CCPA Privacy FAQs: Can a company decide whether to deidentify information or delete information if it receives a ‘right to be forgotten’ request?

August 19, 2019

Yes.

The CCPA states that people have a right to request that a business “delete any personal information about the consumer which the business has collected from the consumer.”1  Although the CCPA does not define what it means to “delete” information or specify how a business must carry out a deletion request, California courts are likely to accept at least two approaches to deletion. 

First, a business that receives a deletion request may choose to erase, shred, or irrevocably destroy the entirety of a record that contains personal information.  As part of that destruction, any personal information contained within the record will, necessarily, be “deleted.” 

Second, California courts are likely to accept the anonymization or de-identification of information as a form of deletion.  Among other things, a separate California statute (the “California data destruction statute”), which predates the CCPA, requires that businesses take “reasonable steps” to dispose of customer records that “contain[] personal information.”2  That statute recognizes that a customer record can be “dispos[ed]” of without its complete erasure by “modifying the personal information within the record to make it unreadable or undecipherable through any means.”3  As a result, if a business maintains a record, but modifies the portion of the record that contains “personal information” (e.g., deletes, redacts, replaces, or anonymizes name, address, Social Security Number, etc.), its actions conform to the California data destruction statute.  A strong argument can be made that a business that complies with the destruction standard under the California data destruction statute should be deemed to be in compliance with the deletion requirements of the CCPA, and, as a result, the removal of the portion of a record that contains personal information is sufficient to “delete” such information.  This approach is further supported by the fact that the CCPA expressly states that it does not impose any restriction on a business that “retain[s]” information that is “deidentified.”4  As a result, if a business de-identifies a record by modifying the personal information within it such that the personal information is no longer associated with an identified individual, the further retention of the record (i.e., the record absent the personal information) is not prohibited by the CCPA.5

It is worth noting that the use of de-identification or anonymization techniques to remove personal information from a record is also consistent with other California consumer protection statutes.  Specifically, in 2015, California enacted a statute that required operators of websites and mobile apps directed towards minors to “remove” content that a minor posted on a website if requested (the California “Erasure Button Law”).6  The Erasure Button Law specifically states that a company is not required to “erase or otherwise eliminate” such information if “the operator anonymizes the content or information” such that it “cannot be individually identified.”7 


This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. CCPA, 1798.105(a).

2. Cal. Civil Code 1798.81.

3. Cal. Civil Code 1798.81.

4. CCPA, Section 1798.145(a)(5).

5. It should be noted that while the California data destruction statute refers to the modification of the personal information so as to make it unreadable, the CCPA defines “deidentified” as meaning that the personal information “cannot reasonably identify, relate to, describe, be capable of being associated with or be linked, directly or indirectly, to a particular consumer,” so long as the business has processes in place for preventing reidentification attempts.  California courts have not indicated whether these two standards diverge.

6. Cal. Bus. & Prof. Code 22581(a)(1).

7. Cal. Bus. & Prof. Code 22581(b)(3).