- 1798.100 – Consumers' right to receive information on privacy practices and to access information
- 1798.105 – Consumers' right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers' right to receive information about onward disclosures
- 1798.120 – Consumers' right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
CCPA Privacy FAQs: Do the CCPA and the GDPR have the same exceptions to the right to be forgotten?
No.
The scope of the right to be forgotten under the CCPA and the GDPR differs in three important ways.
First, the CCPA states only that a business may have to delete the information that it obtained “from” the consumer.[1] As a result, if a business obtains information about a consumer from other sources (e.g., third-party data brokers) or develops the information from its own experiences with the consumer (e.g., transactional information), arguably that information does not have to be deleted pursuant to a deletion request. In comparison, the right to be forgotten under the GDPR extends both to data collected from a consumer directly and to data collected about the consumer from third-party sources.
Second, under the CCPA a consumer can request that data be forgotten regardless of the purpose for which the data was originally collected. In comparison, the GDPR extends the right to be forgotten only if one of the following six conditions is present:
- The data is no longer necessary.[2]
- The processing was based solely on consent.[3]
- The processing was based upon the controller’s legitimate interest, but that interest is outweighed by the data subject’s rights.[4]
- The data is being processed unlawfully.[5]
- Erasure is already required by law.[6]
- The data was collected from a child as part of offering an information society service.[7]
Third, the CCPA and the GDPR both contain exceptions where a business (or a controller in the language of the GDPR) is exempt from the deletion requirement. As the chart below indicates, while those exceptions are similar, they are not identical:
| Exception | CCPA | GDPR |
|---|---|---|
| 1. Complete a transaction | Y[8] | Y[9] |
| 2. Detect wrongdoing | Y[10] | Y/X[11] |
| 3. Repair errors to data systems | Y[12] | Y/X[13] |
| 4. Free speech | Y[14] | Y[15] |
| 5. Exercise legal rights of the business, or establish a legal claim | Y[16] | Y[17] |
| 6. Research | Y[18] | Y[19] |
| 7. Internal uses aligned with consumer expectations | Y[20] | X |
| 8. Internal uses aligned with the context of collection | Y[21] | X |
| 9. Comply with legal obligations | Y[22] | Y[23] |
| 10. Public interest to support public health | X | Y[24] |
Does a company have to forward a right to be forgotten request to a third party with whom it has shared personal information?
The majority of United States federal privacy laws do not include a right to be forgotten. Those that do – such as the Children’s Online Privacy Protection Act – only require that an organization which receives a right to be forgotten request delete the personal information in its possession and direct that its service providers do the same. COPPA does not require that an organization that receives a right to be forgotten request forward the request to third parties with whom it has shared information.
In California, the CCPA requires that (in certain situations) a business “delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.”[1] In situations in which a business has shared a consumer’s personal information with another business or a third party, the CCPA does not require business A to inform business B that a deletion request has been received. That said, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.[2]
In comparison, under the European GDPR, when a controller receives a right to be forgotten request and determines that it is required to delete information about an individual, the controller must “take reasonable steps” to “inform [other] controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.”[3] It is unclear from the text of the GDPR whether this provision requires controller A to notify controller B that the data subject has asked controller A to erase data, or whether it requires controller A to notify controller B that the data subject has requested erasure by both controller A and controller B.
If a company receives a ‘right to be forgotten’ request from one consumer, does it have to delete information it obtained from other consumers in the same household?
No.
The CCPA states only that a business may have to delete the information that it obtained “from” the consumer that submits the right to be forgotten request.[1] That said, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.[2] As a result, if a business obtained information from two consumers that reside in the same household, and receives a right to be forgotten request from one of those consumers, it does not need to delete the information that it obtained from the other consumer. As an example, if two individuals in the same household signed up to receive advertising from a retailer by mail, and one of those individuals exercised their right to be forgotten, the retailer could continue to send advertisements to the second individual.
If a Service Provider has already agreed to a Data Processing Addendum that complies with the GDPR, is a business required to renegotiate the contract for the CCPA?
No.
Article 28 of the GDPR requires that a controller “bind[]” every service provider to approximately thirteen substantive provisions; it also requires that contracts with service providers contain specific disclosures concerning the type of processing that will be covered by the agreement. In order to comply with this requirement, many companies put in place data processing addenda, or “DPAs,” designed to amend master service agreements to conform to the GDPR.
The CCPA requires that a service provider agree to three substantive restrictions involving its retention, use, and disclosure of personal information. While the CCPA does not mandate that a business include any other provisions in an agreement with a service provider, in order for a business to comply with its own obligations under the CCPA it must “push down” certain obligations onto its service providers. For example, if a business is required to delete a consumer’s personal information pursuant to a right to be forgotten request, the business will be unable to comply with that requirement if its service provider is unable to selectively and irrevocably delete data. The following chart compares the requirements that the GDPR imposes upon processors with those that a business should impose upon a service provider pursuant to the CCPA. As the chart indicates, a DPA that complies with all of the GDPR requirements will also satisfy each of the CCPA’s requirements.
| Requirement | GDPR | CCPA |
|---|---|---|
| Particulars | | |
| 1. Subject Matter. Description of the subject matter of processing. | ✓ Art. 23(3) | X |
| 2. Duration. Description of the duration of processing. | ✓ Art. 23(3) | X |
| 3. Nature and Purpose. Description of the nature and purpose of processing. | ✓ Art. 23(3) | X |
| 4. Type of Data. Description of the type of personal data to be processed. | ✓ Art. 23(3) | X |
| 5. Categories of Data. Description of the categories of data subjects to which the data relates. | ✓ Art. 23(3) | X |
| Restrictions | | |
| 6. Use Restrictions. A service provider can only process personal data consistent with a controller’s documented instructions. | ✓ Art. 28(3)(a) | ✓ § 1798.140(v) |
| 7. Disclosure Restrictions. Confidentiality provision that ensures that persons authorized to process personal data have committed themselves to confidentiality. | ✓ Art. 28(3)(b) | ✓ § 1798.140(v) |
| 8. Delete or Return Data. Service provider will delete or return data at the end of the engagement. | ✓ Art. 28(3)(g) | ✓ § 1798.140(v) |
| Security | | |
| 9. Security. Service provider will implement appropriate technical and organizational measures to secure information. | ✓ Art. 28(1); Art. 28(3)(c); Art. 32(1) | X |
| 10. Assisting Controller in Responding to Data Breach. Service provider will cooperate with controller in the event of a personal data breach. | ✓ Art. 28(3)(f); Art. 33–34 | X (although other California laws apply to data breach response) |
| Subprocessing | | |
| 11. Subcontractor Selection. A service provider must obtain written authorization before subcontracting, and must inform the Company before it makes any changes to its subcontractors. | ✓ Art. 28(2); Art. 28(3)(d) | X |
| 12. Subcontracting Flow-Down Obligations. Service provider will flow down these obligations to any subprocessors. | ✓ Art. 28(3)(d); Art. 28(4) | X |
| 13. Subcontracting Liability. A service provider must remain fully liable to the controller for the performance of a sub-processor’s obligations. | ✓ Art. 28(3)(d) | X |
| Data Subject / Consumer Requests | | |
| 14. Responding to Data Subjects. Service provider will assist the Company to respond to any requests by a data subject. | ✓ Art. 28(3)(e); Art. 12–23 | ✓ § 1798.105(c) (relating to deletion) |
| Miscellaneous | | |
| 15. Assisting Controller in Creating DPIA. Service provider will cooperate with controller in the event the controller initiates a data protection impact assessment. | ✓ Art. 28(3)(f); Art. 35–36 | X |
| 16. Audit Right. Service provider will allow Company to conduct audits or inspections for compliance with these obligations. | ✓ Art. 28(3)(h) | X |
| 17. Cross-Border Transfers. Service provider will not transfer data outside of the EEA without permission of Company. | ✓ Art. 28(3)(a); Art. 46 | X |
Does the CCPA exempt businesses from having to disclose privileged communications?
The California Consumer Privacy Act (“CCPA”) was enacted in early 2018 as a political compromise to stave off a poorly drafted, plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
Q. Does the CCPA exempt businesses from having to disclose privileged communications?
Yes and no.
The CCPA was put together quickly (in approximately one week) as a political compromise to address a proposed privacy ballot initiative that contained a number of problematic provisions. (For more on the history of the CCPA, you can find a timeline on page 2 of BCLP’s Practical Guide to the CCPA.) Given its hasty drafting, there are a number of areas in which the CCPA, intentionally or unintentionally, is at best ambiguous or at worst leads to unintended results. One of those areas deals with attorney-client communications.
The CCPA confers an obligation upon businesses (a term which could apply to many law firms and their corporate clients depending upon the factual circumstances) to provide privacy notices to individuals about whom information is collected, to provide individuals with access to information held about them, and, in some instances, to delete information about individuals upon their request. As it is currently written, the CCPA contains an exemption which states that the “obligations imposed on businesses by Sections 1798.110 to 1798.135 [of the CCPA], inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law . . . .”[1] While the exception presumably was intended to ensure that the CCPA did not require a business or an attorney to disclose privileged information, on its face it is limited to the obligations imposed by “Sections 1798.110 to 1798.135.” More specifically, on its face it does not apply to the obligations imposed by other sections of the CCPA, including Sections 1798.100 and 1798.105.
Sections 1798.100 and 1798.105 are particularly relevant when it comes to attorney-client privilege. Section 1798.100 contains the requirement that a business must, in response to an access request, “provide” to a consumer “specific pieces of personal information the business has collected” about the individual.[2] Section 1798.105 contains the requirement that a business must, in response to a valid deletion request, “delete the consumer’s personal information from its records. . . .”[3] The net result is that the statute does not on its face prevent a California resident from requesting that an attorney, or a business, disclose privileged information that relates to the California resident, nor does it prevent the California resident from requesting that a law firm (or its client) delete privileged information that relates to the individual.
Judicial interpretation (or intervention) may be needed to clarify whether the access and deletion rights of the CCPA are preempted by another federal, state, or local law that guarantees the confidentiality of attorney-client communications. Similarly, courts may need to determine whether an access or deletion request could be refused based upon the exception within the CCPA that none of the “rights afforded to consumers and the obligations imposed on the business” should “adversely affect the rights and freedoms of other consumers.”[4]