The CCPA does not specify how many deletion requests a consumer can send to a business each year. However, it does permit businesses to “refuse to act on” a deletion request if a consumer’s requests become “unfounded or excessive.”1 The Act specifically calls out “repetitive” requests as an example of an excessive practice.2 If a dispute arises between a business and a consumer regarding whether a particular quantity of requests is, or is not, excessive, the CCPA states that the “business shall bear the burden of demonstrating” that the quantity received is “manifestly . . . excessive.”3 One method that businesses may consider adopting when determining whether deletion requests are excessive, or in demonstrating that excessiveness, is to compare the quantity of deletion requests received from a particular consumer, with the quantity of deletion requests received from other consumers. To the extent that a particular consumer’s quantity of requests significantly departs from the behavior of most (or all) other consumers, a strong argument could be made that the requests have become repetitive and excessive.
For more information and resources about the CCPA visit http://www.CCPA-info.com.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. CCPA, Section 1798.145(i)(3). Note that the Second Modified Proposed Regulations did not clarify what quantity of deletion requests might constitute excessive or repetitive.
2. CCPA, Section 1798.145(i)(3).
3. CCPA, Section 1798.145(i)(3).
[View source.]