, and even individuals under some circumstances, regardless of their size, the CCPA only covers mid- to large-sized companies which fulfill one of the following criteria:
The business has a gross annual revenue of $25 million or more.
The business annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices.
The business derives 50% or more of its annual revenues from selling consumers’ personal information.
Furthermore, the CCPA only protects California residents. These are defined as individuals who are in the State “other than for a temporary or transitory purpose” and individuals “domiciled in the State but outside the State for a temporary or transitory purpose.” Under this classification, a California resident who is out-of-state at college, ie, for a temporary purpose, would still be protected.
Assuming the company and the consumer meet the above criteria, a request for data deletion can be submitted. The easiest way to make such a consumer request is through the "Do Not Sell My Personal Information" link that all companies covered by the CCPA are required to feature prominently on their homepage.
Remember, it’s not just companies located in the United States that fall under the CCPA - California is the fifth-largest economy in the world, and merely operating a website that collects California residents’ private data leaves a company subject to the law.
Submitting Deletion Requests
How can a consumer submit a CCPA request? The CCPA doesn’t specify how a deletion request should be submitted, but it does require businesses to create at least two methods for consumers to use.
One such method must be a toll-free phone number unless the business interacts with customers solely online, in which case an email address is sufficient. If the business operates a website (as everyone does), it must have an interactive web-form that can be used for submissions. Other acceptable submission methods are a form submitted in person, and a form submitted through the mail.
Rules on Deadlines and Fees
A business has to confirm receipt of a verifiable consumer request within ten days of it being submitted to ensure CCPA compliance. The confirmation should provide information about how the business intends to handle the request, their verification process, and confirmation of when the consumer will receive a response.
The business must then provide a full response to the consumer within 45 days of the original request. This can be extended to 90 days under certain circumstances, such as if the request is particularly complex or if the business is attempting to handle a high number of requests simultaneously.
Businesses can charge a fee to the consumer for making a deletion request, but only if the consumer engages in repetitive requests for additional information that are deemed to be excessive.
What must be deleted?
A business doesn’t have to delete all of the consumers personal information immediately. It can give the consumer the option to delete only selected portions or categories of personal information, so long as two conditions are met:
The consumer must also be provided with a so-called “global option” to delete everything
The global option has to be presented more prominently than the other choices.
If consumer data is locked away in archived or backup systems, the CCPA allows the deletion to take place on the next occasion the archive or backup system are assessed or used.
Understanding the Limits of the Right to Deletion
Enforcement could prove to be the weakest part of the CCPA. Individuals can’t sue companies for failure to delete a consumer’s personal information, and although a data subject can lodge a complaint with the attorney general if a business isn’t behaving in a lawful manner, the attorney general only has the resources to pursue a handful of cases each year.
Then there’s the issue of the CCPA’s ‘notice and cure’ provision, which Hayley Tsukayama of the EFF has called a “get out of jail free card.” Under this provision, a business or service provider that impinges on a consumer’s rights has 30 days to change their violating policies after they’ve been apprehended. The company’s business relationship with the consumer might be ruined, but it can avoid punishment for illegal practises so long as it acts within the 30 day window - that’s not much of a deterrent.
Another potential limitation lies in the CCPA’s insistence that deletion requests shouldn’t restrict a business’s ability to collect or sell data from commercial activities outside of California, and that a business can still gather, use, retain, sell, or disclose de-identified or aggregated data, so long as it can’t be linked to an individual.
Exceptions to the deletion requirement
If a business wants to keep a consumer’s personal information on file, there are several exceptions that it can invoke. These include:
Transactional: The personal information is required to complete the transaction for which the personal information was initially provided.
Security: The personal information is required to protect against security incidents, and prosecute those who are responsible for malicious or illegal activity.
Errors: The personal information is required to identify and fix errors in software programs.
Free speech: The personal information is required to exercise free speech or ensure that another consumer can exercise their free speech.
CalECPA Compliance: The personal information is required to comply with the California Electronic Communications Privacy Act.
Research in the Public Interest: The personal information is required to engage in public or peer-reviewed scientific, historical, or statistical research in the public interest.
Expected Internal Uses: The personal information is required to be used solely internally to fulfill the expectations of the consumer based on the consumer’s relationship with the business.
Legal compliance: The personal information is required to comply with a legal obligation.
What to do if the Deletion Request is Denied
If a business denies a consumer’s request for deletion for one or more of the exceptions outlined above (including to comply with federal law), there are a number of steps the business must take, which are summarised below:
Notify the consumer that it will not comply;
Describe the basis for the denial;
Delete the consumer’s personal information that is not subject to the exception;
Refrain from using the consumer’s personal information for any purpose other than provided for by any exception
What to do after personal information is deleted?
So you’ve deleted a consumer’s personal information, then what? Again, there are several steps that a covered business has to take. First, it must specify how it has deleted the personal information and keep a record of the consumer’s request to delete.
Businesses are then encouraged to write a letter confirming that the information has been deleted on time, the written confirmation satisfying internal audit requirements and establishing compliance for potential litigation, enforcement, or regulatory proceedings, in the future.
All records should then be maintained for at least 24 months, which might seem to be in conflict with the original deletion request, but is permitted under the CCPA so long as the information is not used for any other business purposes.