
This is the Data Protection Report’s fifth post in a series of CCPA blog posts that will break down the major elements of the CCPA, which will culminate in a webinar on the CCPA in October. This blog focuses on covered entities. Stay tuned for additional blogs and information about our upcoming webinar on the CCPA.
Following Europe’s lead and some recent high-profile scandals involving the use of personal information, California passed the California Consumer Privacy Act, which goes into effect on January 1, 2020. (You can find our coverage of it here.) The law, the first of its kind in the US, is an omnibus privacy law for the state of California that grants individuals new rights in connection with their data – including the right to erasure.
The “Right to Erasure” or deletion, or more famously, the “Right to be Forgotten” is not a new right. Its origins stretch back to the pre-GDPR era when Mario Costeja Gonzalez sued Google to suppress search results about him that described his earlier financial troubles. According to Mr. Costeja, the links were irrelevant and damaging to his reputation. The Court of Justice of the European Union (“CJEU”) held Google was generally obligated to remove links that were inaccurate, excessive or irrelevant. This right was later codified in GDPR, with limitations such as when the data is necessary to complete a transaction or needed to comply with legal obligations.
Now, California has enacted its own version of this right. The relevant portion of CCPA grants consumers the right to request deletion of their personal information, and entities subject to this law must disclose this right to consumers. Following a recent amendment, this right need only be disclosed to consumers in a “form that is reasonably accessible.” Prior to this amendment, the right had to be disclosed in a privacy policy or on a company’s website.
Like GDPR, the right to deletion under the CCPA is not unlimited. Many of GDPR’s limitations are mirrored in the California law and include grounds on which an entity can refuse a deletion request. Those instances include when the information is:
- Needed to complete the transaction for which it was collected or is needed to provide goods or services requested by the consumer
- Used in the context of the business relationship with the consumer
- Required to perform a contract
- Used to detect security incidents and protect against malicious, fraudulent or illegal activity
- Needed to engage in scientific, historical, or statistical research in the public interest
- Used solely for internal uses that are reasonably aligned with the expectations of the consumer
- Required to comply with a legal obligation or applicable laws
The CCPA also includes an exemption for requests if they interfere with a right to “exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.” This so-called First Amendment exception is a theory not always in play in other data protection laws, although something similar did come up in Mr. Costeja’s case, where the CJEU ultimately decided that while it recognized the right to be forgotten, it did not apply to Mr. Costeja because the articles were in the public interest, and thus did not have to be removed. In the US, because of the First Amendment and a legacy of protecting speech above other privacy-related interests, this exception may be interpreted broadly.
Our take
When many people consider the right to be forgotten, they first think about consumers deleting information from search engines and web sites. However, the right to deletion is not so narrowly construed and will potentially have significant applications in all organizations as employees and other individuals seek to limit the amount of data companies retain about them. This is already happening under GDPR.
Thus, the right to deletion, along with other rights provided by CCPA, will present operational challenges for companies that do business in California. This right combines all of the problems of identifying a particular subject’s personal data within a company’s IT infrastructure with the unique challenges of destroying that data where the company is obligated to do so. A company, therefore, not only needs to identify the right personal data, but also needs to identify which of that personal data it is required to destroy, and then destroy it in a manner that does not undermine the integrity of the company’s other data. For example, deleting data in complex relational databases can not only corrupt the records where that data was found but also create indexing and searching irregularities across the system.
The good news for companies with GDPR compliance programs is that those programs can be extended to California. In addition, the right to deletion will drive a greater emphasis on information governance and records retention as companies will need better programs to manage data throughout its lifecycle.
Our other CCPA articles
Article 1: Summary of CCPA’s major provisions
Article 2: CCPA covered entities
Article 3: CCPA definition of personal information
Article 4: CCPA disclosure requirements
Article 5: CCPA “Right to Deletion”
Article 8: GDPR, CCPA and beyond: Changes in data privacy laws and enforcement risks to monitor in 2019
Article 9: CCPA: “Attorney General Amendment” Likely Dead
Article 10: Nevada, New York and other states follow California’s CCPA
Article 12: Back At The Negotiating Table: CCPA Amendments Debate Continues
Article 13: One-Month Countdown to Pass CCPA Amendments Begins
Article 14: CCPA: “Wait and see” is not the right approach
Article 15: And then there were five: CCPA amendments pass legislature
Article 16: Mic Drop: California AG releases long-awaited CCPA Rulemaking
Article 17: California Governor Signs All 5 CCPA Amendments
Article 18: Here We Go Again: Another Ballot Initiative for CCPA in 2020
Article 19: Privacy Officers’ New Year’s Resolutions
Article 20: State of the Union: CCPA and beyond in 2020