Is a business required to delete only 12 months of consumer information in response to a request to be forgotten?


Unlike a request for access,1 a business’s deletion obligation extends to all data held by the business regarding a consumer, unless an exception applies, irrespective of when that data was collected, generated or processed.  Neither the statutory text nor the regulations establish a “lookback period” for requests for deletion.  That said, a business is not obligated to delete consumer information that it is required to retain to comply with a legal obligation.2 As a consequence, a business may be required to retain data for a period of time under applicable law.