California and European Privacy FAQs: Does the “right to be forgotten” under the California Consumer Privacy Act require that companies delete the same type of information as the “right to be forgotten” under the GDPR?

January 30, 2019

The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative.  Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA. 

Q. Does the “right to be forgotten” under the California Consumer Privacy Act require that companies delete the same type of information as the “right to be forgotten” under the GDPR? 

No. 

The GDPR confers a right (albeit a limited one that is subject to exceptions) for individuals to request that a controller erase all of the personal data concerning them. 1  In contrast, the CCPA states only that people have a right to request that a business delete personal information about the consumer “which the business has collected from the consumer.”2  As a result, if a business receives a deletion request under the CCPA there is a strong argument that the business is permitted to keep information about the consumer that:

  • It developed itself (e.g., its prior transactions or experiences with the consumer), or
  • It received from third parties (e.g., lead-lists, consumer reports, etc.)

1. GDPR, Article 17(1).

2. CCPA, 1798.105(a).