- 1798.100 – Consumers' right to receive information on privacy practices and access information
- 1798.105 – Consumers' right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers' right to receive information about onward disclosures
- 1798.120 – Consumers' right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
Is a business required to delete only 12 months of consumer information in response to a request to be forgotten?
No.
Unlike a request for access,[1] a business’s deletion obligation extends to all data held by the business regarding a consumer, unless an exception applies, irrespective of when that data was collected, generated or processed. Neither the statutory text nor the regulations establish a “lookback period” for requests for deletion. That said, a business is not obligated to delete consumer information that it is required to retain to comply with a legal obligation.[2] As a consequence, a business may be required under applicable law to retain data for a period of time notwithstanding the request.
If a business receives a right to be forgotten request from an employee, or a former employee, does it have to delete the requestor’s information?
Not necessarily.
As an initial matter, employees that are residents of California will not qualify as full “consumers” under the law until January 1, 2021. Pursuant to an amendment to the CCPA enacted in 2019, the title shall not apply to “[p]ersonal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business.”[1] As of the date of this writing, this provision will expire on January 1, 2021, and employees will be considered full “consumers” under the CCPA on that date.
That said, assuming that employees are consumers, there are a number of exceptions to the consumer’s right to deletion that may be applicable. Specifically, the business may argue that the employee’s request for deletion cannot be granted based on one or more of the statutory exceptions outlined above. In particular, the business may argue that it has a legal obligation to retain the data, and that the data is required to carry out a transaction with the employee.[2] This list is by no means exhaustive. Finally, it should be noted that even apart from the specific exceptions to the consumer’s right to deletion articulated in section 1798.105 of the CCPA, the business also is not required to take any action that would violate other state or federal obligations imposed upon it, including federal employment laws.[3]
Can an employee make a right to be forgotten request in relation to their employer’s use of their image in a picture or video?
Possibly.
It is a common practice for employers to ask employees if they would like to be included in a picture or a video, either for product advertisement or internal training. Typically, when this occurs, the employer asks the employee to sign a release, waiver, or permission for the use of their image.
If an employee whose image was integrated in company material made a right to deletion request, the honoring of such request could cause significant disruption or cost to a company. For example, posters, mailers, images, or advertisements might need to be recalled, deleted, or destroyed.
It is presently unclear how courts would deal with such a request once employee-deletion rights go into effect in 2021. While an employer might point to the employee’s consent to have their image used, it’s possible that an employee would refer to a provision in the CCPA which states that “[a]ny provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer’s rights under this title . . . shall be deemed contrary to public policy and shall be void and unenforceable.”[1] Furthermore, it is not clear whether any of the nine exceptions to deletion within the CCPA would apply to the employee’s request:
| Exception | Application |
| --- | --- |
| 1. Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.[2] | An employer might argue that the use of an employee’s image is the completion of a contract between the business and the consumer (i.e., the permission release). The strength of such an argument might depend, however, on whether the release is viewed as a stand-alone contract. |
| 2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.[3] | It is unlikely that this exception would apply. |
| 3. Debug to identify and repair errors that impair existing intended functionality.[4] | It is unlikely that this exception would apply. |
| 4. Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.[5] | It is possible that the employer could argue that rights it has to the material in which the image was included would be interfered with if the deletion request were granted. As businesses do not qualify as “consumers” under the CCPA, it is unclear how a court would respond to such an argument. |
| 5. Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.[6] | This exception applies if a business has received a government request for the personal information of an individual under the terms of the California Electronic Communications Privacy Act. |
| 6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.[7] | This exception likely does not apply. |
| 7. To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.[8] | This exception is unlikely to apply if the material (e.g., photo or video) will be used external to the company. |
| 8. Comply with a legal obligation.[9] | This exception is unlikely to apply. |
| 9. Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.[10] | This exception is unlikely to apply if the material (e.g., photo or video) will be used external to the company. |
What type of contractual provisions are included within service provider agreements in connection with consumer deletion requests?
Although the CCPA does not itself require that a service provider honor a deletion request that it receives directly from a consumer, a service provider may be contractually obligated to do so by a business.
Many businesses include a contractual provision in their agreement with a service provider requiring the service provider to delete personal information that is processed on the business’s behalf at the direction of the business. A less specific “reasonable assistance” provision is also common, which obligates the service provider to reasonably assist the business in fulfilling a deletion request. Although here a service provider retains an argument that facilitating deletion when not required to do so by the CCPA may not be “reasonable assistance,” the existence of this provision signals that a business may be expecting the service provider to honor its deletion requests.
A business may assert that the contractual provisions which are required to meet the definition of “service provider” imply that a service provider must honor a business’s deletion requests. However, the CCPA specifically allows a service provider to process personal information outside of its relationship to the business if such processing is “otherwise permitted by [the CCPA].”[1] As discussed above, the CCPA permits a service provider to refuse a deletion request for a variety of reasons.[2]
Beyond CCPA-specific provisions, a business may argue that other provisions in the agreement with a service provider require deletion of personal information at a business’s direction. If personal information fits the agreement’s definition of confidential information, the confidentiality provision may require that confidential information be deleted or returned at the disclosing party’s direction. A provision where a service provider has agreed to abide by the business’s privacy policy may also create an argument that the service provider must delete personal information, depending on the drafting of the privacy policy. If a data protection agreement containing the GDPR’s required Article 28 processor provisions applies, the definition of “personal data” in those provisions may be broad enough to apply to CCPA personal information and thus require deletion.
Does a business have to delete marketing information pursuant to a deletion request?
Maybe not.
While personal information is generally subject to deletion requests, the CCPA provides nine exceptions which, depending on a company’s data processing and retention practices, may provide an argument that marketing information does not need to be deleted.
Marketing programs generally fall into one of two categories: 1) value accrual programs (e.g., loyalty programs and paid memberships), and 2) general advertising programs (e.g., email marketing or other coupon-based marketing). Information in value accrual programs, such as loyalty programs, may not need to be deleted, as many of the exceptions directly impact these types of programs. For example, there is a strong argument that companies need to retain loyalty program information in order to detect wrongdoing and provide an agreed-upon service. General advertising programs, on the other hand, have fewer exceptions due to the fact that they do not provide a reward in recognition of purchasing patterns.
As an initial matter, because the right to deletion is limited to information that the business has collected “from” the consumer,[1] if a business receives a deletion request under the CCPA there is a strong argument that the business is permitted to keep information about the consumer that it developed itself (e.g., its communications or experiences with the consumer), or information that it received from third parties (e.g., third party businesses that may participate in or assist with the marketing program). As this information was not collected “from” the consumer, it likely does not fall within the gamut of a deletion right.
In connection with information that is collected directly from a consumer (e.g., name, email address, enrollment details, responses to emails, etc.), the CCPA allows a company to deny a deletion request if necessary to “enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.”[2] This implies that a company that does not share its marketing information, and that publicly describes its internal purposes for retaining such information (e.g., for purposes of analytics or to comply with a retention schedule), may deny a request for deletion of that data. For example, a company whose privacy policy discloses that marketing-related data is retained for “x” amount of time may deny a deletion request to the extent the retention period has not lapsed, as the consumer arguably “expects” the company to follow its published retention schedule.
Note that the retention of marketing information does not mean that a company should continue to send the consumer marketing communications. Presumably a consumer who requests that marketing-related data be deleted intends that the company unsubscribe them from any marketing communications (if that intent is not clear, the company should consider clarifying the desire of the consumer). It does mean, however, that a company may keep the information that it obtained from the consumer for internal purposes such as analytics concerning the effectiveness of past marketing campaigns, substantiation as to the consumer’s prior opt-in to marketing communications, or substantiation as to the consumer’s historic preferences (e.g., opt-out, unsubscribe, communication frequency, etc.).
Can a service provider refuse a deletion instruction from a business under the CCPA?
Yes.
Unless a service provider has contractually agreed otherwise, it can refuse an instruction to delete personal information that it receives from its client (i.e., the business for whom the service provider was processing personal information).
The CCPA allows a consumer to “request that a business delete any personal information about the consumer.”[1] When a consumer requests that a business delete personal information, the CCPA requires that a business “direct [its] service providers” to delete the information as well.[2]
Although a business must “direct” its service providers to delete data, the CCPA states that “a service provider shall not be required to comply with a consumer’s request to delete the consumer’s information if it is necessary for the business or a service provider to maintain the consumer’s information” in order to accomplish one of nine exceptions. While some of those exceptions arguably apply only to the business’s use of personal information, other exceptions may apply equally to the service provider’s handling of data. These include:[3]
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
- Debug to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
- To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
- Comply with a legal obligation.
- Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
If a service provider needs the personal information for one of the reasons listed above, it may refuse the deletion request from the business.
If a business receives a deletion request, but is required by foreign law to retain the data, can it deny the request without violating the CCPA?
Likely, yes.
A consumer’s right to deletion is subject to a number of exceptions. One of these exceptions is to “comply with a legal obligation.”[1] Thus, where retaining personal information of a consumer is necessary to comply with a legal obligation, the business is not required to honor the data subject request. The CCPA does not identify, restrict, or qualify the type of legal obligation that triggers the exception. Thus, it is likely, though not certain, that a requirement to maintain personal data under foreign law would trigger the exception, such that a business would not be obligated to delete the personal data subject to the foreign law.
This is in marked contrast to the GDPR’s relationship with United States law. The GDPR states that a company does not have to honor a request to be forgotten if the processing is necessary for “compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject.” Many companies assume that they can use this exception if they are required by United States law to retain data. Unfortunately, the Article 29 Working Party (now the European Data Protection Board) – an influential, independent advisory body to the European Commission on data protection matters that was chiefly comprised of representatives from each Member State’s supervisory authority – has implied that United States law cannot justify ongoing processing.
CCPA Privacy and Security FAQs: If a company receives a right to be forgotten request, does it have to delete the requestor’s IP address from its weblogs?
Probably not.
The term “personal information” is defined by the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”[1] While the Act provides a list of examples of personal information – which explicitly includes “Internet Protocol Address” – it qualifies the examples by stating that they only fall within the definition of personal information if they identify, relate to, describe, are “capable of being associated with,” or “could reasonably be linked” with a particular person.[2] There is a strong argument that a dynamic IP address (which is assigned to different computers at different times) may not fall within the definition of “personal information” under the CCPA, as it may not be capable of being reasonably linked with a particular person. There may also be an argument that many static IP addresses may not be “reasonably” linked to a consumer if they are not combined with other information that would permit the easy identification of that consumer.
Assuming that a court or a regulator were to determine that a particular IP address did fall under the definition of “personal information,” and a consumer were to make a right to be forgotten request in connection with that IP address, the right to be forgotten is not absolute.[3] The CCPA provides ten exceptions pursuant to which a business can refuse a deletion request. That said, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.[4] Of those ten exceptions, the following are most likely to apply to a request that a company delete an IP address from its weblogs:
- Detect wrongdoing. If personal information is collected from a consumer because it is needed to detect security incidents, or protect the business against illegal actions (e.g., fraud, deception, etc.), it does not need to be deleted.[5] To the extent that a company maintains a weblog to identify potential malicious activity impacting its website (e.g., hacking, unauthorized attempts to access information, patterns of suspicious activity, possible denial-of-service attacks, etc.), this exception could be asserted to deny a deletion request.
- Repair errors. According to the CCPA, if personal information is necessary to “[d]ebug to identify and repair errors that impair existing intended functionality,” it does not need to be deleted.[6] To the extent that a company maintains a weblog that contains IP addresses as part of its effort to identify and debug errors that may be occurring on its website (e.g., faulty page loads, broken links, etc.), this exception could be asserted to deny a deletion request.
- Exercise legal right. If personal information collected from a consumer is needed for the business to “exercise another right provided for by law,” it does not need to be deleted.[7] To the extent that a company maintains a weblog as part of its right to communicate with third parties and/or a right to understand the identity of those third parties that attempt to communicate with it, this exception might be asserted to deny a deletion request.
- Internal uses aligned with consumer expectations. If personal information collected from a consumer will have “solely internal uses” for the business, and if those uses are “reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business,” the information does not need to be deleted.[8] Note that, while the statute does not explicitly state whether a California court should look to the “expectations of the consumer” at the time that they provided the information to the business, presumably that is the relevant time period, as any other interpretation might render the exception a nullity (i.e., a consumer is likely to argue at the time of making a deletion request that they have no continued expectation of use). To the extent that a consumer would expect the company to collect IP addresses (e.g., such collection was disclosed as part of a privacy notice, or such collection has become industry standard practice), this exception might be available to deny a deletion request.
- Internal uses aligned with the context of collection. If personal information collected from a consumer will be used “internally” and in a manner that is “compatible” with the “context in which the consumer provided the information,” then the information does not need to be deleted.[9] While this exception is similar to the previous exception, unlike the previous exception, the use need not be aligned with the consumer’s expectations so long as it is compatible with the context of the original collection. Again, in the context of IP addresses, if a company uses IP addresses in a context in which the consumer provided the information (e.g., as disclosed in a privacy notice), this exception might be available to deny a deletion request.
- Comply with legal obligations. If personal information collected from a consumer is needed to comply with a legal obligation (e.g., a statute that requires that the business maintain documentation relating to the consumer, a preservation hold issued as part of legal process, or a statute that requires that a company maintain weblogs as part of its overall security), the business is not required to delete the information.[10] In the context of IP addresses, if a company is required by law to maintain certain records – such as a weblog for security or audit trail purposes – this exception may be available to deny a deletion request.
CCPA Privacy FAQs: Is a business required to delete loyalty program information if it receives a deletion request from an active member?
Typically no.
Loyalty programs can be, and are, structured in a variety of different ways. Some programs track dollars spent by a consumer, others track products purchased. Some programs are free to participate in, others require consumers to purchase membership. Some programs offer consumers additional products, other programs offer prizes, money, or third party products. All loyalty programs share one thing in common however – they provide some form of reward to a consumer in recognition of (or in exchange for) their repeat purchasing patterns.
One of the rights conferred by the CCPA is the ability of a consumer to request that a business delete personal information “which the business has collected from the consumer.”[1] While numerous retailers have expressed confusion regarding whether that right requires the deletion of loyalty program related data, it is important to remember that the right to deletion is not an absolute right and may rarely apply in the context of a loyalty program.
As an initial matter, because the right to deletion is limited to information that the business has collected “from” the consumer, if a business receives a deletion request under the CCPA, there is a strong argument that the business is permitted to keep information about the consumer that it developed itself (e.g., its transactions or experiences with the consumer), or information that it received from third parties (e.g., third party businesses that may participate in the loyalty program). As this information was not collected “from” the consumer, it arguably does not fall within the gamut of a deletion right.
In connection with information that is collected directly from a consumer (e.g., name, email address, enrollment details, etc.), there are several exceptions to the CCPA which would allow a business to refuse a deletion request. Specifically, the following exceptions to the right to deletion apply to personal information collected from a consumer as part of most loyalty programs:
| Exception | Description of Exception | Applicability to Loyalty |
| --- | --- | --- |
| Complete a transaction | If personal information is maintained because it is necessary for a business to complete a transaction with the consumer, a business is not required to honor a deletion request.[2] | ✓ Personal information is often needed by a company that offers a loyalty program in order to complete a transaction requested by a consumer in connection with the program. For example, if a consumer were to request to redeem loyalty points, a business may need to keep the consumer’s information in order to fulfill the request (e.g., to send earned products or services). |
| Provide a good or service | If personal information is maintained because it is necessary for a business to “provide a good or service requested by a consumer,” a business is not required to honor a deletion request.[3] | ✓ Personal information is arguably needed in order to provide the service originally requested by the consumer – i.e., the operation of the loyalty program to which the consumer opted to become a member. |
| Detect wrongdoing | If personal information is maintained because it is needed to detect security incidents, or “protect against malicious, deceptive, fraudulent, or illegal activity,” a business is not required to honor a deletion request.[4] | ✓ Personal information is often needed by a loyalty program sponsor to protect against deceptive and fraudulent activity such as multiple accounts being created by a single consumer, or attempts to double count purchases or benefits. |
| Repair errors | If personal information is maintained because it is necessary for a business to “identify and repair errors that impair existing intended functionality,” a business is not required to honor a deletion request.[5] | ✓ Personal information is often needed by a loyalty program sponsor to identify any errors in its process for collecting, maintaining, or tracking accumulated points or value. |
| Internal uses aligned with consumer expectations | If personal information is maintained because it is necessary for “solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business,” a business is not required to honor a deletion request.[6] | ✓ Personal information is often needed by a loyalty program sponsor for numerous uses that are aligned with the expectation of the consumer at the time that they supplied information to the business. These typically include the operation of the rewards program, internal accounting relating to members’ accrued points, internal accounting relating to members’ requested benefits, auditing, and improving the operation of the overall program. |
| Internal uses aligned with the context of collection | If personal information is maintained “internally” and in a manner that is “compatible” with the “context in which the consumer provided the information,” a business is not required to honor a deletion request.[7] | ✓ Personal information is often used by a loyalty program in a manner that is compatible with the context in which the consumer provided the information. Such contexts are often disclosed in a loyalty program’s privacy notice and include the operation of the rewards program, internal accounting, auditing, and improving the operation of the overall program. |
| Comply with legal obligations | If personal information maintained by a business is needed to comply with a legal obligation (e.g., a statute that requires that the business maintain documentation relating to the consumer), the business is not required to delete the information.[8] | ✓ Personal information is often maintained in order to comply with tax, escheatment, and corporate accountability laws. |
The net result is that most loyalty programs are permitted to refuse a request that a consumer’s personal information be deleted from an active loyalty account.
CCPA Privacy FAQs: If a company experiences a data security breach, and receives a “Right to be Forgotten” request from a data subject whose information was involved, does the company have to delete the information that they have about the individual?
Typically not.
When investigating a data security incident, companies are often focused on determining whether there has been unauthorized access to or acquisition of personal data, and, if so, which data subjects were impacted. As part of that investigation, companies typically create records that indicate which data subjects were, or were not, impacted by the incident, and attempt to preserve copies of the records that might have been impacted.
If a company notifies individuals about a data breach, it is not uncommon for some portion of the notified individuals to request that the company delete the information held about them. Such requests raise an inherent conflict. On the one hand, the data subject may no longer wish their information to be in the hands of the company – particularly if they perceive that the company’s security may be inadequate or may have contributed to the data breach. On the other hand, the company has a strong interest in maintaining records relating to the security incident. For example, if a data subject were to bring an action against a company for damages as a result of the security incident, the company has an interest in being able to refer to its internal records to determine if the data subject’s information was involved in the incident, and, if so, what types of data fields may have been impacted. Similarly, if a third party is responsible for a data breach, a company may need the evidence (in an unaltered and authenticated state) in order to bring suit against the third party, or to aid in a criminal prosecution against the individual. The GDPR resolves the conflict by allowing a company to keep personal data – despite a data subject’s request that it be deleted – if the data is “necessary . . . for the establishment, exercise or defence of legal claims.”[1]
In some circumstances, data relating to a breach may no longer be necessary for the purpose of establishing a claim or defense (e.g., if the attacker has already been prosecuted, or the statute of limitations for a third party to bring a claim relating to the incident has expired). In such situations, whether a company must comply with a deletion request depends on the context of a particular incident and whether one of the following criteria applies:
- Companies must delete data upon request if the data is no longer necessary. If the personal data that was collected by a company about an individual is “no longer necessary in relation to the purposes for which [it was] collected,” the company typically must honor a right to be forgotten request.[2] As a result, if the company no longer needs the data to establish a legal defense or claim, and the data is no longer necessary for the purposes of its original collection, the request to delete should be honored.
- Companies must delete data upon request if the data was processed based solely on consent. If a company’s sole basis for processing data was the consent of the individual, the company is typically required to honor a right to be forgotten request, which might for all practical purposes be viewed as a revocation of that consent. Conversely, if processing is based on an additional permissible purpose (e.g., performance of a contract), the right to be forgotten request does not necessarily have to be granted.
- Companies must delete data upon request if the data was processed based upon the controller’s legitimate interest, and that interest is outweighed by the data subject’s rights. When processing is based upon a company’s legitimate interest, a data subject has a right to request deletion unless the interest of a controller or a third party is demonstrably “overriding.”[3] Whether the company’s interest in continuing to keep the information or the data subject’s interest in having it deleted controls may depend on the precise reasons both parties have for keeping (or deleting) the information.
Like the GDPR, the CCPA contains an exception that permits a company to refuse a deletion request if the information is needed to “[e]xercise or defend legal claims.”[4] The CCPA also contains an exception that permits the retention of the information if it is “necessary” to “prosecute those responsible for” a security incident,[5] if it is needed for “internal uses that are reasonably aligned with the expectations of the consumer,”[6] or if it is necessary for the business to use it internally in a manner that is “compatible with the context in which the consumer provided the information.”[7]