Skip to Content

CCPA Deletion Exception - Research (105.d.6)

93  Matthew Burdick September 26, 2022  CCPA Right to Deletion

Overview:
A business or a service provider shall not be required to comply with a consumer's request to delete the consumer's personal information if it is necessary for the business or service provider to maintain the consumer's personal information in order to: Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the business' deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.


Action Items:
1) Establish a process to determine if one of the exceptions to the deletion right noted below applies. Deletion is not required where the Personal Information is necessary to: complete the transaction for which the Personal Information was collected; provide a good or service requested by the Consumer or reasonably anticipated within the context of a Business' ongoing relationship with the Consumer; or otherwise perform a contract between the Business and a Consumer; detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, or prosecute those responsible for that activity; debug and to identify and repair errors that impair functionality; exercise or ensure free speech or other legal rights; comply with the California Electronic Communications Privacy Act; engage in certain research in the public interest that adheres to all other applicable ethics and privacy laws, when deletion is likely to render impossible or seriously impair such research, if the Consumer has provided informed consent; undertake internal uses that are reasonably aligned with the expectations of the Consumer's relationship with the Business; comply with a legal obligation; and otherwise undertake internal uses in a lawful manner that are compatible with the context in which the Consumer provided the information.


Related Documents:
1) Privacy Notice
2) Evidence that consumers can submit a Verifiable Consumer Request (VCR), pursuant to request submission requirements
3) Sample of a VCR submitted by a consumer to ensure it captures all relevant data
4) List of service providers that consumer information is shared with


Additional Guidance:
Deletion Exceptions
Deletion is not required where the Personal Information is necessary to:
1) complete the transaction for which the Personal Information was collected; provide a good or service requested by the Consumer or reasonably anticipated within the context of a Business' ongoing relationship with the Consumer; or otherwise perform a contract between the Business and a Consumer
2) detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, or prosecute those responsible for that activity
3) debug and to identify and repair errors that impair functionality
4) exercise or ensure free speech or other legal rights
5) comply with the California Electronic Communications Privacy Act
6) engage in certain research in the public interest that adheres to all other applicable ethics and privacy laws, when deletion is likely to render impossible or seriously impair such research, if the Consumer has provided informed consent
7) undertake internal uses that are reasonably aligned with the expectations of the Consumer's relationship with the Business
8) comply with a legal obligation
9) otherwise undertake internal uses in a lawful manner that are compatible with the context in which the Consumer provided the information.
Not Rated
Secure Code