Can a service provider refuse a deletion instruction from a business under the CCPA?

Yes.

Unless a service provider has contractually agreed otherwise, it can refuse an instruction to delete personal information that it receives from its client (i.e., the business for which the service provider was processing personal information).

The CCPA allows a consumer to “request that a business delete any personal information about the consumer.”1 When a consumer requests that a business delete personal information, the CCPA requires that a business “direct [its] service providers” to delete the information as well.2

Although a business must “direct” its service providers to delete data, the CCPA states that “a service provider shall not be required to comply with a consumer’s request to delete the consumer’s information if it is necessary for the business or a service provider to maintain the consumer’s information” for a purpose covered by one of nine exceptions. While some of those exceptions arguably apply only to the business’s use of personal information, other exceptions may apply equally to the service provider’s handling of data. These include:3

  1. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
  2. Debug to identify and repair errors that impair existing intended functionality.
  3. Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
  4. Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
  5. To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
  6. Comply with a legal obligation.
  7. Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

If a service provider needs the personal information for one of the reasons listed above, it may refuse the deletion request from the business.