CCPA Privacy FAQs: Do the CCPA and the GDPR have the same exceptions to the right to be forgotten?

August 16, 2019

No.

The scope of the right to be forgotten differs under the CCPA and the GDPR in three important ways.

First, the CCPA states only that a business may have to delete the information that it obtained “from” the consumer.1  As a result, if a business obtains information about a consumer from other sources (e.g., third-party data brokers) or develops the information from its own experiences with the consumer (e.g., transactional information), arguably that information does not have to be deleted pursuant to a deletion request.  In comparison, the right to be forgotten under the GDPR extends both to data collected from a consumer directly and to data collected about the consumer from third-party sources.

Second, under the CCPA a consumer can request that data be forgotten regardless of the purpose for which the data was originally collected.  In comparison, the GDPR extends the right to be forgotten only if one of the following six conditions is present:

  1. The data is no longer necessary.2
  2. The processing was based on consent, the data subject has withdrawn that consent, and there is no other legal ground for the processing.3
  3. The processing was based upon the controller’s legitimate interest, the data subject has objected, and there are no overriding legitimate grounds for continuing the processing.4
  4. The data is being processed unlawfully.5
  5. Erasure is already required by law.6
  6. That data was collected from a child as part of offering an information society service.7

Third, the CCPA and the GDPR both contain exceptions where a business (or a controller in the language of the GDPR) is exempt from the deletion requirement.  As the chart below indicates, while those exceptions are similar, they are not identical:

Exception                                                       | CCPA   | GDPR
----------------------------------------------------------------|--------|---------
1. Complete a transaction                                       | Y [8]  | Y [9]
2. Detect wrongdoing                                            | Y [10] | Y/X [11]
3. Repair errors to data systems                                | Y [12] | Y/X [13]
4. Free speech                                                  | Y [14] | Y [15]
5. Exercise legal rights of the business, or establish a legal claim | Y [16] | Y [17]
6. Research                                                     | Y [18] | Y [19]
7. Internal uses aligned with consumer expectations             | Y [20] | X
8. Internal uses aligned with the context of collection         | Y [21] | X
9. Comply with legal obligations                                | Y [22] | Y [23]
10. Public interest to support public health                    | X      | Y [24]

Y = the statute provides the exception; X = no corresponding exception; Y/X = no explicit exception, but a comparable result may be reached through the legitimate-interest balancing described in the accompanying note.  Bracketed numbers refer to the notes below.


This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1.  Id.

2. GDPR, Article 17(1)(a).

3. GDPR, Article 17(1)(b).

4. GDPR, Article 17(1)(c).

5. GDPR, Article 17(1)(d).

6. GDPR, Article 17(1)(e).

7. GDPR, Article 17(1)(f); Article 8(1).

8. CCPA, Section 1798.105(d)(1).

9. GDPR, Article 17(1).  Note that while completing a transaction is not considered an exception to the right to be forgotten under the GDPR, the right to be forgotten is not conferred in the first instance where processing is based upon the performance of a contract pursuant to Article 6(1)(b).

10. CCPA, Section 1798.105(d)(2).

11. GDPR, Article 17(1)(c).  Note that while detecting wrongdoing is not an explicit exception to the right to be forgotten under the GDPR, controllers often process personal data to detect wrongdoing or illegal conduct pursuant to Article 6(1)(f) (the legitimate interest of the controller).  In situations in which processing is based upon Article 6(1)(f), and a deletion request is received, the controller must determine whether their legitimate interest in detecting wrongdoing is an “overriding legitimate grounds” when compared against the data subject’s objection to the ongoing processing.

12. CCPA, Section 1798.105(d)(3).

13. GDPR, Article 17(1)(c).  Repairing errors, or debugging a system, is not an explicit exception to the right to be forgotten under the GDPR.  To the extent that a controller were to engage in processing for such reasons pursuant to Article 6(1)(f) (the legitimate interest of the controller), the controller would have to determine whether its legitimate interest constitutes an “overriding legitimate grounds” when compared against the data subject’s request for deletion.

14. CCPA, Section 1798.105(d)(4).

15. GDPR, Article 17(3)(a).

16. CCPA, Section 1798.105(d)(4).

17. GDPR, Article 17(3)(e).

18. CCPA, Section 1798.105(d)(6).

19. GDPR, Article 17(3)(d).

20. CCPA, Section 1798.105(d)(7).

21. CCPA, Section 1798.105(d)(9).

22. CCPA, Section 1798.105(d)(8).

23. GDPR, Article 17(3)(b).  Note that under the GDPR, the “legal obligation” must be an obligation imposed by Union law or by the law of a Member State of the European Union to which the controller is subject.

24. GDPR, Article 17(3)(c).