- 1798.100 – Consumers right to receive information on privacy practices and access information
- 1798.105 – Consumers right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
Does the “right to be forgotten” under the California Consumer Privacy Act require that companies delete the same type of information as the “right to be forgotten” under the GDPR?
No.
The GDPR confers a right (albeit a limited one that is subject to exceptions) for individuals to request that a controller erase all of the personal data concerning them. 1 In contrast, the CCPA states only that people have a right to request that a business delete personal information about the consumer “which the business has collected from the consumer.”2 That said, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.3
As a result, if a business receives a deletion request under the CCPA there is a strong argument that the business is permitted to keep information about the consumer that:
- It developed itself (e.g., its prior transactions or experiences with the consumer), or
- It received from third parties (e.g., lead-lists, consumer reports, etc.)