Do the CCPA and the GDPR have the same exceptions to the right to be forgotten?


The scope of the right to be forgotten under the CCPA and the GDPR differ in three important ways.

First, the CCPA states only that a business may have to delete the information that it obtained “from” the consumer.1  As a result, if a business obtains information about a consumer from other sources (e.g., third party data brokers) or develops the information from its own experiences with the consumer (e.g., transactional information), arguably that information does not have to be deleted pursuant to a deletion request. That said, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.2

In comparison, the right to be forgotten under the GDPR extends to data collected from a consumer directly and to data collected about the consumer from third party sources.

Second, under the CCPA a consumer can request that data be forgotten regardless of the purpose for which the data was originally collected.  In comparison, the GDPR extends the right to be forgotten only if one of the following six conditions is present:

  1. The data is no longer necessary.3
  2. The processing was based solely on consent.4
  3. The processing was based upon the controller’s legitimate interest, but that interest is outweighed by the data subject’s rights.5
  4. The data is being processed unlawfully.6
  5. Erasure is already required by law.7
  6. That data was collected from a child as part of offering an information society service.8

Third, the CCPA and the GDPR both contain exceptions where a business (or a controller in the language of the GDPR) is exempt from the deletion requirement.  As the chart below indicates, while those exceptions are similar, they are not identical:


Exception CCPA GDPR
1. Complete a transaction Y9 Y10
2. Detect wrongdoing Y11 Y/X12
3. Repair errors to data systems Y13 Y/X14
4. Free speech Y15 Y16
5. Exercise legal rights of the business, or establish a legal claim Y17 Y18
6. Research. Y19 Y20
7. Internal uses aligned with consumer expectations. Y21 X
8. Internal uses aligned with the context of collection Y22 X
9. Comply with legal obligations Y23 Y24
10.  Public interest to support public health. X Y25