CCPA Privacy FAQs: If a company receives a right to be forgotten request, does it always have to delete the requestor’s information?

June 27, 2019

No.

Although the CCPA indicates that consumers “have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer,” that right is not absolute.1

As a threshold matter, the CCPA states only that a business may have to delete the information that it obtained “from” the consumer.2  As a result, if a business obtains information about a consumer from other sources (e.g., third party data companies) or develops the information from its own experiences with the consumer (e.g., transactional information), arguably that information does not have to be deleted pursuant to a deletion request. 

Even in situations in which a consumer provides information directly to a business, the CCPA provides ten exceptions pursuant to which a business can refuse a deletion request:

  • Complete a transaction. If personal information is collected because it is necessary for a business to complete a transaction with the consumer, or provide a product or services to the consumer, or is part of the business’s ongoing relationship with the consumer it does not need to be deleted.3
  • Detect wrongdoing. If personal information is collected from a consumer because it is needed to detect security incidents, or protect the business against illegal actions (e.g., fraud, deception, etc.) it does not need to be deleted.4
  • Repair errors. According to the CCPA, if personal information is necessary to “[d]ebug to identify and repair errors that impair existing intended functionality” it does not need to be deleted.5  It should be noted that the CCPA, and the legislative history leading up to the CCPA, do not explain what use-cases may fall under this exception.
  • Free speech. If personal information collected from a consumer relates to the free speech of the business, or the free speech of another Californian, it does not need to be deleted.6
  • Exercise legal right. If personal information collected from a consumer is needed for the business to “exercise another right provided for by law” it does not need to be deleted.7
  • CalECPA Compliance. If personal information collected from a consumer is needed in order for the business to comply with the California Electronic Communications Privacy Act it does not need to be deleted.8
  • If personal information collected from a consumer is needed to engage in research – whether that research is public, peer-reviewed scientific, historical, or statistical -- it does not need to be deleted.  Note, however, that in order to qualify for this exception the deletion of the information may need to impair the integrity of the research.9
  • Internal uses aligned with consumer expectations. If personal information collected from a consumer will have “solely internal uses” for the business, and if those uses are “reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business,” the information does not need to be deleted.10  Note, that while the statute does not explicitly state whether a California court should look to the “expectations of the consumer” at the time that they provided the information to the business, or at the time that they made a deletion request, presumably the relevant time period is when the consumer provided the information to the business as any other interpretation might render the exception a nullity (i.e., a consumer is likely to argue at the time of making a deletion request that they had/have no continued expectation of use).  Furthermore there is uncertainty as to whether a California court would evaluate the expectations of the consumer using a subjective standard or an objective standard. 
  • Internal uses aligned with the context of collection.  If personal information collected from a consumer will be used “internally” and in a manner that is “compatible” with the “context in which the consumer provided the information,” than the information does not need to be deleted.11 While this exception is similar to the previous exception, unlike the previous exception the use need not be aligned with the consumer’s expectations so long as it is compatible with the context of the original collection.
  • Comply with legal obligations.  If personal information collected from a consumer is needed to comply with a legal obligation (e.g., a statute that requires that the business maintain documentation relating to the consumer), the business is not required to delete the information.12

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. CCPA, Section 1798.105(a).

2. Id.

3. CCPA, Section 1798.105(d)(1).

4. CCPA, Section 1798.105(d)(2).

5. CCPA, Section 1798.105(d)(3).

6. CCPA, Section 1798.105(d)(4).

7. CCPA, Section 1798.105(d)(4).

8. CCPA, Section 1798.105(d)(5).

9. CCPA, Section 1798.105(d)(6).

10. CCPA, Section 1798.105(d)(7).

11. CCPA, Section 1798.105(d)(9).

12. CCPA, Section 1798.105(d)(8).