The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative.  Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.

Q. Does a company have to forward a right to be forgotten request to a third party with whom it has shared personal information?

The majority of United States federal privacy laws do not include a right to be forgotten.  Those that do – such as the Children’s Online Privacy Protection Act – only require that an organization which receives a right to be forgotten request delete the personal information in its possession and direct that its service providers do the same.  COPPA does not require that an organization that receives a right to be forgotten request forward the request to third parties with whom it has shared information.

In California the CCPA requires that (in certain situations) a business “delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.”¹  In situations in which a business has shared a consumer’s personal information with another business or a third party, the CCPA does not require business A to inform business B that a deletion request has been received.

In comparison, under the European GDPR when a controller receives a right to be forgotten request, and determines that it is required to delete information about an individual, the controller must “take reasonable steps” to “inform [other] controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.”²  It is unclear based upon the text of the GDPR whether this requirement requires controller A to notify controller B that the data subject has requested controller A to erase data, or whether the requirement requires controller A to notify controller B that a data subject has requested erasure by both controller A and B.