If a company receives a ‘right to be forgotten’ request, does it have to delete the request itself?

Probably not.

The CCPA does not specifically state that a right to be forgotten request is, itself, exempt from the obligation to delete a consumer’s information, but maintaining the right to be forgotten request would arguably fall under one of the following exceptions:

  • Detect wrongdoing. The CCPA states that information does not need to be deleted if it is necessary to “protect against malicious, deceptive, fraudulent, or illegal activity.”1  To the extent that maintaining records of individuals that have submitted right to be forgotten requests is needed in order to protect against deception, the request, itself, can be maintained.  For example, many retailers may need to keep a notation of who has submitted a right to be forgotten request in order to ensure that bad actors that are later suspected of illegal activity (e.g., identity theft, misdirection of orders, etc.) have not covered their tracks via the submission of deletion requests.
  • Internal uses aligned with consumer expectations. If personal information collected from a consumer will have “solely internal uses” for the business, and if those uses are “reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business,” the information does not need to be deleted.2  Arguably the retention of a right to be forgotten request may align with the consumer’s expectation that the business not only processed the request, but keeps the amount of records necessary to be accountable for the request in the future.  It’s important to note, however, that the statute does not state whether a California court should evaluate the expectations of the consumer using a subjective standard or an objective standard.  If a court were to apply the latter standard than whether or not this exception applies could differ depending upon the expectations of each individual that submits a deletion request.
  • Internal uses aligned with the context of collection.  If personal information collected from a consumer will be used “internally” and in a manner that is “compatible” with the “context in which the consumer provided the information,” than the information does not need to be deleted.3 While this exception is similar to the previous exception, unlike the previous exception the use need not be aligned with the consumer’s expectations so long as it is compatible with the context of the original collection.  An argument could be made that maintaining records demonstrating when a deletion request was received, and how a business responded to the request, is inherently “compatible with the context” of the request itself.

In comparison, the GDPR sets forth five exceptions to the right to be forgotten.4  One of those exceptions is where personal data is “necessary: . . . for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject.”5  Article 5(2) of the GDPR requires that a controller “be able to demonstrate compliance with” the GDPR’s principles for processing data.  One of those principles is that the controller process data “lawfully, fairly, and in a transparent manner in relation to the data subject.”6  Another principle is that personal data be kept “for no longer than is necessary for the purposes for which the personal data [was] processed.” 7  A company could argue that retaining a right to be forgotten request, and a log of the actions taken in response to that request, is necessary to comply with the requirement within the GDPR that the company be able to demonstrate its lawful processing.   Another exception exists where “processing is necessary: . . . for the establishment, exercise or defense of legal claims.”8  A company also could argue that retaining a right to be forgotten request, as well as its response to such request, is necessary to defend against a claim by the data subject that the company failed to comply with the right to be forgotten.