- 1798.100 – Consumers right to receive information on privacy practices and access information
- 1798.105 – Consumers right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
Are businesses required to offer the same methods for submitting DSR requests under the CCPA as they are under the GDPR?
Much like the GDPR, the CCPA gives consumers certain rights over their data. In particular, California residents have the right to request access to their personal information, the right to request the deletion of their personal information, and the right to opt out of the sale of their personal information.1
Businesses that are already GDPR-compliant will have pre-existing methods for fielding data subject requests, such as web portals, email addresses, or dedicated phone numbers. While these methods may be adequate, businesses should double check that all of the CCPA’s requirements are met. Whereas the GDPR has very few requirements governing submission methods, the requirements under the CCPA and Proposed Regulations are numerous.2
The end result is that if a business is GDPR compliant with respect to how data subjects are able to submit rights requests, it may not be CCPA compliant. In contrast, if a business is CCPA compliant with respect to how consumers are able to submit rights requests, it will almost certainly be GDPR compliant.
Below is a comparison of the requirements for methods to submit requests under the GDPR and under the CCPA.
Are the verification requirements for access and deletion requests the same under the CCPA as they are under the GDPR?
Both the CCPA and the GDPR provide individuals with a right to request access to their personal information and a right to request the deletion of their personal information.1 As a result, businesses that field rights requests are required to ensure that the requestor is indeed the individual he or she is claiming to be. The failure to properly verify an individual, and the subsequent unauthorized disclosure, can trigger data breach provisions under both laws.
While the GDPR provides high-level guidance on how to verify the identity of a requestor, the CCPA and the accompanying Proposed Regulations are more specific in their requirements. 2 Below is a comparison of the requirements for verifying the identity of a requestor under the GDPR and under the CCPA.
Does a business have to delete marketing information pursuant to a deletion request?
While personal information is generally subject to deletion requests, the CCPA provides nine exceptions which, depending on a company’s data processing and retention practices, may provide an argument that marketing information does not need to be deleted.
Marketing programs generally fall into one of two categories: 1) value accrual programs (i.e. loyalty programs and paid memberships), and 2) general advertising programs (i.e. email marketing or other coupon-based marketing). Information in value accrual programs, such as loyalty programs, may not need to be deleted as many of the exceptions directly impact these types of programs. For example, there is a strong argument that companies need to retain loyalty program information in order to detect wrongdoing and provide an agreed upon service. General advertising programs, on the other hand, have fewer exceptions due to the fact that they do not provide a reward in recognition of purchasing patterns.
As an initial matter, because the right to deletion is limited to information that the business has collected “from” the consumer,1 if a business receives a deletion request under the CCPA there is a strong argument that the business is permitted to keep information about the consumer that it developed itself (e.g., its communications or experiences with the consumer), or information that it received from third parties (e.g., third party businesses that may participate in or assist with the marketing program). As this information was not collected “from” the consumer, it likely does not fall within the gambit of a deletion right.
Note that the retention of marketing information does not mean that a company should continue to send the consumer marketing communications. Presumably a consumer who requests that marketing-relating data be deleted intends that the company unsubscribe them from any marketing communications (if that intent is not clear, the company should consider clarifying the desire of the consumer). It does mean, however, that a company may keep the information that it obtained from the consumer for internal purposes such as analytics concerning the effectiveness of past marketing campaigns, substantiation as to the consumer’s prior opt-in to marketing communications, or substantiation as to the consumer’s historic preferences (e.g., opt-out, unsubscribe, communication frequency, etc.).
Can a service provider refuse a deletion request that it receives directly from a consumer under the CCPA?
A consumer may incorrectly direct a deletion request to a service provider rather than to the business for which the service provider processes personal information. Service providers are permitted to refuse deletion requests that they receive directly from a consumer, as the CCPA only allows consumers to request deletion from a business.1
Can a service provider refuse a deletion instruction from a business under the CCPA?
Unless a service provider has contractually agreed otherwise, they can refuse an instruction to delete personal information that they receive from their client (i.e., the business for whom the service provider was processing personal information).
The CCPA allows a consumer to “request that a business delete any personal information about the consumer.”1 When a consumer requests that a business delete personal information, the CCPA requires that a business “direct [its] service providers” to delete the information as well.2
Although a business must “direct” its service providers to delete data, the CCPA states that “a service provider shall not be required to comply with a consumer’s request to delete the consumer’s information if it is necessary for the business or a service provider to maintain the consumer’s information” in order to accomplish one of nine exceptions. While some of those exceptions arguably apply only to the business’s use of personal information, other exceptions may apply equally to the service provider’s handling of data. These include:3
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
- Debug to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
- To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
- Comply with a legal obligation.
- Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
If a service provider needs the personal information for one of the reasons listed above, it may refuse the deletion request from the business.
What does a Human Resources Director need to know about the CCPA?
- Privacy notices. Under the CCPA, employers are required to provide California employees with privacy notices that, among other things, itemize the categories of personal information collected, shared, and sold about the employee.1
- Access rights. Under the CCPA, California employees are permitted to request access to the personal information that the employer has collected about the employee.2
- Deletion rights. Under the CCPA, California employees are permitted to request the deletion of the personal information that the employer has collected from the employee.3 Note that the CCPA does not require that employers grant such requests in all situations.
- HR benefits providers. Under the CCPA, an employer must stake steps to verify that by providing personal information about California employees to benefits providers it is not “selling” personal information as that term is defined in the statute. If a sale does occur, the employer must disclose the sale to the employee and offer them the ability to opt-out of the sale through a “Do Not Sell” mechanism.
- Data security breach. Under the CCPA, if the sensitive information of a California employee (e.g., Social Security Number) is breached as a result of the employer’s inadequate data security, an employee may be able to initiate suit to recover statutory liquidated damages.4
CCPA Privacy FAQs: Can a company be sued under the CCPA for failing to honor a deletion request?
Section 1798.150 of the CCPA permits consumers to “institute a civil action” only where consumer “nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure.”1 The CCPA does not provide a private right of action, nor does it provide statutory damages, if a company violates its obligation to delete personal information about a consumer after receiving a deletion request.2
The California Unfair Competition Law (“UCL”) defines “unfair competition” as including “any unlawful, unfair, or fraudulent business act or practice.”3 Plaintiffs’ attorneys in California have historically attempted to use the text of the UCL to bring suit against companies that allegedly violated any other California or federal law arguing that the secondary violation constituted an “unlawful” practice for which the UCL might permit recovery. It is unlikely, however, that such a strategy would succeed in connection with the CCPA as the Act expressly states that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”4
An amendment to the CCPA – Senate Bill 561 – has been proposed which, if passed, would extend the private right of action, and the ability for plaintiffs’ attorneys to seek statutory damages, to all alleged violations of the CCPA. While the amendment received the endorsement of the California Attorney General, on May 16, 2019, it was held in committee under submission pending fiscal review. As a practical matter this means that the amendment will more than likely not be enacted this year, although it could come back for a vote after 2019.
The net result is that the CCPA, as it currently stands, will not permit consumers to sue businesses that are alleged to have failed to honor deletion requests, and it is unlikely that courts will permit such suits through the auspices of the UCL. The California legislature could, however, decide at any time to amend the CCPA to provide a private right of action in connection with deletion requests.
CCPA Privacy and Security FAQs: If a company receives a right to be forgotten request, does it have to delete the requestor’s IP address from its weblogs?
The term “personal information” is defined by the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”1 While the Act provides a list of examples of personal information – which explicitly includes “Internet Protocol Address” – it qualifies the examples by stating that they only fall within the definition of personal information if they identify, relate to, describe, are “capable of being associated with,” or “could be reasonably be linked” with a particular person.2 There is a strong argument that a dynamic IP address (which is assigned to different computers at different times) may not fall within the definition of “personal information” under the CCPA as it may not be capable of being reasonably linked with a particular person. There may also be an argument that many static IP addresses may not be “reasonably” linked to a consumer if they are not combined with other information that would permit the easy identification of that consumer.
Assuming that a court or a regulator were to determine that a particular IP address did fall under the definition of “personal information,” and a consumer were to make a right to be forgotten request in connection with that IP address, the right to be forgotten is not absolute.3 The CCPA provides ten exceptions pursuant to which a business can refuse a deletion request. That said, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.4Of those ten exceptions, the following are most likely to apply to a request that a company delete an IP address from its weblogs:
- Detect wrongdoing. If personal information is collected from a consumer because it is needed to detect security incidents, or protect the business against illegal actions (e.g., fraud, deception, etc.), it does not need to be deleted.5 To the extent that a company maintains a weblog to identify potential malicious activity impacting its website (e.g., hacking, unauthorized attempts to access information, patterns of suspicious activity, possible denial-of-service attacks, etc.), this exception could be asserted to deny a deletion request.
- Repair errors. According to the CCPA, if personal information is necessary to “[d]ebug to identify and repair errors that impair existing intended functionality,” it does not need to be deleted.6 To the extent that a company maintains a weblog that contains IP addresses as part of its effort to identify and debug errors that may be occurring on its website (e.g., faulty page loads, broken links, etc.), this exception could be asserted to deny a deletion request.
- Exercise legal right. If personal information collected from a consumer is needed for the business to “exercise another right provided for by law,” it does not need to be deleted.7 To the extent that a company maintains a weblog as part of its right to communicate with third parties and/or a right to understand the identity of those third parties that attempt to communicate with it, this exception might be asserted to deny a deletion request.
- Internal uses aligned with consumer expectations. If personal information collected from a consumer will have “solely internal uses” for the business, and if those uses are “reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business,” the information does not need to be deleted.8 Note that, while the statute does not explicitly state whether a California court should look to the “expectations of the consumer” at the time that they provided the information to the business, presumably that is the relevant time period, as any other interpretation might render the exception a nullity (i.e., a consumer is likely to argue at the time of making a deletion request that they have no continued expectation of use). To the extent that a consumer would expect the company to collect IP addresses (e.g., such collection was disclosed as part of a privacy notice, or such collection has become industry standard practice), this exception might be available to deny a deletion request.
- Internal uses aligned with the context of collection. If personal information collected from a consumer will be used “internally” and in a manner that is “compatible” with the “context in which the consumer provided the information,” than the information does not need to be deleted.9 While this exception is similar to the previous exception, unlike the previous exception, the use need not be aligned with the consumer’s expectations so long as it is compatible with the context of the original collection. Again, in the context of IP addresses, if a company uses IP address in a context in which the consumer provided the information (e.g., as disclosed in a privacy notice), this exception might be available to deny a deletion request.
- Comply with legal obligations. If personal information collected from a consumer is needed to comply with a legal obligation (e.g., a statute that requires that the business maintain documentation relating to the consumer, a preservation hold issued as part of legal process, or a statute that requires that a company maintain weblogs as part of its overall security), the business is not required to delete the information.10In the context of IP addresses, if a company is required by law to maintain certain records – such as a weblog for security or audit trail purposes – this exception may be available to deny a deletion request.
CCPA Privacy FAQs: Is a business required to delete loyalty program information if it receives a deletion request from an active member?
Loyalty programs can be, and are, structured in a variety of different ways. Some programs track dollars spent by a consumer, others track products purchased. Some programs are free to participate in, others require consumers to purchase membership. Some programs offer consumers additional products, other programs offer prizes, money, or third party products. All loyalty programs share one thing in common however – they provide some form of reward to a consumer in recognition of (or in exchange for) their repeat purchasing patterns.
One of the rights conferred by the CCPA is the ability of a consumer to request that a business delete personal information “which the business has collected from the consumer.”1 While numerous retailers have expressed confusion regarding whether that right requires the deletion of loyalty program related data, it is important to remember the right to deletion is not an absolute right and may rarely apply in the context of a loyalty program.
As an initial matter, because the right to deletion is limited to information that the business has collected “from” the consumer, if a business receives a deletion request under the CCPA, there is a strong argument that the business is permitted to keep information about the consumer that it developed itself (e.g., its transactions or experiences with the consumer), or information that it received from third parties (e.g., third party businesses that may participate in the loyalty program). As this information was not collected “from” the consumer, it arguably does not fall within the gambit of a deletion right.
In connection with information that is collected directly from a consumer (e.g., name, email address, enrollment details, etc.) there are several exceptions to the CCPA which would allow a business to refuse a deletion request. Specifically, the following exceptions to the right to deletion apply to personal information collected from a consumer as part of most loyalty programs:
|Exception||Description of Exception||Applicability to Loyalty|
|Complete a Transaction||If personal information is maintained because it is necessary for a business to complete a transaction with the consumer, a business is not required to honor a deletion request.2
|✓ Personal information is often needed by a company that offers a loyalty program in order to complete a transaction requested by a consumer in connection with the program. For example, if a consumer were to request to redeem loyalty points, a business may need to keep the consumer’s information in order to fulfill the request (e.g., to send earned products or services).|
|Provide a good or service||If personal information is maintained because it is necessary for a business to “provide a good or service requested by a consumer,” a business is not required to honor a deletion request.3||✓ Personal information is arguably needed in order to provide the service originally requested by the consumer – i.e., the operation of the loyalty program to which the consumer opted to become a member.|
|Detect wrongdoing.||If personal information is maintained because it is needed to detect security incidents, or “protect against malicious, deceptive, fraudulent, or illegal activity,” a business is not required to honor a deletion request.4
|✓ Personal information is often needed by a loyalty program sponsor to protect against deceptive and fraudulent activity such as multiple accounts being created by a single consumer, or attempts to double count purchases or benefits.|
|Repair errors.||If personal information is maintained because it is necessary for a business to “identify and repair errors that impair existing intended functionality,” a business is not required to honor a deletion request.5
|✓ Personal information is often needed by a loyalty program sponsor to identify any errors in its process for collecting, maintaining, or tracking accumulated points or value.|
|Internal uses aligned with consumer expectations.||If personal information is maintained because it is necessary for “solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business,” a business is not required to honor a deletion request.6||✓ Personal information is often needed by a loyalty program sponsor for numerous uses that are aligned with the expectation of the consumer at the time that they supplied information to the business. These typically include the operation of the rewards program, internal accounting relating to members’ accrued points, internal accounting relating to members’ requested benefits, auditing, and improving the operation of the overall program.|
|Internal uses aligned with the context of collection.||If personal information is maintained “internally” and in a manner that is “compatible” with the “context in which the consumer provided the information,” a business is not required to honor a deletion request.7||✓ Personal information is often used by a loyalty program in a manner that is compatible with the context in which the consumer provided the information. Such contexts are often disclosed in a loyalty program’s privacy notice and include the operation of the rewards program, internal accounting, auditing, and improving the operation of the overall program.
|Comply with legal obligations.||If personal information maintained by a business is needed to comply with a legal obligation (e.g., a statute that requires that the business maintain documentation relating to the consumer), the business is not required to delete the information.8||✓ Personal information is often maintained in order to comply with tax, escheatment, and corporate accountability laws.|
The net result is that most loyalty programs are permitted to refuse a request that a consumer’s personal information be deleted from an active loyalty account.
CCPA Privacy FAQs: Is a business required to provide access to all information about the consumer maintained through a loyalty program?
Some of the rights conferred by the CCPA are limited to data collected “from the consumer,”1 whereas other rights apply to data “collected about” a consumer.2 Access rights are part of the latter category. As a result, if a business receives an access request from a member of a loyalty program, the CCPA requires that the business disclose “the specific pieces of personal information it has collected about that consumer.”3 This may be interpreted by courts as indicating that information must be disclosed regardless of whether the information was collected from the consumer directly, was received from a third party (e.g., a retailer, or a commercial partner), or was generated internally by a business.