Right to delete under California Consumer Privacy Act (CCPA)

Ever since the GDPR came into effect on May 25th, 2018, there were speculations on what sorts of impact it may have on businesses. Nearly 2 years later, with cumulative fines totalling a whopping €466,681,568, there is no doubt about GDPR’s financial impact on non-compliant organizations.

What is Right to Deletion under CCPA?

Judging by the impact of GDPR, compliance with CCPA is going to be a critical undertaking for every company falling under its ambit. With respect to fines, GDPR has an upper cap of 4% of global turnover as the highest penalty whereas CCPA has no upper cap and fines can go up to $750 per incident in cases of breach and even higher in cases where the Attorney General of California brings a civil action for violation of the CCPA requirements. Thus the CCPA can potentially cost businesses millions of dollars in penalties.

For example, if the Equifax breach of 2017 that affected 147M people, including approximately 15M Californians, had happened AFTER the implementation of CCPA, Equifax would have had to pay up to $11 Billion in fines and penalties, compared to a paltry $425M that it had to ultimately pay for settlement.

Therefore, compliance is absolutely critical as the CCPA ensures that consumers know everything about their data rights and how they can exercise those rights. These include:

• The right to access the personal information that a business holds on them
• The right to know the personal information a business plans on collecting at or before the point of collection
• The right to opt in or out of marketing, analytics, and other similar activities
• The right to equal services without discrimination
• The right to request deletion of personal data

Right to Deletion under CCPA

The “Right to Deletion Under CCPA” mandates that if a consumer makes a verified request to the business to delete his or her personal data, the business is legally required to delete the requestor’s personal information from all of its data stores and direct any service providers to delete the personal data as well. In other words, once a consumer requests an organization to delete their data, the organization has a specific period of time to fulfill this request after proper verification. This is true with a few exceptions detailed in the subsequent section.

Eligibility and Verification

The CCPA and corresponding requirement to honor the right to deletion only applies to organizations doing business with or providing services to Californians, and meet one of the following conditions:

1. Have annual gross revenues in excess of $25 million
2. Handle the personal information of at least 50,000 consumers or devices
3. Derive 50 percent or more in annual revenue from selling consumers’ personal information

A business that receives a data deletion request will need to take reasonable actions to accurately verify the authenticity of the request and respond to the consumer if it has accepted or denied the request.

Timeline to comply

Section 1798.145(g)(1) provides organizations 45 days to respond to a verifiable consumer request. This period may be extended by another 45 days where necessary based on  complexity and volume of requests. Organizations must inform the consumer of the extension within 45 days of accepting the verified request. If the organization is not going to delete the information, it must inform the consumer without delay (and under no circumstances beyond the time period permitted for a response), the reason for declining the request along with any information on the right to appeal this decision.

Fees Charged

Businesses may only charge a fee to a consumer for the right to delete under CCPA if the consumer’s requests are deemed to be excessive in nature. If a consumer engages in repetitive requests that the business can demonstrate are excessive, it may either charge a reasonable fee or decline the repetitive request(s).

Options to Delete

In responding to a request to delete, a business may present the consumer with the choice to delete select portions of their personal information only if a global option to delete all personal information is also offered and more prominently presented than the other choices.

Opt-out Option

If a business that denies a consumer’s request to delete sells personal information and the consumer has not already made a request to opt-out, the business shall ask the consumer if they would like to opt-out of the sale of their personal information and shall include either the contents of, or a link to, the notice of right to opt-out.

Exceptions to The Right to Deletion Under CCPA

There are several exceptions to the right of deletion that organizations can leverage to deny the request. These exceptions can be invoked, for example, if it is necessary for the organization to retain the personal information on the basis of one or of the following:

1. Logs, Errors and Cybersecurity: An interesting exemption to the right to deletion granted to businesses by CCPA is the need to maintain server logs of their consumers data in order to prevent and/or detect cybersecurity incidents like malware attacks, spam, phishing, and other fraudulent activities. In addition, consumers’ personal information can be retained if they aid in repair and maintenance of functionalities of various computer programs.
2. Medical Studies & Research: The CCPA also allows organizations to retain personal information of a consumer to primarily aid in medical studies and research that can greatly contribute to a medical cause, provided that:
   • That the impediment caused by erasure of a consumer’s personal information will be substantial
   • That the personal information does not violate a person’s privacy or goes against established societal and cultural norms
   • That the consumer has earlier agreed to have the personal information used for the states purpose
3. Provision of Services: This exemption revolves around a business’s necessity to retain personal information of a consumer that submits a request for deletion to provide a certain level of service that cannot be provided if the person's information is erased. For example, to complete a transaction, perform a contract, or to develop  the existing relationship between a consumer and the business.
4. Searching Personal Online Accounts: In the state of California, if the police want to search an individual’s phone, email or other personal online account, they need to obtain a warrant from the government as per the California Electronic Communication Privacy Act of 2016. The CCPA allows businesses to refuse a right to erase requests of a consumer whose personal online account data has been requested by the police.
5. Miscellaneous: Other exemptions provided to businesses to retain personal information of consumers are to solely use this information for a businesses’ internal processes, to comply with laws and regulations, and for other governmental duties. The key to exemptions is to use personal information in contexts for which the consumer initially consented to and thus are aligned with their expectations.

In cases where a business denies a consumer’s request to delete under a specific exception, the business shall undergo the following process:

• Inform the consumer that it will not comply with the consumer’s request and describe the basis for the denial, including any conflict with federal or state law, or exception to the CCPA, unless prohibited from doing so by law;
• Delete the consumer’s personal information that is not subject to the exception
• Not use the consumer’s personal information retained for any other purpose than provided for by that exception.

Complying with the right to deletion requests under CCPA using manual methods requires a lot of time, resources and capital. Even then, organizations may risk non-compliance because of human error.

This could be a financial disaster for organizations and tarnish their reputation.  To avoid non-compliance and fulfill these requests in a cost-effective and productive manner, organizations can deploy privacy management solutions that utilize automation to reduce request fulfillment time, effort, error, and costs.

Key Takeaway

• CCPA enforcement will likely have a significant financial impact for organizations  that fail to comply
• Organizations have been fined billions of dollars due to non-compliance with GDPR and studies show that this could be the case under the CCPA as well.
• The CCPA gives consumers the right to request deletion of any and all information related to them (apart from the 7 exceptions discussed above).
• Organizations will have 45 days to fulfill this request in order to avoid fines and penalties.
• Adopting modern, purpose-built privacy management solutions that leverage automation to complete data service requests helps organizations reduce time, effort, and costs.

Next Steps

Securiti is the pioneer in deploying artificial intelligence and robotic automation for privacy compliance. Judged “Most Innovative Startup 2020” by RSA, Securiti offers organizations with a solution that will help them automate their entire privacy compliance ecosystem, including right to deletion requests. Schedule a live demo today and see for yourself how Securiti can get your business ready for compliance with CCPA.