The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding its requirements, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation ("GDPR").
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
Pursuant to the CCPA, when a business receives a verified consumer request to delete personal information it generally should “delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.”1 The “right to be forgotten,” however, is not an absolute right. The CCPA includes more than nine exceptions where a business can refuse a deletion request.2 Of those exceptions, four may apply to data evidencing a consumer’s opt-in, or opt-out, preferences:
In comparison to the CCPA, the European GDPR states that a company does not have to honor a request to be forgotten if the processing is necessary for "compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject."9 Many companies assume that they can use this exception if they are required by United States law to retain data. Unfortunately, the Article 29 Working Party – the organization that preceded the European Data Protection Board – has implied that United States law cannot justify ongoing processing. In guidance issued under the Privacy Directive, which predated the GDPR, the Article 29 Working Party stated:
It is . . . important to emphasise that Article 7(c) [Article 6(1)(c) under the GDPR] refers to the laws of the European Union or of a Member State [of the European Union]. Obligations under the laws of third countries (such as, for example, the obligation to set up whistleblowing schemes under the Sarbanes-Oxley Act of 2002 in the United States) are not covered by this ground. To be valid, a legal obligation of a third country would need to be officially recognized and integrated in the legal order of the Member State concerned, for instance under the form of an international agreement.10
According to the Article 29 Working Party, when a foreign law (e.g., a law of the United States) requires the processing of information, an organization should base that processing upon Article 6(1)(f), which requires the organization to balance whether its legitimate interests in complying with the foreign law outweigh the interests of the data subject.11
In situations in which processing is based upon Article 6(1)(f) and a company receives a right to be forgotten request, the GDPR functionally treats the request as an objection to ongoing processing that is based upon the legitimate interest of the controller.12 When such an objection is received, the controller is obligated to determine whether there are "overriding legitimate grounds" for the processing to continue.13 In essence, the organization is required to conduct a balancing test to determine whether it can "demonstrat[e] compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject."14
In the context of a United States marketing law that requires an organization to maintain data, the balancing test envisioned by the GDPR will presumably come out in favor of the organization (i.e., it will permit the organization to retain the data over the data subject's objection). Similarly, in the context of a United States marketing law that requires opt-in consent but does not expressly mandate that the consent be maintained as a record, the balancing test will also typically come out in favor of the organization.
1. CCPA § 1798.105(c).
2. CCPA § 1798.105(d)(1)-(9); § 1798.145.
3. CCPA § 1798.105(d)(7).
4. CCPA § 1798.105(d)(8).
5. 47 CFR 64.1200(d).
6. 47 CFR 64.1200(d)(6).
7. CCPA § 1798.105(d)(9).
8. CCPA § 1798.145(a)(4).
9. GDPR, Article 17(3)(b).
10. Article 29 Working Party, WP 217: Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, at 19 (April 9, 2014).
12. GDPR, Article 17(1)(c).
13. GDPR, Article 17(1)(c); Article 21(1).
14. GDPR, Article 21(1).