Understanding The CCPA Right To Deletion

By Ketch / November 10, 2021

The California Consumer Privacy Act (CCPA) is a data privacy law that affords rights to California consumers, giving them control over their personal information. Among these is the CCPA right to deletion, which allows consumers to request that business and their service providers delete the personal information collected from them.

To learn more about CCPA compliance and consent management platform software, contact the privacy experts at Ketch today. 

What Is “Deletion” Under The CCPA?

According to the CCPA, a business complies with deletion by:

  • Completely and permanently erasing someone’s personal information on its active systems
  • De-identifying personal information
  • Aggregating personal information

Businesses that store personal information on archived or backup systems can delay deletion compliance requests until said systems are either restored or re-accessed or used for a disclosure, sale, or commercial purpose.

What Information Needs To Be Deleted?

With some exceptions, the right to deletion applies to all CCPA personal information, which is defined as “information that identifies, relates to, or could reasonably be linked with” a California resident or household. 

This includes, but is not limited to, names, addresses, financial information, educational background, professional data, geo-location, biometrics, browsing and purchasing history, and profiles inferred from consumer preferences. 

What Are The Exceptions To CCPA Right To Deletion?

Businesses and service providers can forego deletion if the retention of personal information is necessary to:

  • Complete a transaction
  • Detect security incidents or protect against illegal activity; or prosecute those responsible for such acts
  • Debug to identify and repair errors
  • Exercise free speech
  • Comply with the California Electronic Communications Privacy Act (ECPA)
  • Engage in research, given that the consumer has provided informed consent
  • Enable solely internal uses aligned with consumer expectations
  • Comply with legal obligations
  • Use in a way that is compatible with the context in which the consumer provided the data

Can I Deny A Request To Delete?

Apart from the exceptions, businesses and service providers can also deny deletion requests if the identity of the individual requesting deletion can’t be verified or if the personal information in question wasn’t collected from the consumer by the business. 

How To Comply With CCPA Right To Deletion

In their regulation, the CCPA details what businesses must do to comply with consumers’ right to delete. These include updating your privacy policy, providing channels through which consumers can request that their data be deleted, and keeping a record of deletion requests.

Privacy Policy

Businesses must review and update their privacy policies to detail consumers’ data privacy rights, as well as explain how these rights can be exercised. A CCPA privacy policy, then, must disclose the right to deletion and describe the method to submit deletion requests.

Data Deletion Requests

Businesses are required to provide two methods to submit data deletion requests. These should fit the way your business interacts with your consumer. 

For example, a clothing shop that has a website can provide both a toll-free number and an online form their customers can use to submit their requests. These avenues should be separate from other contact points such as helplines or customer service emails.

Data Deletion Process

Upon receiving a data deletion request, a business must confirm receipt within ten days and provide information about how the request will be processed. A business must also inform the consumer within forty-five days, regardless of the time required to verify the request, whether it has complied with the request or not.

If the business complies, it has to inform the consumer that a record of the request will be kept to ensure that the data remains deleted.

If the business denies the request under an exemption, it must inform the consumer that it won’t comply, that it won’t delete any information that is subject to the exemption, and that it won’t use the data for any purpose other than the exemption. 

If the request is denied due to failed verification, a business must direct the consumer to proper processing.

Record-Keeping

Businesses must keep a record of CCPA-pursuant requests for at least twenty-four months. These should be maintained, and they can’t be used for any purpose other than those that comply with the law.

Conclusion: Compliance Is Key

The right to deletion is only one of four main rights afforded by the CCPA. Any business that does business in California or with California residents must comply with all of them. 

So it’s good practice to stay informed and to review your business’s current data practices to see if they are in line with the law. Otherwise, you’re at risk of paying hefty fines or losing business in the state.

Share this: