Among the challenges presented by the increasing number of state privacy laws are identifying how consumer rights differ under each of the various laws and operationalizing a workflow for responding to rights requests that ensures compliance with each. In this post, we will focus on consumers’ “right to delete” under the California Consumer Privacy Act (the “CCPA”), the California Privacy Rights Act, which amends and will essentially replace the CCPA on January 1, 2023 (the “CPRA”), and the Virginia Consumer Data Protection Act (the “VCDPA”). We note that the EU General Data Protection Regulation (“GDPR”) and laws around the world that are being adopted following the GDPR model also contains a right to delete which is quite broad (“right to obtain . . . erasure of personal data concerning him or her”), though subject to a number of exceptions.
Statement of the Right- What Must Be Deleted?
Subject to the exceptions described below, the CCPA, CPRA and VCDPA each provide that a consumer has the right to request that a business delete their personal information, but they differ in certain respects, including their scope. The CCPA provides that consumers “… have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer [emphasis added].” The CPRA does not amend the wording of this right.
The VCDPA provides that consumers “… have the right to delete personal data provided by or obtained about the consumer [emphasis added].” The VCDPA’s deletion right is therefore broader than that provided by the CCPA and CPRA, in that it applies to personal information that a business has collected from a consumer or that the business has collected about a consumer from another source.
The CCPA regulations allow a business to present a consumer with the choice to delete select portions of their personal information as long as a global option to delete all personal information collected from them is also offered and more prominently presented than the other choices. The CCPA regulations also provide that a business may use a two-step process for online requests to delete, where the consumer must first submit the request to delete and then, second, separately confirm that they want their personal information deleted. Presumably, the regulations promulgated under the CPRA will contain similar provisions, but they have not yet been published. The VCDPA does not include similar provisions.
The CCPA, CPRA and VCDPA each provide for exceptions to a business’s general obligation to delete personal information that a consumer has requested to be deleted. Below is a chart describing the various uses of personal information that will allow a business to retain the relevant personal information subject to these laws, even when a consumer has requested the business to delete it.
*The CCPA and CPRA provide that the exception is available only if: (a) deletion of the information is likely to render impossible or seriously impair the ability to complete such research; and (b) the consumer has provided informed consent.
**The VCDPA requires that the research be approved, monitored, and governed by an institutional review board, or similar independent oversight entities, that determine whether: (i) the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller; (ii) the expected benefits of the research outweigh the privacy risks; and (iii) the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification.
†The CPRA also requires that such uses be compatible with the context in which the consumer provided the information in order to qualify for the exception.
Process for Requesting the Deletion of Personal Information
CCPA. The CCPA regulations provide that a business must provide consumers with two or more designated methods for submitting requests to delete. The CCPA regulations specify that acceptable methods for submitting these requests include a toll-free phone number, a link or webform available online through the business’s website, a designated email address, a form submitted in person, and a form submitted through the mail.
CPRA. The CPRA also requires a business to provide consumers with two or more designated methods for submitting requests to delete, but specifies that one of those methods must be a toll-free number. However, the CPRA also provides that a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information is only required to provide an email address for submitting requests for deletion.
VCDPA. The VCDPA provides that a controller must establish, and describe in a privacy notice, one or more “secure and reliable means” for consumers to submit a request for deletion. Such means must take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request.
Responding to Requests to Delete
Timing. The CCPA and CPRA require businesses to confirm receipt of a deletion request within 10 business days of receiving the request and to respond to requests to delete within 45 calendar days. The VCDPA also requires a response to a consumer’s request be provided within 45 calendar days, but does not require the delivery of a confirmation. Under the CCPA, CPRA and VCDPA, the response period may be extended once by an additional 45 days when reasonably necessary, so long as the business informs the consumer of any such extension within the initial 45-day response period, together with the reason for the extension.
Mechanics of Deletion. The CCPA regulations provide that a business must comply with a consumer’s request to delete their personal information by:
- permanently and completely erasing the personal information on its existing systems with the exception of archived or back-up systems;
- deidentifying the personal information; or
- aggregating the consumer information.
Presumably, the regulations promulgated under the CPRA will contain a similar provision. The VCDPA does not specify how personal information is to be deleted.
Notification of Deletion. The CCPA and the CPRA provide that when a business deletes personal information upon the request of a consumer, it also must notify its service providers (and, for the CPRA, its contractors) of the request to delete. In addition, the CPRA requires such a business to notify all third parties to whom the business sold or shared the personal information of the request to delete, unless this proves impossible or involves disproportionate effort (what constitutes disproportionate effort will be addressed in the regulations promulgated under the CPRA). The VCDPA does not contain a similar provision, but does provide that a processor must adhere to the instructions of a controller and must assist the controller in meeting the controller’s obligations under the VCDPA.
Archived Personal Information. The CCPA regulations provide that if a business stores any personal information on archived or backup systems, it may delay compliance with the consumer’s request to delete, with respect to data stored on the archived or backup system, until the archived or backup system relating to that data is restored to an active system or next accessed or used for a sale, disclosure, or commercial purpose. Presumably, the regulations promulgated under the CPRA will contain a similar provision. The VCDPA does not contain a similar provision.
Data privacy legislation is working its way through legislatures in many states. There will likely be new laws enacted in 2021 that provide for consumer rights that are similar, but not identical, to those in the CCPA, CPRA and VCDPA. Complying with these varying requirements will be challenging, but starts with understanding of how they differ so that standard operating procedures can be developed to help ensure compliance with each.