CCPA Disclose the Right to Request Deletion (105.b)

Overview:
A business that collects personal information about consumers shall disclose, pursuant to Section 1798.130, the consumer's rights to request the deletion of the consumer's personal information.


Action Items:
1) Review existing methods for submitting deletion requests to your organization to verify that they comply with the CCPA.
2) Review existing policies or procedures for authenticating individuals that make deletion requests.
3) If no authentication policy exists, draft an appropriate policy for authentication of individuals that make data subject requests for deletion.
4) Draft a "playbook" that provides standard communications that can be sent to individuals who make deletion requests.
5) Train employees on the handling of deletion requests.
6) Verify that the policy in place facilitates the fulfillment of deletion requests within the time period permitted by the statute.
7) Review protocols for deleting personal information.
8) Review technological capabilities for doing a "hard delete" (i.e., an irrevocable deletion) and a "selective deletion" (i.e., deleting one individual's information without corrupting a larger set of data in the information system) from live systems.
9) Create and make available to Consumers the Submission Options noted below: The Business must make available to Consumers two or more designated methods for submitting requests, including, at a minimum, a toll-free telephone number, and if the Business maintains a website, a website address.
10) Establish a process to determine if one of the exceptions to the deletion right noted below applies.
11) Create a process to readily access the specific Personal Information the Business has about each Consumer, and develop a means to delete that Personal Information.
12) Provide notice to the Consumer about the right to request deletion and the process for making a request, either in a privacy policy or on the Business' website.
13) Create a tracking system of each deletion request and how it was handled to be able to demonstrate compliance.


Related Documents:
1) Privacy Notice
2) Evidence that consumers can submit a Verifiable Consumer Request (VCR), pursuant to request submission requirements
3) Sample of a VCR submitted by a consumer to ensure it captures all relevant data


Additional Guidance:
Right to Be Forgotten
The right to be forgotten (sometimes called the right of erasure or the right to deletion) refers to the ability of a person to request that a business delete the personal information that it holds about them. The right to be forgotten is often misinterpreted as being an absolute right when, in reality, it only applies in a limited number of situations.


Notice to Consumers of Deletion Right
The Business must inform Consumers of their right to request the deletion of their Personal Information.


Deletion Notification to Service Providers
The Business must also direct any service provider to delete the applicable Personal Information.


Deletion Exceptions
Deletion is not required where the Personal Information is necessary to:
1) complete the transaction for which the Personal Information was collected; provide a good or service requested by the Consumer or reasonably anticipated within the context of a Business' ongoing relationship with the Consumer; or otherwise perform a contract between the Business and a Consumer
2) detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, or prosecute those responsible for that activity
3) debug and to identify and repair errors that impair functionality
4) exercise or ensure free speech or other legal rights
5) comply with the California Electronic Communications Privacy Act
6) engage in certain research in the public interest that adheres to all other applicable ethics and privacy laws, when deletion is likely to render impossible or seriously impair such research, if the Consumer has provided informed consent
7) undertake internal uses that are reasonably aligned with the expectations of the Consumer's relationship with the Business
8) comply with a legal obligation
9) otherwise undertake internal uses in a lawful manner that are compatible with the context in which the Consumer provided the information.