Do the CCPA and the GDPR have the same exceptions to the right to be forgotten?

No.

The scope of the right to be forgotten under the CCPA and the GDPR differ in three important ways.

First, the CCPA states only that a business may have to delete the information that it obtained “from” the consumer.¹  As a result, if a business obtains information about a consumer from other sources (e.g., third party data brokers) or develops the information from its own experiences with the consumer (e.g., transactional information), arguably that information does not have to be deleted pursuant to a deletion request. That said, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.²

In comparison, the right to be forgotten under the GDPR extends to data collected from a consumer directly and to data collected about the consumer from third party sources.

Second, under the CCPA a consumer can request that data be forgotten regardless of the purpose for which the data was originally collected.  In comparison, the GDPR extends the right to be forgotten only if one of the following six conditions is present:

1. The data is no longer necessary.³
2. The processing was based solely on consent.⁴
3. The processing was based upon the controller’s legitimate interest, but that interest is outweighed by the data subject’s rights.⁵
4. The data is being processed unlawfully.⁶
5. Erasure is already required by law.⁷
6. That data was collected from a child as part of offering an information society service.⁸

Third, the CCPA and the GDPR both contain exceptions where a business (or a controller in the language of the GDPR) is exempt from the deletion requirement.  As the chart below indicates, while those exceptions are similar, they are not identical: