If a business receives a right to be forgotten request from an employee, or a former employee, does it have to delete the requestor’s information?

Not necessarily.

As an initial matter, employees that are residents of California will not qualify as full “consumers” under the law until January 1, 2021.  Pursuant to an amendment to the CCPA enacted in 2019, the title shall not apply to “[p]ersonal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business.”¹  As of the date of this writing, this provision will expire on January 1, 2021, and employees will be considered full “consumers” under CCPA on that date.

That said, assuming that employees are consumers, there are a number of exceptions to the consumer’s right to deletion that may be applications.  Specifically, the business may argue that the employee’s request for deletion cannot be granted based on one or more statutory exceptions outlined above.  In particular, the business may argue that it has a legal obligation to retain the data, and that the data is required to carry out a transaction with the employee.² This list is by no means exhaustive. Finally, it should be noted that even apart from the specific exceptions to the consumer’s right to deletion articulated in section 1798.105 of CCPA, the business also is not required to take any action that would violate other state or federal obligations imposed upon it, including federal employment laws.³

For more information and resources about the CCPA visit http://www.CCPA-info.com.

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. CCPA, Section 1798.145(h)(1)(A).

2. CCPA, Section 1798.105(d)(1) and (8).

3. CCPA, Section 1798.145(a).