The CCPA does not specifically state that a right to be forgotten request is, itself, exempt from the obligation to delete a consumer’s information, but maintaining the right to be forgotten request would arguably fall under one of the following exceptions:
In comparison, the GDPR sets forth five exceptions to the right to be forgotten.4 One of those exceptions is where personal data is “necessary: . . . for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject.”5 Article 5(2) of the GDPR requires that a controller “be able to demonstrate compliance with” the GDPR’s principles for processing data. One of those principles is that the controller process data “lawfully, fairly, and in a transparent manner in relation to the data subject.”6 Another principle is that personal data be kept “for no longer than is necessary for the purposes for which the personal data [was] processed.”7 A company could argue that retaining a right to be forgotten request, and a log of the actions taken in response to that request, is necessary to comply with the requirement within the GDPR that the company be able to demonstrate its lawful processing. Another exception exists where “processing is necessary: . . . for the establishment, exercise or defense of legal claims.”8 A company also could argue that retaining a right to be forgotten request, as well as its response to such request, is necessary to defend against a claim by the data subject that the company failed to comply with the right to be forgotten.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. CCPA, Section 1798.105(d)(2).
2. CCPA, Section 1798.105(d)(7).
4. GDPR, Article 17(3)(a)-(e).
5. GDPR, Article 17(3)(b).
6. GDPR, Article 5(1)(a).
7. GDPR, Article 5(1)(e).
8. GDPR, Article 17(3)(e).