'Most Innovative Startup 2020' by RSA - Watch the videoLearn More
Published on May 26, 2021 AUTHOR - PRIVACY RESEARCH TEAM
Ever since the GDPR came into effect on May 25th, 2018, there were speculations on what sorts of impact it may have on businesses. Nearly 2 years later, with cumulative fines totalling a whopping €466,681,568, there is no doubt about GDPR’s financial impact on non-compliant organizations.
Judging by the impact of GDPR, compliance with CCPA is going to be a critical undertaking for every company falling under its ambit. With respect to fines, GDPR has an upper cap of 4% of global turnover as the highest penalty whereas CCPA has no upper cap and fines can go up to $750 per incident in cases of breach and even higher in cases where the Attorney General of California brings a civil action for violation of the CCPA requirements. Thus the CCPA can potentially cost businesses millions of dollars in penalties.
For example, if the Equifax breach of 2017 that affected 147M people, including approximately 15M Californians, had happened AFTER the implementation of CCPA, Equifax would have had to pay up to $11 Billion in fines and penalties, compared to a paltry $425M that it had to ultimately pay for settlement.
Therefore, compliance is absolutely critical as the CCPA ensures that consumers know everything about their data rights and how they can exercise those rights. These include:
The “Right to Deletion Under CCPA” mandates that if a consumer makes a verified request to the business to delete his or her personal data, the business is legally required to delete the requestor’s personal information from all of its data stores and direct any service providers to delete the personal data as well. In other words, once a consumer requests an organization to delete their data, the organization has a specific period of time to fulfill this request after proper verification. This is true with a few exceptions detailed in the subsequent section.
The CCPA and corresponding requirement to honor the right to deletion only applies to organizations doing business with or providing services to Californians, and meet one of the following conditions:
A business that receives a data deletion request will need to take reasonable actions to accurately verify the authenticity of the request and respond to the consumer if it has accepted or denied the request.
Section 1798.145(g)(1) provides organizations 45 days to respond to a verifiable consumer request. This period may be extended by another 45 days where necessary based on complexity and volume of requests. Organizations must inform the consumer of the extension within 45 days of accepting the verified request. If the organization is not going to delete the information, it must inform the consumer without delay (and under no circumstances beyond the time period permitted for a response), the reason for declining the request along with any information on the right to appeal this decision.
Businesses may only charge a fee to a consumer for the right to delete under CCPA if the consumer’s requests are deemed to be excessive in nature. If a consumer engages in repetitive requests that the business can demonstrate are excessive, it may either charge a reasonable fee or decline the repetitive request(s).
In responding to a request to delete, a business may present the consumer with the choice to delete select portions of their personal information only if a global option to delete all personal information is also offered and more prominently presented than the other choices.
If a business that denies a consumer’s request to delete sells personal information and the consumer has not already made a request to opt-out, the business shall ask the consumer if they would like to opt-out of the sale of their personal information and shall include either the contents of, or a link to, the notice of right to opt-out.
There are several exceptions to the right of deletion that organizations can leverage to deny the request. These exceptions can be invoked, for example, if it is necessary for the organization to retain the personal information on the basis of one or of the following:
In cases where a business denies a consumer’s request to delete under a specific exception, the business shall undergo the following process:
Complying with the right to deletion requests under CCPA using manual methods requires a lot of time, resources and capital. Even then, organizations may risk non-compliance because of human error.
This could be a financial disaster for organizations and tarnish their reputation. To avoid non-compliance and fulfill these requests in a cost-effective and productive manner, organizations can deploy privacy management solutions that utilize automation to reduce request fulfillment time, effort, error, and costs.
Securiti is the pioneer in deploying artificial intelligence and robotic automation for privacy compliance. Judged “Most Innovative Startup 2020” by RSA, Securitii offers organizations with a solution that will help them automate their entire privacy compliance ecosystem, including right to deletion requests. Schedule a live demo today and see for yourself how Securitii can get your business ready for compliance with CCPA.