Does the CCPA require companies to create a policy or procedure for processing right to be forgotten requests

BCLP

The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted and plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.

Q. Does the CCPA require companies to create a policy or procedure for processing right to be forgotten requests?

No.  While some companies may decide to create a written policy or procedure for processing right to be forgotten requests, other companies may decide that such a policy is unneeded.  The CCPA does not mandate that a written policy or procedure exist.

Similarly, the GDPR does not mandate that a company create a written policy or procedure for processing requests to be forgotten. The GDPR requires that controllers “be able to demonstrate compliance” with the core principles espoused by the regulation.1 The obligation to demonstrate compliance is sometimes referred to as the “accountability principle.”

Several of the core principles tangentially relate to the right to be forgotten.  For example, one of the core principles is that a controller must not keep personal data for “longer than is necessary for the purposes for which the personal data [is] processed.”2  The principle relates closely to an individual’s right to request that personal data be erased if it is “no longer necessary in relation to the purposes for which [it was] collected.”3

While a controller may have an obligation to “demonstrate compliance” with certain aspects of the right to be forgotten, doing so does not necessarily require that a company have a specific written policy or procedure discussing how it handles such requests. For example, if a company rarely receives right to be forgotten requests, and if such requests are effectively handled on an ad hoc basis, it may be able to demonstrate that the fact that individuals are notified how to submit such a request through the company’s privacy notice, and the fact that such requests are appropriately handled in practice, is sufficient to satisfy any obligation that the GDPR imposes to “demonstrate compliance.” On the other hand, companies that receive high volumes of right to be forgotten requests may find it difficult to handle such requests on an ad hoc basis – particularly if the volume necessitates that multiple people within the organization are responsible for responding to such requests (e.g., hundreds of call center representatives). In such a case, a company may find that the only effective way to process requests consistently is through the creation of written processes and procedures.

1. GDPR, Article 5(2).

2. GDPR, Article 5(1)(e).

3. GDPR, Article 17(1)(a).


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BCLP | Attorney Advertising
