- 1798.100 – Consumers right to receive information on privacy practices and access information
- 1798.105 – Consumers right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
Is a business required to delete only 12 months of consumer information in response to a request to be forgotten?
Unlike a request for access,1 a business’s deletion obligation extends to all data held by the business regarding a consumer, unless an exception applies, irrespective of when that data was collected, generated or processed. Neither the statutory text nor the regulations establish a “lookback period” for requests for deletion. That said, a business is not obligated to delete consumer information that it is required to retain to comply with a legal obligation.2 As a consequence, a business may be required to retain data for a period of time under applicable law.
No.