CCPA Privacy FAQs: Do the CCPA and the GDPR have the same exceptions to the right to be forgotten?


The scope of the right to be forgotten under the CCPA and the GDPR differ in three important ways.

First, the CCPA states only that a business may have to delete the information that it obtained “from” the consumer.1  As a result, if a business obtains information about a consumer from other sources (e.g., third party data brokers) or develops the information from its own experiences with the consumer (e.g., transactional information), arguably that information does not have to be deleted pursuant to a deletion request.  In comparison, the right to be forgotten under the GDPR extends to data collected from a consumer directly and to data collected about the consumer from third party sources.

Second, under the CCPA a consumer can request that data be forgotten regardless of the purpose for which the data was originally collected.  In comparison, the GDPR extends the right to be forgotten only if one of the following six conditions is present:

  1. The data is no longer necessary.2
  2. The processing was based solely on consent.3
  3. The processing was based upon the controller’s legitimate interest, but that interest is outweighed by the data subject’s rights.4
  4. The data is being processed unlawfully.5
  5. Erasure is already required by law.6
  6. That data was collected from a child as part of offering an information society service.7

Third, the CCPA and the GDPR both contain exceptions where a business (or a controller in the language of the GDPR) is exempt from the deletion requirement.  As the chart below indicates, while those exceptions are similar, they are not identical:


Exception CCPA GDPR
1. Complete a transaction Y8 Y9
2. Detect wrongdoing Y10 Y/X11
3. Repair errors to data systems Y12 Y/X13
4. Free speech Y14 Y15
5. Exercise legal rights of the business, or establish a legal claim Y16 Y17
6. Research. Y18 Y19
7. Internal uses aligned with consumer expectations. Y20 X
8. Internal uses aligned with the context of collection Y21 X
9. Comply with legal obligations Y22 Y23
10.  Public interest to support public health. X Y24