July 25, 2019

CCPA: The (Qualified) Right to Deletion


Yoni Bard, Scott Bloomberg

Foley Hoag LLP - Privacy & Data Security


The California Consumer Privacy Act (“CCPA”) is expected to become operative on January 1, 2020
and will usher in a new era of data privacy for consumers across the United States. The CCPA
establishes various rights for individuals, most notably the right to know about the collection, sale,
and disclosure of their personal information, the right to opt-out of the sale of their personal
information, and – the subject of today’s post – a limited right to request that their personal
information be deleted.

Under Section 1798.105 of the CCPA, upon receipt of a “verifiable consumer request,” a business
must “delete the consumer’s personal information from its records” and direct all of its service
providers to do the same. And businesses must tell consumers about this right so they know to
invoke it. Easy enough, right? Not really.

The right to deletion has a long list of exceptions. A business does not have to comply with a
deletion request if the business needs the consumer’s personal information for a reason related to
the business:

(1) providing goods or services to the consumer;
(2) detecting and resolving issues related to security or functionality;
(3) complying with legal obligations;
(4) conducting research in the public interest;
(5) exercising free speech or ensuring another’s exercise of free speech; or
(6) using the information for internal purposes that the consumer might expect.

Let’s run through a hypothetical to explore how these exceptions to the right to delete may operate
in practice. Suppose you run an ecommerce website that sells widgets in California. Joe Customer
places an order of widgets and, in doing so, provides you with his personal information, such as his
name, phone number, birthday, email address, IP address, home address, and credit card
information. Sometime after Joe Customer places his order, he discovers that he has been the
victim of identity theft and thinks it must have been caused by a breach in your system. Thinking
that your system is unsecure (even if it’s not), he sends you a request to delete all of his personal
information. How much information, if any, do you have to delete? Not as much as Joe might
expect.

First, if you have not yet shipped out the widget, you can retain at least some of Joe’s personal
information to facilitate the sale of goods under the first exception. Furthermore, if your widget
includes a warranty or a return period, you can likely retain Joe’s personal information to be able
to verify his transaction, issue a return, or apply the warranty. You also may be able to keep Joe’s
information under the security-incident detection exception. What if Joe was right, and his
identity theft was caused by a breach in your system? You may need to use his information to
address the security incident. Furthermore, if there was a security incident, you may have a legal
obligation (exception three, above) to notify Joe. You could thus retain his personal information
for notification purposes.

While the free speech and research exceptions probably do not apply to this hypothetical, the
internal use exceptions likely do. This category of exceptions applies broadly. One such exception
allows businesses to use consumers’ personal information for internal uses “that are reasonably
aligned with the expectations of the consumer based on the consumer’s relationship with the
business.” Another allows businesses to use personal information internally “in a lawful manner
that is compatible with the context in which the consumer provided the information.”

In our example, the internal use exceptions may include the uses related to return periods and
warranty periods noted above. But what about other uses? Would it be compatible with the
context in which Joe provided his personal information to use it for market research or analysis?
What if Joe did not just purchase one small widget, but was in fact one of the largest purchasers of
your company’s widgets? Does that change Joe’s expectations or the context in which Joe has
provided you his personal information? These are open questions.

At first glance, the CCPA’s right to deletion appears to be a powerful consumer protection. But, as
the hypothetical above illustrates, it can be significantly diluted by its exceptions, some of which
are vague and expansive. Some clarity, hopefully, will come from the Attorney General’s
anticipated CCPA regulations. Nevertheless, the right to deletion will present difficult decisions—
and operational challenges—for companies doing business in California.




DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be
acted upon without specific legal advice based on particular situations.

© Foley Hoag LLP - Privacy & Data Security 2020 | Attorney Advertising
