Does a business have to delete information from their point of sale system pursuant to a deletion request?

Probably not.

Point of sale systems typically collect and retain inherently “personal information” as defined by the CCPA, such as the customer’s name, address, phone number, email, and payment information.[1] While personal information is generally subject to deletion requests, the CCPA provides nine exceptions which, together, create a strong argument that point of sale information does not need to be deleted. Although there is no “one size fits all” exception, the chart below outlines how each exception may apply to point of sale information.

Note that retaining point of sale information indefinitely is probably not defensible. Regardless of what exception a business uses, maintaining a current and enforceable record retention schedule can bolster the overarching argument that point of sale information should be retained in lieu of a deletion request.

Exception: Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.[2]
Application: This exception applies to the extent that any portion of a transaction between the consumer and the business is not yet complete. For example, if the product is in transit, has not yet been shipped, has a product return or warranty period that has not yet expired, or has a contract term that has not yet expired, the business may be able to deny a deletion request for personal information stored in the point of sale records.

Exception: Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.[3]
Application: This exception is primarily relevant to online purchases. To the extent the personal information is necessary to prevent malicious or fraudulent activity through an online storefront, a business may be able to deny a deletion request for personal information stored in the point of sale records. A brick and mortar business may also be able to rely on this exception if it maintains a loyalty program. To the extent personal information is needed by a loyalty program sponsor to protect against deceptive and fraudulent activity such as multiple accounts being created by a single consumer, or attempts to double count purchases or benefits, a strong argument exists for refusing a deletion request.

Exception: Debug to identify and repair errors that impair existing intended functionality.[4]
Application: This exception is primarily relevant to online purchases but may have applicability to brick and mortar stores depending on the type of point of sale system used. To the extent the personal information is necessary to identify bugs or errors in the point of sale system, a business may be able to deny a deletion request for personal information stored in the point of sale records.

Exception: Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.[5]
Application: Likely does not apply.

Exception: Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.[6]
Application: This exception applies if a business has received a government request for the personal information of an individual under the terms of the California Electronic Communications Privacy Act.

Exception: Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.[7]
Application: Likely does not apply.

Exception: To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.[8]
Application: This exception allows a business to deny a deletion request if it can show that the consumer expected the continued use of the information. Thus, any continued use that is outlined in the privacy policy or otherwise communicated to the consumer at the point of collection may be used as a defense to deletion under this exception. An argument for this exception becomes exponentially stronger if a business maintains a record retention schedule that is disclosed or referenced in the privacy policy.

Exception: Comply with a legal obligation.[9]
Application: A business may be able to rely on this exception to comply with financial and tax record retention laws or if an event has triggered a legal hold on document disposal.

Exception: Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.[10]
Application: This exception is extremely broad and arguably encompasses any business use of personal information that is compatible with the context in which the consumer provided the information. “Compatible” is defined as “capable of existing together in harmony,”[11] so as long as the business’s continued use is not contradictory to the original collection, a deletion request may arguably be denied.