CCPA Deletion of Records After Receipt of Consumer Request (105.c)


Overview:
A business that receives a verifiable consumer request from a consumer to delete the consumer's personal information pursuant to subdivision (a) of this section shall delete the consumer's personal information from its records and direct any service providers to delete the consumer's personal information from their records.


Action Items:
1) Review existing methods for submitting deletion requests to your organization to verify that they comply with the CCPA.
2) Review existing policies or procedures for authenticating individuals that make deletion requests.
4) Draft a "play book" that provides standard communications that can be sent to individuals that make deletion requests.
5) Train employees on the handling of deletion requests.
6) Verify that the policy in place facilitates the fulfillment of deletion requests within the time period permitted by the statute.
7) Review protocols for deleting personal information.
8) Review technological capabilities for doing a "hard delete" (i.e., an irrevocable deletion) and a "selective deletion" (i.e., deleting one individual's information without corrupting a larger set of data in the information system) from live systems.
9) Create and make available to Consumers the Submission Options noted below: The Business must make available to Consumers two or more designated methods for submitting requests, including, at a minimum, a toll-free telephone number, and if the Business maintains a website, a website address.
10) Create a process to readily access the specific Personal Information the Business has about each Consumer, and develop a means to delete that Personal Information.
11) Provide notice to the Consumer about the right to request deletion and the process for making a request, either in a privacy policy or on the Business' website.
12) Have the ability to identify service providers who might have received the Personal Information, and develop procedures to effectuate deletion by those providers. Ensure that any agreements with service providers include this obligation. The Business must also direct any service provider to delete the applicable Personal Information.
13) Create a tracking system of each deletion request and how it was handled to be able to demonstrate compliance.


Related Documents:
1) Privacy Notice
2) Evidence that consumers can submit a Verifiable Consumer Request (VCR), pursuant to request submission requirements
3) Sample of a VCR submitted by a consumer to ensure it captures all relevant data
4) List of service providers that consumer information is shared with


Additional Guidance:
Right to Be Forgotten
The right to be forgotten (sometimes called the right of erasure or the right to deletion) refers to the ability of a person to request that a business delete the personal information that it holds about them. The right to be forgotten is often misinterpreted as being an absolute right when, in reality, it only applies in a limited number of situations.


Notice to Consumers of Deletion Right
The Business must inform Consumers of their right to request the deletion of their Personal Information.


Deletion Notification to Service Providers
The Business must also direct any service provider to delete the applicable Personal Information.


Deletion Exceptions
Deletion is not required where the Personal Information is necessary to:
1) complete the transaction for which the Personal Information was collected; provide a good or service requested by the Consumer or reasonably anticipated within the context of a Business' ongoing relationship with the Consumer; or otherwise perform a contract between the Business and a Consumer
2) detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, or prosecute those responsible for that activity
3) debug to identify and repair errors that impair functionality
4) exercise or ensure free speech or other legal rights
5) comply with the California Electronic Communications Privacy Act
6) engage in certain research in the public interest that adheres to all other applicable ethics and privacy laws, when deletion is likely to render impossible or seriously impair such research, if the Consumer has provided informed consent
7) undertake internal uses that are reasonably aligned with the expectations of the Consumer's relationship with the Business
8) comply with a legal obligation
9) otherwise undertake internal uses in a lawful manner that are compatible with the context in which the Consumer provided the information.



Article ID: 87
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/ccpa-deletion-of-records-after-receipt-of-consumer-request-105-c-87.html