The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
Q. How much time will a company have to respond to a right to be forgotten request under California law?
The CCPA was put together quickly (in approximately one week) as a political compromise to address a proposed privacy ballot initiative that contained a number of problematic provisions. (For more on the history of the CCPA, you can find a timeline that illustrates its history and development on page 2 of BCLP’s Practical Guide to the CCPA). Given its hasty drafting there are a number of areas in which the act is intentionally, or unintentionally, ambiguous, or silent. The amount of time that a company has to respond to a right to be forgotten request is one of those areas.
Section 130 of the CCPA purports to provide a 45 day time frame for businesses to use “[i]n order to comply” with Sections 105 of the Act. As Section 105 contains the right to be forgotten some people have assumed that the CCPA imposes a 45 day time period upon businesses to either delete information or to confirm with a consumer whether information will be deleted. The text of Section 130, however, states only that a business must “[d]islcose and deliver the required information to a consumer . . . within 45 days of receiving a verifiable consumer request from the consumer.” As the act of deletion does not “disclose” information to the consumer, read literally Section 130 does not impose any time frame for a business to complete a deletion request. It remains to be seen, however, what (if any) time period courts may read into the requirement that businesses delete information. While it is possible that some courts may disregard the “disclose and deliver” language within Section 130 and interpret the CCPA as imposing a 45 day time period for responding to a deletion request, the better approach would be to find that businesses have not violated the CCPA so long as they respond to consumer deletion requests in a reasonable period of time.
In comparison, the GDPR requires that an organization provide a person that makes a request for their data to be erased with “information on action[s] taken” within one month of receiving the request. The one month time period can be extended two additional months depending upon the “complexity and number” of requests that a person makes. If a company seeks to rely upon the extension it must inform the requestor of that fact within the first month.
Although the GDPR states that an organization must provide “information on actions taken,” it does not specifically state that the request must be fully completed during that time period. As a result, a company might argue that it has complied with the timing requirements of the GDPR if within one month it acknowledges a request and provides an update concerning the progress of the organization’s response (e.g., “We are searching our records for relevant information and, once that information is identified, will determine whether we are required to erase the data”).