Data Protection Report - Norton Rose Fulbright

Following Europe’s lead and several recent high-profile scandals involving the use of personal information, California passed the California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020. (You can find our coverage of it here.) The law, the first of its kind in the US, is an omnibus privacy law for the State of California that grants individuals new rights in connection with their data, including a right to erasure.

The “Right to Erasure”, or right to deletion, more famously known as the “Right to be Forgotten”, is not a new right. Its origins stretch back to the pre-GDPR era, when Mario Costeja González complained to the Spanish data protection authority about Google search results for his name that linked to old newspaper notices describing his earlier financial troubles. According to Mr. Costeja, the links were no longer relevant and were damaging to his reputation. The Court of Justice of the European Union (“CJEU”) held that a search engine operator is, in principle, obliged to remove links to pages containing personal data that is inadequate, irrelevant or no longer relevant, or excessive. This right was later codified in GDPR, subject to limitations, such as where the data is still needed for the purpose for which it was collected (completing a transaction, for example) or must be retained to comply with a legal obligation.

Now California has enacted its own version of this right. The relevant portion of the CCPA grants consumers the right to request the deletion of personal information a business has collected from them, and businesses subject to the law must disclose this right to consumers. Following a recent amendment, the right need only be disclosed to consumers in a “form that is reasonably accessible.” Before the amendment, it had to be disclosed in the business’s privacy policy or on its website.

As under GDPR, the right to deletion under the CCPA is not unlimited. Many of GDPR’s limitations are mirrored in the California law, which sets out grounds on which a business can refuse a deletion request. Those include when the information is:

  • Needed to complete the transaction for which it was collected or is needed to provide goods or services requested by the consumer
  • Used in the context of the business relationship with the consumer
  • Required to perform a contract
  • Used to detect security incidents and protect against malicious, fraudulent or illegal activity
  • Needed to engage in scientific, historical, or statistical research in the public interest
  • Used solely for internal uses that are reasonably aligned with the expectations of the consumer
  • Required to comply with a legal obligation or applicable laws

The CCPA also exempts requests that would interfere with a business’s ability to “exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.” This so-called First Amendment exception is not always in play under other data protection laws, although something similar did come up in Mr. Costeja’s case: the CJEU recognized the right to be forgotten and required Google to remove the links, but the newspaper’s original notices, which the Spanish data protection authority had found to be lawfully published, did not have to be taken down. In the US, because of the First Amendment and a long tradition of protecting speech over competing privacy interests, this exception may be interpreted broadly.

Our take

When many people consider the right to be forgotten, they first think of consumers having information deleted from search engines and websites. The right to deletion, however, is not so narrowly construed and will potentially have significant implications for all organizations, as employees and other individuals seek to limit the amount of data companies retain about them. This is already happening under GDPR.

The right to deletion, along with the other rights the CCPA provides, will therefore present operational challenges for companies that do business in California. It combines all of the problems of locating a particular individual’s personal data across a company’s IT infrastructure with the distinct challenge of destroying that data where the company is obliged to do so. A company not only needs to find the right personal data, but then needs to determine which of it must be destroyed and which falls under an exception (transaction records kept to meet a legal obligation, for example), and carry out the deletion in a way that does not undermine the integrity of its other data. In a relational database, for instance, the row holding a customer’s identifying details is typically referenced by many other records; hard-deleting it can leave those records orphaned or, where deletes cascade, take retained records down with it.
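To make the integrity problem concrete, here is an added example (ours, not part of the Norton Rose Fulbright article, and not a description of any particular company’s systems). It uses a hypothetical two-table SQLite schema: a customer table holding identifying details and a sale table that references it by surrogate key. A naive hard delete either silently orphans the sales rows (SQLite does not enforce foreign keys unless told to) or is refused once enforcement is on. The alternative shown, overwriting the identifying columns in place so that the retained sales records still resolve, is one common way to honour a deletion request; it assumes, and you must confirm for your own data, that the sales records themselves fall under an exception such as a legal retention obligation and contain no further personal information. All table names, columns, and sample rows are constructed for the example.

```python
import sqlite3

# Constructed schema and sample data for illustration only (not from the article).
SCHEMA = """
CREATE TABLE customer (
    id           INTEGER PRIMARY KEY,
    email        TEXT NOT NULL UNIQUE,
    full_name    TEXT NOT NULL,
    phone        TEXT
);
CREATE TABLE sale (
    id           INTEGER PRIMARY KEY,
    customer_id  INTEGER NOT NULL REFERENCES customer(id),
    amount_cents INTEGER NOT NULL,
    sold_at      TEXT NOT NULL
);
"""
CUSTOMERS = [
    (1, "ana@example.com", "Ana Lopez", "+1-555-0100"),
    (2, "ben@example.com", "Ben Ortiz", None),
]
SALES = [
    (10, 1, 4999, "2019-03-02"),
    (11, 1, 1250, "2019-07-19"),
    (12, 2, 899, "2019-08-01"),
]


def new_db(enforce_fk=True):
    """Build an in-memory database with the sample rows. SQLite ignores
    foreign keys unless PRAGMA foreign_keys is ON; enforce_fk=False shows
    the setting under which a naive delete silently corrupts the data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = %s" % ("ON" if enforce_fk else "OFF"))
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO sale VALUES (?, ?, ?, ?)", SALES)
    conn.commit()
    return conn


def naive_delete(conn, customer_id):
    """Hard-delete the customer row. Returns True if the row was removed.
    With enforcement on, the delete is refused while sales still reference
    the customer; with it off, the delete succeeds and orphans those sales."""
    try:
        conn.execute("DELETE FROM customer WHERE id = ?", (customer_id,))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


def erase_customer(conn, customer_id):
    """Honour a deletion request without destroying the sales ledger: the
    identifying columns are overwritten in place with placeholders, while the
    surrogate key that the retained sales rows reference stays put. Returns
    the number of customer rows updated (1 if the id existed, otherwise 0)."""
    cur = conn.execute(
        "UPDATE customer SET email = ?, full_name = ?, phone = NULL WHERE id = ?",
        ("erased-%d@invalid" % customer_id, "[erased]", customer_id),
    )
    conn.commit()
    return cur.rowcount


def orphaned_sales(conn):
    """Count sales whose customer_id no longer matches any customer row."""
    row = conn.execute(
        "SELECT COUNT(*) FROM sale s LEFT JOIN customer c ON c.id = s.customer_id "
        "WHERE c.id IS NULL"
    ).fetchone()
    return row[0]


def customer_record(conn, customer_id):
    """Return (email, full_name, phone) for a customer, or None if absent."""
    return conn.execute(
        "SELECT email, full_name, phone FROM customer WHERE id = ?", (customer_id,)
    ).fetchone()


def sales_total(conn, customer_id):
    """Sum of retained sales for a customer id; must survive the erasure."""
    return conn.execute(
        "SELECT COALESCE(SUM(amount_cents), 0) FROM sale WHERE customer_id = ?",
        (customer_id,),
    ).fetchone()[0]


if __name__ == "__main__":
    unsafe = new_db(enforce_fk=False)
    print("naive delete, FKs off:", naive_delete(unsafe, 1),
          "orphaned sales:", orphaned_sales(unsafe))
    safe = new_db()
    print("naive delete, FKs on:", naive_delete(safe, 1))
    print("rows erased in place:", erase_customer(safe, 1),
          "record now:", customer_record(safe, 1),
          "ledger total kept:", sales_total(safe, 1))
```

Run with foreign keys off and the hard delete returns True while leaving two sales rows pointing at a customer that no longer exists; with them on it is refused, and the in-place erasure removes the identifying fields while the ledger total for that customer id is unchanged. The same pattern applies to any store with cross-references, not only SQL: decide per record whether it must be destroyed or merely stripped of identifiers before touching anything.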

The good news for companies that already have GDPR compliance programs is that those programs can be extended to California. In addition, the right to deletion will drive a greater emphasis on information governance and records retention, as companies will need better programs to manage data throughout its lifecycle.