- 1798.100 – Consumers right to receive information on privacy practices and access information
- 1798.105 – Consumers right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
Is a business required to delete only 12 months of consumer information in response to a request to be forgotten?
Unlike a request for access,1 a business’s deletion obligation extends to all data held by the business regarding a consumer, unless an exception applies, irrespective of when that data was collected, generated or processed. Neither the statutory text nor the regulations establish a “lookback period” for requests for deletion. That said, a business is not obligated to delete consumer information that it is required to retain to comply with a legal obligation.2 As a consequence, a business may be required to retain data for a period of time under applicable law.
If a business receives a right to be forgotten request from an employee, or a former employee, does it have to delete the requestor’s information?
As an initial matter, employees that are residents of California will not qualify as full “consumers” under the law until January 1, 2021. Pursuant to an amendment to the CCPA enacted in 2019, the title shall not apply to “[p]ersonal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business.”1 As of the date of this writing, this provision will expire on January 1, 2021, and employees will be considered full “consumers” under CCPA on that date.
That said, assuming that employees are consumers, there are a number of exceptions to the consumer’s right to deletion that may be applications. Specifically, the business may argue that the employee’s request for deletion cannot be granted based on one or more statutory exceptions outlined above. In particular, the business may argue that it has a legal obligation to retain the data, and that the data is required to carry out a transaction with the employee.2 This list is by no means exhaustive. Finally, it should be noted that even apart from the specific exceptions to the consumer’s right to deletion articulated in section 1798.105 of CCPA, the business also is not required to take any action that would violate other state or federal obligations imposed upon it, including federal employment laws.3
Can an employee make a right to be forgotten request in relation to their employer’s use of their image in a picture, or video?
It is a common practice for employers to ask employees if they would like to be included in a picture or a video, either for product advertisement or internal training. Typically, when this occurs, the employer asks the employee to sign a release, waiver, or permission for the use of their image.
If an employee whose image was integrated in company material made a right to deletion request, the honoring of such request could cause significant disruption or cost to a company. For example, posters, mailers, images, or advertisements might need to be recalled, deleted, or destroyed.
It is presently unclear how courts would deal with such a request once employee-deletion rights go into effect in 2021. While an employer might point to the employee’s consent to have their image used, it’s possible that an employee would refer to a provision in the CCPA which states that “[a]ny provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer’s rights under this title . . . shall be deemed contrary to public policy and shall be void and unenforceable.”1 Furthermore, it is not clear whether any of the nine exceptions to deletion within the CCPA would apply to the employee’s request:
|1. Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.2||An employer might argue that the use of an employee’s image is the completion of a contract between the business and the consumer (i.e., the permission release). The strength of such argument might depend, however, on whether the release is viewed as a stand-alone contract.|
|2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.3||It is unlikely that this exception would apply.
|3. Debug to identify and repair errors that impair existing intended functionality.4||It is unlikely that this exception would apply.|
|4. Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.5||It is possible that the employer could argue that rights that it has to the material in which the image was included would be interfered with if the deletion request were granted. As businesses do not qualify as “consumers” under the CCPA it is unclear how a court would respond to such an argument.|
|5. Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.6||This exception applies if a business has received a government request for the personal information of an individual under the terms of the California Electronic Communications Privacy Act.|
|6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.7||This exception likely does not apply.|
|7. To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.8||This exception is unlikely to apply if the material (e.g., photo or video) will be used external to the company.
|8. Comply with a legal obligation.9||This exception is unlikely to apply.|
|9. Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.10||This exception is unlikely to apply if the material (e.g., photo or video) will be used external to the company.|
What type of contractual provisions are included within service provider agreements in connection with consumer deletion requests?
Although the CCPA does not itself require that a service provider honor a deletion request that it receives directly from a consumer, a service provider may be contractually obligated to do so by a business.
Many businesses include a contractual provision in their agreement with a service provider requiring the service provider delete personal information that is processed on the business’s behalf at the direction of the business. A less specific “reasonable assistance” provision is also common, which obligates the service provider to reasonably assist the business in fulfilling a deletion request. Although here a service provider retains an argument that facilitating deletion when not required to do so by the CCPA may not be “reasonable assistance,” the existence of this provision signals that a business may be expecting the service provider to honor its deletion requests.
A business may assert that the contractual provisions which are required to meet the definition of “service provider,” imply that a service provider must honor a business’s deletion requests. However, the CCPA specifically allows a service provider to process personal information outside of its relationship to the service provider if such processing is “otherwise permitted by [the CCPA].” 1 As discussed above, the CCPA permits a service provider to refuse a deletion request for a variety of reasons.2
Does a business have to delete marketing information pursuant to a deletion request?
While personal information is generally subject to deletion requests, the CCPA provides nine exceptions which, depending on a company’s data processing and retention practices, may provide an argument that marketing information does not need to be deleted.
Marketing programs generally fall into one of two categories: 1) value accrual programs (i.e. loyalty programs and paid memberships), and 2) general advertising programs (i.e. email marketing or other coupon-based marketing). Information in value accrual programs, such as loyalty programs, may not need to be deleted as many of the exceptions directly impact these types of programs. For example, there is a strong argument that companies need to retain loyalty program information in order to detect wrongdoing and provide an agreed upon service. General advertising programs, on the other hand, have fewer exceptions due to the fact that they do not provide a reward in recognition of purchasing patterns.
As an initial matter, because the right to deletion is limited to information that the business has collected “from” the consumer,1 if a business receives a deletion request under the CCPA there is a strong argument that the business is permitted to keep information about the consumer that it developed itself (e.g., its communications or experiences with the consumer), or information that it received from third parties (e.g., third party businesses that may participate in or assist with the marketing program). As this information was not collected “from” the consumer, it likely does not fall within the gambit of a deletion right.
Note that the retention of marketing information does not mean that a company should continue to send the consumer marketing communications. Presumably a consumer who requests that marketing-relating data be deleted intends that the company unsubscribe them from any marketing communications (if that intent is not clear, the company should consider clarifying the desire of the consumer). It does mean, however, that a company may keep the information that it obtained from the consumer for internal purposes such as analytics concerning the effectiveness of past marketing campaigns, substantiation as to the consumer’s prior opt-in to marketing communications, or substantiation as to the consumer’s historic preferences (e.g., opt-out, unsubscribe, communication frequency, etc.).
Can a service provider refuse a deletion instruction from a business under the CCPA?
Unless a service provider has contractually agreed otherwise, they can refuse an instruction to delete personal information that they receive from their client (i.e., the business for whom the service provider was processing personal information).
The CCPA allows a consumer to “request that a business delete any personal information about the consumer.”1 When a consumer requests that a business delete personal information, the CCPA requires that a business “direct [its] service providers” to delete the information as well.2
Although a business must “direct” its service providers to delete data, the CCPA states that “a service provider shall not be required to comply with a consumer’s request to delete the consumer’s information if it is necessary for the business or a service provider to maintain the consumer’s information” in order to accomplish one of nine exceptions. While some of those exceptions arguably apply only to the business’s use of personal information, other exceptions may apply equally to the service provider’s handling of data. These include:3
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
- Debug to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
- To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
- Comply with a legal obligation.
- Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
If a service provider needs the personal information for one of the reasons listed above, it may refuse the deletion request from the business.
If a business receives a deletion request, but is required by foreign law to retain the data, can it deny the request without violating the CCPA?
A consumer’s right to deletion is subject to a number of exceptions. One of these exceptions is to “comply with a legal obligation.”1 Thus, where retaining personal information of a consumer is necessary to comply with a legal obligation, the business is not required to honor the data subject request. The CCPA does not identify, restrict, or qualify the type of legal obligation that triggers the exception. Thus, it is likely, though not certain, that a requirement to maintain personal data under foreign law would trigger the exception, such that a business would not be obligated to delete the personal data subject to the foreign law.
This is in marked contrast to GDPR’s relationship with United States law. The GDPR states that a company does not have to honor a request to be forgotten if the processing is necessary for “compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject.” Many companies assume that they can use this exception if they are required by United States law to retain data. Unfortunately, the Article 29 Working party (now the European Data Protection Board) – an influential, independent advisory body to the European Commission on data protection matters that was chiefly comprised of representatives from each Member State’s supervisory authority – has implied that United States law cannot justify ongoing processing.
CCPA Privacy and Security FAQs: If a company receives a right to be forgotten request, does it have to delete the requestor’s IP address from its weblogs?
The term “personal information” is defined by the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”1 While the Act provides a list of examples of personal information – which explicitly includes “Internet Protocol Address” – it qualifies the examples by stating that they only fall within the definition of personal information if they identify, relate to, describe, are “capable of being associated with,” or “could be reasonably be linked” with a particular person.2 There is a strong argument that a dynamic IP address (which is assigned to different computers at different times) may not fall within the definition of “personal information” under the CCPA as it may not be capable of being reasonably linked with a particular person. There may also be an argument that many static IP addresses may not be “reasonably” linked to a consumer if they are not combined with other information that would permit the easy identification of that consumer.
Assuming that a court or a regulator were to determine that a particular IP address did fall under the definition of “personal information,” and a consumer were to make a right to be forgotten request in connection with that IP address, the right to be forgotten is not absolute.3 The CCPA provides ten exceptions pursuant to which a business can refuse a deletion request. That said, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.4Of those ten exceptions, the following are most likely to apply to a request that a company delete an IP address from its weblogs:
- Detect wrongdoing. If personal information is collected from a consumer because it is needed to detect security incidents, or protect the business against illegal actions (e.g., fraud, deception, etc.), it does not need to be deleted.5 To the extent that a company maintains a weblog to identify potential malicious activity impacting its website (e.g., hacking, unauthorized attempts to access information, patterns of suspicious activity, possible denial-of-service attacks, etc.), this exception could be asserted to deny a deletion request.
- Repair errors. According to the CCPA, if personal information is necessary to “[d]ebug to identify and repair errors that impair existing intended functionality,” it does not need to be deleted.6 To the extent that a company maintains a weblog that contains IP addresses as part of its effort to identify and debug errors that may be occurring on its website (e.g., faulty page loads, broken links, etc.), this exception could be asserted to deny a deletion request.
- Exercise legal right. If personal information collected from a consumer is needed for the business to “exercise another right provided for by law,” it does not need to be deleted.7 To the extent that a company maintains a weblog as part of its right to communicate with third parties and/or a right to understand the identity of those third parties that attempt to communicate with it, this exception might be asserted to deny a deletion request.
- Internal uses aligned with consumer expectations. If personal information collected from a consumer will have “solely internal uses” for the business, and if those uses are “reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business,” the information does not need to be deleted.8 Note that, while the statute does not explicitly state whether a California court should look to the “expectations of the consumer” at the time that they provided the information to the business, presumably that is the relevant time period, as any other interpretation might render the exception a nullity (i.e., a consumer is likely to argue at the time of making a deletion request that they have no continued expectation of use). To the extent that a consumer would expect the company to collect IP addresses (e.g., such collection was disclosed as part of a privacy notice, or such collection has become industry standard practice), this exception might be available to deny a deletion request.
- Internal uses aligned with the context of collection. If personal information collected from a consumer will be used “internally” and in a manner that is “compatible” with the “context in which the consumer provided the information,” than the information does not need to be deleted.9 While this exception is similar to the previous exception, unlike the previous exception, the use need not be aligned with the consumer’s expectations so long as it is compatible with the context of the original collection. Again, in the context of IP addresses, if a company uses IP address in a context in which the consumer provided the information (e.g., as disclosed in a privacy notice), this exception might be available to deny a deletion request.
- Comply with legal obligations. If personal information collected from a consumer is needed to comply with a legal obligation (e.g., a statute that requires that the business maintain documentation relating to the consumer, a preservation hold issued as part of legal process, or a statute that requires that a company maintain weblogs as part of its overall security), the business is not required to delete the information.10In the context of IP addresses, if a company is required by law to maintain certain records – such as a weblog for security or audit trail purposes – this exception may be available to deny a deletion request.
CCPA Privacy FAQs: Is a business required to delete loyalty program information if it receives a deletion request from an active member?
Loyalty programs can be, and are, structured in a variety of different ways. Some programs track dollars spent by a consumer, others track products purchased. Some programs are free to participate in, others require consumers to purchase membership. Some programs offer consumers additional products, other programs offer prizes, money, or third party products. All loyalty programs share one thing in common however – they provide some form of reward to a consumer in recognition of (or in exchange for) their repeat purchasing patterns.
One of the rights conferred by the CCPA is the ability of a consumer to request that a business delete personal information “which the business has collected from the consumer.”1 While numerous retailers have expressed confusion regarding whether that right requires the deletion of loyalty program related data, it is important to remember the right to deletion is not an absolute right and may rarely apply in the context of a loyalty program.
As an initial matter, because the right to deletion is limited to information that the business has collected “from” the consumer, if a business receives a deletion request under the CCPA, there is a strong argument that the business is permitted to keep information about the consumer that it developed itself (e.g., its transactions or experiences with the consumer), or information that it received from third parties (e.g., third party businesses that may participate in the loyalty program). As this information was not collected “from” the consumer, it arguably does not fall within the gambit of a deletion right.
In connection with information that is collected directly from a consumer (e.g., name, email address, enrollment details, etc.) there are several exceptions to the CCPA which would allow a business to refuse a deletion request. Specifically, the following exceptions to the right to deletion apply to personal information collected from a consumer as part of most loyalty programs:
|Exception||Description of Exception||Applicability to Loyalty|
|Complete a Transaction||If personal information is maintained because it is necessary for a business to complete a transaction with the consumer, a business is not required to honor a deletion request.2
|✓ Personal information is often needed by a company that offers a loyalty program in order to complete a transaction requested by a consumer in connection with the program. For example, if a consumer were to request to redeem loyalty points, a business may need to keep the consumer’s information in order to fulfill the request (e.g., to send earned products or services).|
|Provide a good or service||If personal information is maintained because it is necessary for a business to “provide a good or service requested by a consumer,” a business is not required to honor a deletion request.3||✓ Personal information is arguably needed in order to provide the service originally requested by the consumer – i.e., the operation of the loyalty program to which the consumer opted to become a member.|
|Detect wrongdoing.||If personal information is maintained because it is needed to detect security incidents, or “protect against malicious, deceptive, fraudulent, or illegal activity,” a business is not required to honor a deletion request.4
|✓ Personal information is often needed by a loyalty program sponsor to protect against deceptive and fraudulent activity such as multiple accounts being created by a single consumer, or attempts to double count purchases or benefits.|
|Repair errors.||If personal information is maintained because it is necessary for a business to “identify and repair errors that impair existing intended functionality,” a business is not required to honor a deletion request.5
|✓ Personal information is often needed by a loyalty program sponsor to identify any errors in its process for collecting, maintaining, or tracking accumulated points or value.|
|Internal uses aligned with consumer expectations.||If personal information is maintained because it is necessary for “solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business,” a business is not required to honor a deletion request.6||✓ Personal information is often needed by a loyalty program sponsor for numerous uses that are aligned with the expectation of the consumer at the time that they supplied information to the business. These typically include the operation of the rewards program, internal accounting relating to members’ accrued points, internal accounting relating to members’ requested benefits, auditing, and improving the operation of the overall program.|
|Internal uses aligned with the context of collection.||If personal information is maintained “internally” and in a manner that is “compatible” with the “context in which the consumer provided the information,” a business is not required to honor a deletion request.7||✓ Personal information is often used by a loyalty program in a manner that is compatible with the context in which the consumer provided the information. Such contexts are often disclosed in a loyalty program’s privacy notice and include the operation of the rewards program, internal accounting, auditing, and improving the operation of the overall program.
|Comply with legal obligations.||If personal information maintained by a business is needed to comply with a legal obligation (e.g., a statute that requires that the business maintain documentation relating to the consumer), the business is not required to delete the information.8||✓ Personal information is often maintained in order to comply with tax, escheatment, and corporate accountability laws.|
The net result is that most loyalty programs are permitted to refuse a request that a consumer’s personal information be deleted from an active loyalty account.
CCPA Privacy FAQs: If a company experiences a data security breach, and receives a “Right to be Forgotten” request from a data subject whose information was involved, does the company have to delete the information that they have about the individual?
When investigating a data security incident, companies are often focused on determining whether there has been unauthorized access or acquisition to personal data, and, if so, which data subjects were impacted. As part of that investigation, companies typically create records that indicate which data subjects were, or were not, impacted by the incident, and attempt to create copies of the records that might have been impacted.
If a company notifies individuals about a data breach, it is not uncommon for some portion of the notified individuals to request that the company delete the information held about them. Such requests raise an inherent conflict. On the one hand, the data subject may no longer wish their information to be in the hands of the company – particularly if they perceive that the company’s security may be inadequate or may have contributed to the data breach. On the other hand, the company has a strong interest in maintaining records relating to the security incident. For example, if a data subject were to bring an action against a company for damages as a result of the security incident, the company has an interest in being able to refer to its internal records to determine if the data subject’s information was involved in the incident, and, if so, what types of data fields may have been impacted. Similarly, if a third party is responsible for a data breach, a company may need the evidence (in an unaltered and authenticated state) in order to bring suit against the third party, or to aid in a criminal prosecution against the individual. The GDPR resolves the conflict by allowing a company to keep personal data – despite a data subject’s request that it be deleted – if data is “necessary . . . for the establishment, exercise or defence of legal claims.”1
In some circumstances, data relating to a breach may no longer be necessary for the purpose of establishing a claim or defense (e.g., if the attacker has already been prosecuted, or the statute of limitations for a third party to bring a claim relating to the incident has expired). In such situations, whether a company must comply with a deletion request depends on the context of a particular incident and whether one of the following criteria applies:
- Companies must delete data upon request if data is no longer necessary. If the personal data that was collected by a company about an individual is “no longer necessary in relation to the purposes for which [it was] collected,” the company typically must honor a right to be forgotten request.2 As a result, if the company no longer needs the data to establish a legal defense or claim, and the data is no longer necessary for the purposes of its original collection, the request to delete should be honored.
- Companies must delete data upon request if the data was processed based solely on consent. If a company’s sole basis for processing data was the consent of the individual, the company is typically required to honor a right to be forgotten request, which might for all practical purposes be viewed as a revocation of that consent. Conversely, if processing is based on an additional permissible purpose (g., performance of a contract) the right to be forgotten request does not necessarily have to be granted.
- Companies must delete data upon request if the data was processed based upon the controller’s legitimate interest, and that interest is outweighed by the data subject’s rights. When processing is based upon a company’s legitimate interest, a data subject has a right to request deletion unless the interest of a controller or a third party is demonstrably “overriding.”3 Whether or not the company’s interest in continuing to keep the information, or the data subject’s interest in having it deleted, control may depend on the precise reasons both parties have for keeping (or deleting) the information.
Like the GDPR, the CCPA contains an exception that permits a company to refuse a deletion request if the information is needed to “[e]xercise or defend legal claims.”4 The CCPA also contains an exception that permits the retention of the information if it is “necessary” to “prosecute those responsible for” a security incident,5 if it is needed for “internal uses that are reasonably aligned with the expectations of the consumer,”6 or if it is necessary for the business to use it internally in a manner that is “compatible with the context in which the consumer provided the information.”7