If a business receives a deletion request, but is required by foreign law to retain the data, can it deny the request without violating the CCPA?

Likely, yes.

A consumer’s right to deletion is subject to a number of exceptions. One of these exceptions is to “comply with a legal obligation.”1 Thus, where retaining a consumer’s personal information is necessary to comply with a legal obligation, the business is not required to honor the deletion request. The CCPA does not identify, restrict, or qualify the type of legal obligation that triggers the exception. Thus, it is likely, though not certain, that a requirement to maintain personal data under foreign law would trigger the exception, such that a business would not be obligated to delete the personal data subject to the foreign law.

This is in marked contrast to the GDPR’s relationship with United States law. The GDPR states that a company does not have to honor a request to be forgotten if the processing is necessary for “compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject.” Many companies assume that they can use this exception if they are required by United States law to retain data. Unfortunately, the Article 29 Working Party (now the European Data Protection Board) – an influential, independent advisory body to the European Commission on data protection matters that was chiefly composed of representatives from each Member State’s supervisory authority – has implied that United States law cannot justify ongoing processing.