Are businesses required to offer the same methods for submitting DSR requests under the CCPA as they are under the GDPR?

No.

Much like the GDPR, the CCPA gives consumers certain rights over their data. In particular, California residents have the right to request access to their personal information, the right to request the deletion of their personal information, and the right to opt out of the sale of their personal information.¹

Businesses that are already GDPR-compliant will have pre-existing methods for fielding data subject requests, such as web portals, email addresses, or dedicated phone numbers. While these methods may be adequate, businesses should double check that all of the CCPA’s requirements are met. Whereas the GDPR has very few requirements governing submission methods, the requirements under the CCPA and Proposed Regulations are numerous.²

The end result is that if a business is GDPR compliant with respect to how data subjects are able to submit rights requests, it may not be CCPA compliant. In contrast, if a business is CCPA compliant with respect to how consumers are able to submit rights requests, it will almost certainly be GDPR compliant.

Below is a comparison of the requirements for methods to submit requests under the GDPR and under the CCPA.

GDPR

CCPA

There are no specific requirements governing the methods by which a data subject can submit a request.
A business should provide methods for requests to be made electronically, especially where personal data is processed by electronic means.³

Access:

If a business only operates online, it is only required to provide an email address.⁴
If a business is not only online, it must provide, at a minimum, a toll-free number and a website address.⁵
If a consumer submits a request in a manner that is not a designated submission method, the business must either treat the request as if it was properly made or it must instruct the consumer on how to properly make the request.⁶

Opt-out:

A business must provide a link on the homepage titled “Do Not Sell My Personal Information.”⁷
A business must provide at least two methods for submitting requests (no exception for online-only).⁸
One of the methods must be an interactive form accessible through the “Do Not Sell” link.⁹
At least one method to opt-out must reflect the manner in which the business primarily interacts with the consumer.¹⁰
The business must treat user-enabled global privacy controls as a valid opt-out request.¹¹
If a consumer submits a request in a manner that is not a designated submission method, the business must either treat the request as if it was properly made or it must instruct the consumer on how to properly make the request.¹²

Delete:

A business must provide at least two methods for submitting requests (no exception for online-only).¹³
If a consumer submits a request in a manner that is not a designated submission method, the business must either treat the request as if it was properly made or it must instruct the consumer on how to properly make the request.¹⁴

Are the verification requirements for access and deletion requests the same under the CCPA as they are under the GDPR?

No.

Both the CCPA and the GDPR provide individuals with a right to request access to their personal information and a right to request the deletion of their personal information.¹ As a result, businesses that field rights requests are required to ensure that the requestor is indeed the individual he or she is claiming to be. The failure to properly verify an individual, and the subsequent unauthorized disclosure, can trigger data breach provisions under both laws.

While the GDPR provides high-level guidance on how to verify the identity of a requestor, the CCPA and the accompanying Proposed Regulations are more specific in their requirements. ² Below is a comparison of the requirements for verifying the identity of a requestor under the GDPR and under the CCPA.

GDPR

CCPA

General Rules:

There are no specific requirements for the verification of a requestor.
If a business fails to properly verify the identity of a requestor, and ultimately discloses a consumer’s personal information to a third party without the consumer’s authorization, this will trigger the GDPR’s data breach provisions.
If there are doubts concerning the identity of an individual, the controller may request additional information.
The controller must use all reasonable measures to verify the identity of a data subject who requests access to their information.
A business must establish procedures for verifying the identity of a requestor. This implies that the procedures must (or should) be documented and complied with.

General Rules:

If a business fails to properly verify the identity of a requestor, and ultimately discloses a consumer’s personal information to a third party without the consumer’s authorization, this may or may not trigger the CCPA’s data breach provisions.
A business shall avoid requesting new information for verification unless it is necessary to complete the verification.⁵
Any additional information collected for the purposes of verification may only be used to verify the individual.⁶
A business must establish, document, and comply with a reasonable method for the verification of requests.⁷
A business cannot require the consumer to pay a fee for the verification of their identity. This includes requiring a consumer to provide a notarized affidavit (unless the business compensates the consumer for the cost of notarization).⁸
If the consumer maintains an account, the business may verify their identity through that account using the business’ standard verification measures.⁹

Access:

If a specific information-access request is denied, the business must evaluate the request as if it were a category-access request.¹⁰
A business must verify individuals who submit category-level access request to a reasonable degree of certainty, which may include matching at least two data points.¹¹
A business must verify individuals who submit specific-information access requests to a reasonably high degree of certainty, which may include matching at least three pieces of personal information.¹²

Opt-Out:

A request to opt-out does not need to be verifiable.¹³

Deletion:

A business must verify individuals who submit deletion request to a reasonably high degree of certainty, which may include matching at least three pieces of personal information.¹⁴

Does a business have to delete marketing information pursuant to a deletion request?

Maybe not.

While personal information is generally subject to deletion requests, the CCPA provides nine exceptions which, depending on a company’s data processing and retention practices, may provide an argument that marketing information does not need to be deleted.

Marketing programs generally fall into one of two categories: 1) value accrual programs (i.e. loyalty programs and paid memberships), and 2) general advertising programs (i.e. email marketing or other coupon-based marketing). Information in value accrual programs, such as loyalty programs, may not need to be deleted as many of the exceptions directly impact these types of programs. For example, there is a strong argument that companies need to retain loyalty program information in order to detect wrongdoing and provide an agreed upon service. General advertising programs, on the other hand, have fewer exceptions due to the fact that they do not provide a reward in recognition of purchasing patterns.

As an initial matter, because the right to deletion is limited to information that the business has collected “from” the consumer,¹ if a business receives a deletion request under the CCPA there is a strong argument that the business is permitted to keep information about the consumer that it developed itself (e.g., its communications or experiences with the consumer), or information that it received from third parties (e.g., third party businesses that may participate in or assist with the marketing program). As this information was not collected “from” the consumer, it likely does not fall within the gambit of a deletion right.

In connection with information that is collected directly from a consumer (e.g., name, email address, enrollment details, responses to emails, etc.), the CCPA allows a company to deny a deletion request if necessary to “enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.”² This implies that a company who does not share its marketing information, and who publicly describes its internal purposes for retaining such information (e.g. for purposes of analytics or to comply with a retention schedule) may deny a request for deletion of that data. For example, a company whose privacy policy discloses that marketing-related data is retained for “x” amount of time may deny a deletion request to the extent the retention period has not lapsed, as the consumer arguably “expects” the company to follow their published retention schedule.

Note that the retention of marketing information does not mean that a company should continue to send the consumer marketing communications. Presumably a consumer who requests that marketing-relating data be deleted intends that the company unsubscribe them from any marketing communications (if that intent is not clear, the company should consider clarifying the desire of the consumer). It does mean, however, that a company may keep the information that it obtained from the consumer for internal purposes such as analytics concerning the effectiveness of past marketing campaigns, substantiation as to the consumer’s prior opt-in to marketing communications, or substantiation as to the consumer’s historic preferences (e.g., opt-out, unsubscribe, communication frequency, etc.).

Can a service provider refuse a deletion request that it receives directly from a consumer under the CCPA?

Can a service provider refuse a deletion instruction from a business under the CCPA?

Yes.

Unless a service provider has contractually agreed otherwise, they can refuse an instruction to delete personal information that they receive from their client (i.e., the business for whom the service provider was processing personal information).

The CCPA allows a consumer to “request that a business delete any personal information about the consumer.”¹ When a consumer requests that a business delete personal information, the CCPA requires that a business “direct [its] service providers” to delete the information as well.²

Although a business must “direct” its service providers to delete data, the CCPA states that “a service provider shall not be required to comply with a consumer’s request to delete the consumer’s information if it is necessary for the business or a service provider to maintain the consumer’s information” in order to accomplish one of nine exceptions. While some of those exceptions arguably apply only to the business’s use of personal information, other exceptions may apply equally to the service provider’s handling of data. These include:³

Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
Debug to identify and repair errors that impair existing intended functionality.
Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
Comply with a legal obligation.
Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

If a service provider needs the personal information for one of the reasons listed above, it may refuse the deletion request from the business.

What does a Human Resources Director need to know about the CCPA?

CCPA Privacy FAQs: Can a company be sued under the CCPA for failing to honor a deletion request?

No.

Section 1798.150 of the CCPA permits consumers to “institute a civil action” only where consumer “nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure.”¹ The CCPA does not provide a private right of action, nor does it provide statutory damages, if a company violates its obligation to delete personal information about a consumer after receiving a deletion request.²

The California Unfair Competition Law (“UCL”) defines “unfair competition” as including “any unlawful, unfair, or fraudulent business act or practice.”³ Plaintiffs’ attorneys in California have historically attempted to use the text of the UCL to bring suit against companies that allegedly violated any other California or federal law arguing that the secondary violation constituted an “unlawful” practice for which the UCL might permit recovery. It is unlikely, however, that such a strategy would succeed in connection with the CCPA as the Act expressly states that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”⁴

An amendment to the CCPA – Senate Bill 561 – has been proposed which, if passed, would extend the private right of action, and the ability for plaintiffs’ attorneys to seek statutory damages, to all alleged violations of the CCPA. While the amendment received the endorsement of the California Attorney General, on May 16, 2019, it was held in committee under submission pending fiscal review. As a practical matter this means that the amendment will more than likely not be enacted this year, although it could come back for a vote after 2019.

The net result is that the CCPA, as it currently stands, will not permit consumers to sue businesses that are alleged to have failed to honor deletion requests, and it is unlikely that courts will permit such suits through the auspices of the UCL. The California legislature could, however, decide at any time to amend the CCPA to provide a private right of action in connection with deletion requests.

CCPA Privacy and Security FAQs: If a company receives a right to be forgotten request, does it have to delete the requestor’s IP address from its weblogs?

Probably not.

The term “personal information” is defined by the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”¹ While the Act provides a list of examples of personal information – which explicitly includes “Internet Protocol Address” – it qualifies the examples by stating that they only fall within the definition of personal information if they identify, relate to, describe, are “capable of being associated with,” or “could be reasonably be linked” with a particular person.² There is a strong argument that a dynamic IP address (which is assigned to different computers at different times) may not fall within the definition of “personal information” under the CCPA as it may not be capable of being reasonably linked with a particular person. There may also be an argument that many static IP addresses may not be “reasonably” linked to a consumer if they are not combined with other information that would permit the easy identification of that consumer.

Assuming that a court or a regulator were to determine that a particular IP address did fall under the definition of “personal information,” and a consumer were to make a right to be forgotten request in connection with that IP address, the right to be forgotten is not absolute.³ The CCPA provides ten exceptions pursuant to which a business can refuse a deletion request. That said, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.⁴Of those ten exceptions, the following are most likely to apply to a request that a company delete an IP address from its weblogs:

Detect wrongdoing. If personal information is collected from a consumer because it is needed to detect security incidents, or protect the business against illegal actions (e.g., fraud, deception, etc.), it does not need to be deleted.⁵ To the extent that a company maintains a weblog to identify potential malicious activity impacting its website (e.g., hacking, unauthorized attempts to access information, patterns of suspicious activity, possible denial-of-service attacks, etc.), this exception could be asserted to deny a deletion request.
Repair errors. According to the CCPA, if personal information is necessary to “[d]ebug to identify and repair errors that impair existing intended functionality,” it does not need to be deleted.⁶ To the extent that a company maintains a weblog that contains IP addresses as part of its effort to identify and debug errors that may be occurring on its website (e.g., faulty page loads, broken links, etc.), this exception could be asserted to deny a deletion request.
Exercise legal right. If personal information collected from a consumer is needed for the business to “exercise another right provided for by law,” it does not need to be deleted.⁷ To the extent that a company maintains a weblog as part of its right to communicate with third parties and/or a right to understand the identity of those third parties that attempt to communicate with it, this exception might be asserted to deny a deletion request.
Internal uses aligned with consumer expectations. If personal information collected from a consumer will have “solely internal uses” for the business, and if those uses are “reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business,” the information does not need to be deleted.⁸ Note that, while the statute does not explicitly state whether a California court should look to the “expectations of the consumer” at the time that they provided the information to the business, presumably that is the relevant time period, as any other interpretation might render the exception a nullity (i.e., a consumer is likely to argue at the time of making a deletion request that they have no continued expectation of use). To the extent that a consumer would expect the company to collect IP addresses (e.g., such collection was disclosed as part of a privacy notice, or such collection has become industry standard practice), this exception might be available to deny a deletion request.
Internal uses aligned with the context of collection. If personal information collected from a consumer will be used “internally” and in a manner that is “compatible” with the “context in which the consumer provided the information,” than the information does not need to be deleted.⁹ While this exception is similar to the previous exception, unlike the previous exception, the use need not be aligned with the consumer’s expectations so long as it is compatible with the context of the original collection. Again, in the context of IP addresses, if a company uses IP address in a context in which the consumer provided the information (e.g., as disclosed in a privacy notice), this exception might be available to deny a deletion request.
Comply with legal obligations. If personal information collected from a consumer is needed to comply with a legal obligation (e.g., a statute that requires that the business maintain documentation relating to the consumer, a preservation hold issued as part of legal process, or a statute that requires that a company maintain weblogs as part of its overall security), the business is not required to delete the information.¹⁰In the context of IP addresses, if a company is required by law to maintain certain records – such as a weblog for security or audit trail purposes – this exception may be available to deny a deletion request.

CCPA Privacy FAQs: Is a business required to delete loyalty program information if it receives a deletion request from an active member?

Typically no.

Loyalty programs can be, and are, structured in a variety of different ways. Some programs track dollars spent by a consumer, others track products purchased. Some programs are free to participate in, others require consumers to purchase membership. Some programs offer consumers additional products, other programs offer prizes, money, or third party products. All loyalty programs share one thing in common however – they provide some form of reward to a consumer in recognition of (or in exchange for) their repeat purchasing patterns.

One of the rights conferred by the CCPA is the ability of a consumer to request that a business delete personal information “which the business has collected from the consumer.”¹ While numerous retailers have expressed confusion regarding whether that right requires the deletion of loyalty program related data, it is important to remember the right to deletion is not an absolute right and may rarely apply in the context of a loyalty program.

As an initial matter, because the right to deletion is limited to information that the business has collected “from” the consumer, if a business receives a deletion request under the CCPA, there is a strong argument that the business is permitted to keep information about the consumer that it developed itself (e.g., its transactions or experiences with the consumer), or information that it received from third parties (e.g., third party businesses that may participate in the loyalty program). As this information was not collected “from” the consumer, it arguably does not fall within the gambit of a deletion right.

In connection with information that is collected directly from a consumer (e.g., name, email address, enrollment details, etc.) there are several exceptions to the CCPA which would allow a business to refuse a deletion request. Specifically, the following exceptions to the right to deletion apply to personal information collected from a consumer as part of most loyalty programs:

Exception	Description of Exception	Applicability to Loyalty
Complete a Transaction	If personal information is maintained because it is necessary for a business to complete a transaction with the consumer, a business is not required to honor a deletion request.²	✓ Personal information is often needed by a company that offers a loyalty program in order to complete a transaction requested by a consumer in connection with the program. For example, if a consumer were to request to redeem loyalty points, a business may need to keep the consumer’s information in order to fulfill the request (e.g., to send earned products or services).
Provide a good or service	If personal information is maintained because it is necessary for a business to “provide a good or service requested by a consumer,” a business is not required to honor a deletion request.³	✓ Personal information is arguably needed in order to provide the service originally requested by the consumer – i.e., the operation of the loyalty program to which the consumer opted to become a member.
Detect wrongdoing.	If personal information is maintained because it is needed to detect security incidents, or “protect against malicious, deceptive, fraudulent, or illegal activity,” a business is not required to honor a deletion request.⁴	✓ Personal information is often needed by a loyalty program sponsor to protect against deceptive and fraudulent activity such as multiple accounts being created by a single consumer, or attempts to double count purchases or benefits.
Repair errors.	If personal information is maintained because it is necessary for a business to “identify and repair errors that impair existing intended functionality,” a business is not required to honor a deletion request.⁵	✓ Personal information is often needed by a loyalty program sponsor to identify any errors in its process for collecting, maintaining, or tracking accumulated points or value.
Internal uses aligned with consumer expectations.	If personal information is maintained because it is necessary for “solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business,” a business is not required to honor a deletion request.⁶	✓ Personal information is often needed by a loyalty program sponsor for numerous uses that are aligned with the expectation of the consumer at the time that they supplied information to the business. These typically include the operation of the rewards program, internal accounting relating to members’ accrued points, internal accounting relating to members’ requested benefits, auditing, and improving the operation of the overall program.
Internal uses aligned with the context of collection.	If personal information is maintained “internally” and in a manner that is “compatible” with the “context in which the consumer provided the information,” a business is not required to honor a deletion request.⁷	✓ Personal information is often used by a loyalty program in a manner that is compatible with the context in which the consumer provided the information. Such contexts are often disclosed in a loyalty program’s privacy notice and include the operation of the rewards program, internal accounting, auditing, and improving the operation of the overall program.
Comply with legal obligations.	If personal information maintained by a business is needed to comply with a legal obligation (e.g., a statute that requires that the business maintain documentation relating to the consumer), the business is not required to delete the information.⁸	✓ Personal information is often maintained in order to comply with tax, escheatment, and corporate accountability laws.

The net result is that most loyalty programs are permitted to refuse a request that a consumer’s personal information be deleted from an active loyalty account.

CCPA Privacy FAQs: Is a business required to provide access to all information about the consumer maintained through a loyalty program?