- 1798.100 – Consumers right to receive information on privacy practices and access information
- 1798.105 – Consumers right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
Does a company have to forward a right to be forgotten request to a third party with whom it has shared personal information?
The majority of United States federal privacy laws do not include a right to be forgotten. Those that do – such as the Children’s Online Privacy Protection Act – only require that an organization which receives a right to be forgotten request delete the personal information in its possession and direct that its service providers do the same. COPPA does not require that an organization that receives a right to be forgotten request forward the request to third parties with whom it has shared information.
In California the CCPA requires that (in certain situations) a business “delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.”1 In situations in which a business has shared a consumer’s personal information with another business or a third party, the CCPA does not require business A to inform business B that a deletion request has been received. That said, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.2
In comparison, under the European GDPR when a controller receives a right to be forgotten request, and determines that it is required to delete information about an individual, the controller must “take reasonable steps” to “inform [other] controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.”3 It is unclear based upon the text of the GDPR whether this requirement requires controller A to notify controller B that the data subject has requested controller A to erase data, or whether the requirement requires controller A to notify controller B that a data subject has requested erasure by both controller A and B.