- 1798.100 – Consumers right to receive information on privacy practices and access information
- 1798.105 – Consumers right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
Does a business have to delete marketing information pursuant to a deletion request?
While personal information is generally subject to deletion requests, the CCPA provides nine exceptions which, depending on a company’s data processing and retention practices, may provide an argument that marketing information does not need to be deleted.
Marketing programs generally fall into one of two categories: 1) value accrual programs (i.e. loyalty programs and paid memberships), and 2) general advertising programs (i.e. email marketing or other coupon-based marketing). Information in value accrual programs, such as loyalty programs, may not need to be deleted as many of the exceptions directly impact these types of programs. For example, there is a strong argument that companies need to retain loyalty program information in order to detect wrongdoing and provide an agreed upon service. General advertising programs, on the other hand, have fewer exceptions due to the fact that they do not provide a reward in recognition of purchasing patterns.
As an initial matter, because the right to deletion is limited to information that the business has collected “from” the consumer,1 if a business receives a deletion request under the CCPA there is a strong argument that the business is permitted to keep information about the consumer that it developed itself (e.g., its communications or experiences with the consumer), or information that it received from third parties (e.g., third party businesses that may participate in or assist with the marketing program). As this information was not collected “from” the consumer, it likely does not fall within the gambit of a deletion right.
Note that the retention of marketing information does not mean that a company should continue to send the consumer marketing communications. Presumably a consumer who requests that marketing-relating data be deleted intends that the company unsubscribe them from any marketing communications (if that intent is not clear, the company should consider clarifying the desire of the consumer). It does mean, however, that a company may keep the information that it obtained from the consumer for internal purposes such as analytics concerning the effectiveness of past marketing campaigns, substantiation as to the consumer’s prior opt-in to marketing communications, or substantiation as to the consumer’s historic preferences (e.g., opt-out, unsubscribe, communication frequency, etc.).