Does a business have to delete marketing information pursuant to a deletion request?

Maybe not.

While personal information is generally subject to deletion requests, the CCPA provides nine exceptions which, depending on a company’s data processing and retention practices, may provide an argument that marketing information does not need to be deleted.

Marketing programs generally fall into one of two categories: 1) value accrual programs (i.e. loyalty programs and paid memberships), and 2) general advertising programs (i.e. email marketing or other coupon-based marketing).  Information in value accrual programs, such as loyalty programs, may not need to be deleted as many of the exceptions directly impact these types of programs.  For example, there is a strong argument that companies need to retain loyalty program information in order to detect wrongdoing and provide an agreed upon service. General advertising programs, on the other hand, have fewer exceptions due to the fact that they do not provide a reward in recognition of purchasing patterns.

As an initial matter, because the right to deletion is limited to information that the business has collected “from” the consumer,1 if a business receives a deletion request under the CCPA there is a strong argument that the business is permitted to keep information about the consumer that it developed itself (e.g., its communications or experiences with the consumer), or information that it received from third parties (e.g., third party businesses that may participate in or assist with the marketing program).  As this information was not collected “from” the consumer, it likely does not fall within the gambit of a deletion right.

In connection with information that is collected directly from a consumer (e.g., name, email address, enrollment details, responses to emails, etc.), the CCPA allows a company to deny a deletion request if necessary to “enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.”2 This implies that a company who does not share its marketing information, and who publicly describes its internal purposes for retaining such information (e.g. for purposes of analytics or to comply with a retention schedule) may deny a request for deletion of that data. For example, a company whose privacy policy discloses that marketing-related data is retained for “x” amount of time may deny a deletion request to the extent the retention period has not lapsed, as the consumer arguably “expects” the company to follow their published retention schedule.

Note that the retention of marketing information does not mean that a company should continue to send the consumer marketing communications.  Presumably a consumer who requests that marketing-relating data be deleted intends that the company unsubscribe them from any marketing communications (if that intent is not clear, the company should consider clarifying the desire of the consumer).  It does mean, however, that a company may keep the information that it obtained from the consumer for internal purposes such as analytics concerning the effectiveness of past marketing campaigns, substantiation as to the consumer’s prior opt-in to marketing communications, or substantiation as to the consumer’s historic preferences (e.g., opt-out, unsubscribe, communication frequency, etc.).