The Practical Guide to the California Consumer Privacy Act: Part 3

BCLP

The California Consumer Privacy Act of 2018 (“CCPA”) is arguably the most comprehensive - and complex - data privacy regulation in the United States.  The CCPA was designed to emulate the European General Data Protection Regulation (“GDPR”) in many respects.  As a result, United States companies that thought that they were not subject to the GDPR are now laser-focused on the requirements of the CCPA and rushing to verify that their practices comply with the statute.  While the CCPA was drafted with an eye toward the GDPR, it also differs from that regulation in many respects.  As a result, companies that just finished their push to come into compliance with the GDPR now also must redirect their attention toward the CCPA.

Quick Overview

The right to be forgotten (sometimes called the right of erasure or the right to deletion) refers to the ability of a person to request that a company delete the personal information that the company holds about them.  The right to be forgotten is often misinterpreted as being an absolute right when, in reality, it only applies in a limited number of situations.

Comparison to Other Privacy Laws

The right to be forgotten is not a new concept and has long been a cornerstone of European data privacy law.  Indeed, the right was included within the Privacy Directive, which was put into place in 1995, and was carried over into the current GDPR.  Like the CCPA, the GDPR confers a limited right to be forgotten.  The following compares the exceptions to the exercise of the right under both laws:

| Situations in which a company is not required to delete information | CCPA | GDPR |
|---|---|---|
| Information is necessary to complete a transaction requested by the data subject or to perform a contract. | Deletion is not required. | Deletion is not required. |
| Information is necessary to detect security incidents. | Deletion is not required. | Deletion may be required in some circumstances; may not be required in other circumstances. |
| Information is necessary to protect against deceptive, fraudulent or illegal activity. | Deletion is not required. | Deletion may be required in some circumstances; may not be required in other circumstances. |
| Information is necessary to identify and repair errors. | Deletion is not required. | Deletion may be required in some circumstances; may not be required in other circumstances. |
| Information is necessary to promote free speech. | Deletion is not required. | Deletion is not required. |
| Information is necessary for scientific, historical or statistical research in the public interest. | Deletion is not required. | Deletion is not required. |
| Information is necessary for internal uses of a company, if those uses are reasonably expected by consumers. | Deletion is not required. | Deletion may be required in some circumstances; may not be required in other circumstances. |
| Information is necessary to comply with a legal obligation. | Deletion is not required. | Deletion may be required in some circumstances; may not be required in other circumstances. |
| Information is used internally in a manner that is compatible with the context of the collection. | Deletion is not required. | Deletion may be required in some circumstances; may not be required in other circumstances. |

While the majority of United States data privacy laws do not include a right to be forgotten, the Children’s Online Privacy Protection Act (“COPPA”) has an analogous provision.  COPPA regulates the online collection of information from children under the age of 13.  Pursuant to the rules implementing COPPA, parents have a right to review “or have deleted the child’s personal information.”  In addition to COPPA, California previously enacted what is often referred to as the “Eraser Button Law” that permits children under the age of 18 to delete or de-identify information that they posted online.

To Do List

To comply with the CCPA, companies should:

  • Review existing methods for submitting deletion requests to verify that they comply with the CCPA.
  • Review existing policies or procedures for authenticating individuals who make deletion requests.
  • If no authentication policy exists, draft an appropriate policy for authenticating individuals who make data subject requests.
  • Draft a “play book” that provides standard communications that can be sent to individuals who make deletion requests.
  • Train employees on how to handle deletion requests.
  • Verify that the policies in place facilitate the fulfillment of deletion requests within the time period permitted by the statute.
  • Review protocols for deleting personal information.
  • Review technological capability for doing a “hard delete” (i.e., an irrevocable deletion) and a “selective deletion” (i.e., deleting one individual’s information without corrupting a larger information system).

Cross References

| CCPA Provisions | GDPR Provisions |
|---|---|
| Cal. Civil Code 1798.105(a), (d)(1)-(9) | Recital 66; Article 17 |


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BCLP | Attorney Advertising
