How to Respond to Consumer Requests to "Delete My Data"

Blog post Elena Lovoy 2020-07-02

Many businesses subject to the California Consumer Privacy Act (CCPA) had hoped that final regulations would be in place before the July 1st enforcement date of the CCPA. The CCPA specifically requires the California Attorney General (AG) to “[o]n or before July 1, 2020, … adopt regulations to further the purposes of [the CCPA].” The enforcement date of the CCPA, however, remains “carved in stone,” even if regulations are not in place by July 1st. The CCPA provides that “[t]he Attorney General shall not bring an enforcement action … until six months after the publication of the final regulations … or July 1, 2020, whichever is sooner.”

The proposed final regulations released by the California Attorney General’s office on June 1, 2020 could still make it through the administrative review process by July 1st, but the clock is ticking down. Although the regulations may not be in place by July 1st, businesses should still review the proposed final regulations and the accompanying “Statement of Reasons” released by the AG as they provide helpful guidance on implementing a number of the CCPA’s requirements, including how to respond to consumer requests to delete any personal information (PI) about the consumer that a business has collected from the consumer.

Background on “Delete My Data” Requests

The CCPA granted consumers new rights regarding their PI, including the right to request that a business delete any PI about the consumer that the business has collected from the consumer (a “delete my data” request). A business that receives a verifiable request from a consumer to delete the consumer’s PI must delete the consumer’s PI from its records and also direct any service providers to delete the consumer’s PI from their records.

A business or service provider is not required to comply with a “delete my data” request if the business or service provider must maintain the consumer’s PI for any of the following reasons:

Fulfill B2C Transaction - Complete the transaction for which the PI was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’ ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.

Customary Internal Uses - Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity. Debug to identify and repair errors that impair existing intended functionality.

Exercise or Comply with Legal Rights or Requirements - Exercise free speech, ensure the right of another consumer to exercise that consumer’s right of free speech, or exercise another right provided for by law. Comply with the California Electronic Communications Privacy Act pursuant to the state’s Penal Code. Comply with a legal obligation.

Research Purposes - Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the business’ deletion of PI is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.

Compatible Uses - To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business. Otherwise use the consumer’s PI, internally, in a lawful manner that is compatible with the context in which the consumer provided the PI.

How to Respond to “Delete My Data” Requests

Takeaways

Although the proposed final regulations may not be approved “as is,” businesses should review the current text of the regulations and begin preparing to update their CCPA compliance programs to incorporate these regulatory requirements.
