This post does not reflect amendments to the California Consumer Privacy Act (CCPA) enacted on October 11, 2019. Check back for updates or follow this blog.

In our third FAQs installment on the California Consumer Privacy Act of 2018 (the “CCPA” or the “Act”), we focus on the following: (4) the right to delete personal information; (5) the right to equal service when a consumer exercises a CCPA right; service provider and third-party implications; and miscellaneous requirements related to transactions.

For more information on the CCPA, you may visit our previous FAQs on the basics of the Act and the right to know, access, and opt out of the sale of personal information, as well as the alert we drafted shortly after the CCPA’s enactment.


(4) The Right to Delete Personal Information

Generally speaking, what does the “right to delete” entail?

Section 1798.105 of the CCPA obligates a business: (1) to disclose the consumer’s right to request the deletion of his or her personal information[3]; and (2) in response to such a request, to delete a consumer’s personal information in its possession and, if applicable, to direct its service providers to delete information in their possession[4].

What steps must a consumer take to exercise this right?

A consumer that wishes to exercise this right must submit a “verifiable consumer request” to the business by providing sufficient information to allow the business to verify his/her identity. The CCPA does not require businesses to respond unless the business can verify that: (1) the request comes from the consumer or someone acting on the consumer’s legal behalf; and (2) the business has actually collected information on that consumer. Importantly, a business cannot require a consumer to create an account with the business in order to make a request to delete.

The CCPA provides that a consumer can make a request through a method that the business has established for ensuring compliance with the CCPA (e.g., a toll-free telephone number or internet site).[5] If the request is made using a consumer’s password protected account with the business, the CCPA considers that a verifiable consumer request. The CCPA states that a verifiable consumer request is one that a “business can reasonably verify, pursuant to regulations adopted by the Attorney General.”[6] Because businesses must be able to “reasonably verify” the request, the CCPA does not require businesses to take every step possible to verify the request, but rather requires businesses to make a good faith effort.

The Act, however, does not provide any additional guidance regarding what is “verifiable.” Either clarifying legislation or the California Attorney General (“AG”) will need to define what constitutes “verifiable.” As such, we will have to keep an eye out for upcoming regulations and guidance from the AG.

Can consumers “pick and choose” the personal information a business is required to delete?

The Act indicates that consumers have the right to request that a business delete any personal information about the consumer that the business has collected from the consumer.[7] As such, it appears that consumers can require partial deletions.

What happens if a business makes a mistake and does not delete all of a consumer’s personal information, as requested?

On the surface, many people believe that deleting computerized data is a simple process – “click delete” and the data disappears. However, in today’s IT-centric economy, data is cheap and plentiful, and organizations tend to frequently mirror, back up and replicate data (including personal information). As businesses often hold multiple copies of personal information in different locations, a business may not know exactly where all of the personal information it holds resides. The issue is more complicated under the Act because businesses must also ensure that their service providers locate and delete personal information. As such, for many companies mistakes are inevitable.

Unfortunately, such mistakes can lead to penalties of up to $7,500 per violation of the Act.[8] The Act only empowers the AG to bring actions.[9] At this juncture, it is unclear whether the AG’s office will use its discretion to impose a “strict liability” standard for Act violations, or impose a more lenient “good faith” or “reasonable compliance” standard when it comes to deletion. Perhaps more troubling is the possibility that the California plaintiff’s bar will attempt to use the Act’s deletion provision to support private causes of action (e.g., negligence claims) in a class action setting.

What must a business do after it receives a request to delete?

In response to a request to delete, a business should:

  • verify the consumer’s request;
  • delete the requested information; and
  • direct its service providers (if any) to delete the requested information (and ideally obtain appropriate confirmation of the same).

While the Act does not require it, to close the loop on a business’s response to a request to delete, a business should consider providing consumers with a confirmation that indicates that the business deleted the requested information.

How quickly must a business delete the personal data after it receives a verified consumer request?

The Act does not explicitly indicate a timeframe for deletion. Section 1798.130(a)(2) purports to apply to the right to deletion (as well as the Act’s other rights), and imposes a 45 day deadline. However, this provision appears to relate to the right to access/obtain personal information. This provision requires businesses to “[d]isclose and deliver the required information…” to the consumer within 45 days of receipt of a verifiable request. This language does not appear to correspond to the right to delete because the CCPA imposes no obligation on a business to deliver information to a consumer in response to a request to delete.

Does the Act specify how businesses must delete personal data?

The CCPA does not specify how a business should delete a consumer’s personal information.[10] We anticipate the Legislature or AG will clarify the compliance requirements and could adopt commonly accepted deletion standards such as the “DoD Standard” or a “NIST” standard for data deletion. If the Legislature or AG mandates a more rigorous deletion standard, the costs to comply with the Act could increase significantly.

Can a business refuse to fulfill a verifiable request to delete personal information?

Generally, the answer is “no,” unless one of the exceptions outlined in the Act applies.[11] A business is not required to comply with a consumer’s deletion request when it is necessary to maintain the personal information to:

  • complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer;
  • detect and maintain information security;
  • debug to identify and repair errors;
  • exercise a right provided by law;
  • comply with the California Electronic Communications Privacy Act;
  • engage in public or peer-reviewed scientific, historical, or statistical research in the public interest when deletion would render it impossible or seriously impair the achievement of such research;
  • enable solely internal uses that are reasonably aligned with the consumer’s expectations based on the consumer’s relationship with the business;
  • comply with a legal obligation; or
  • otherwise use the consumer’s personal information internally in a lawful manner that is compatible with the context in which the consumer provided the personal information.[12]

It seems that satisfying deletion requests could get expensive. Can businesses charge consumers for these deletion activities?

Generally, no. However, the CCPA allows a business to charge a reasonable fee for administrative costs associated with responding to a request to delete if a consumer’s requests are manifestly unfounded or excessive.[13] While neither term is defined in the Act, the Act mentions the “repetitive character” of requests as a factor for identifying unfounded or excessive requests. Businesses bear the burden of demonstrating that a verified request meets those standards.

For the first exception to the right to delete, what does the Legislature mean by “reasonably anticipated within the context of a business’s ongoing business relationship with the consumer”?

Putting aside the fact that this exemption does not actually form a proper sentence when read in conjunction with the opening qualifier, this provision, like many other CCPA provisions, leaves room for interpretation. The CCPA does not define the phrase “ongoing business relationship”, and if a consumer wants a business to delete all of his/her personal information, it is not clear how their relationship would be considered “ongoing” (the Act separately provides exemptions for the ongoing provision of goods and services, transaction completion and contract performance). Overall, this exemption illustrates the “Catch-22” inherent in responding to a request to delete when a consumer may still have a “business relationship” with a business.

Does the final exception to the Act’s request to delete “swallow the rule”?

While it does not fully “swallow” consumers’ deletion rights under the Act, the final exception may result in a material carve out. The final exception allows a business to maintain a consumer’s personal data in the face of a deletion request in order to: “otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the personal information”[14]. In essence, this exception turns a deletion request into a use limitation. Any internal personal data uses that are consistent with the context of the original personal information transfer are permissible. For example, if a consumer were to sign up for an offer to receive a newsletter from a business (i.e., the context of the disclosure), in the face of a request to delete all personal information, the business arguably may continue to maintain the personal information necessary to provide that newsletter to the consumer (name and email address). Similarly, in this example, the exception suggests that the hypothetical business could no longer use the same email address for a “secondary use” (e.g., to send a marketing email or sell it to a data broker) not part of the context of the original disclosure.

How does the CCPA’s right to delete compare to the European General Data Protection Regulation’s (“GDPR”) right to erasure?

In the background of the CCPA’s enactment, there has been quite a bit of fear generated in the business community that the CCPA is equivalent to the GDPR. While the two rights are similar, as another commentator has noted, the two laws are distinct in some respects. For example, unlike the GDPR, the CCPA does not obligate a business to delete personal information in its possession when the personal information is no longer necessary for the business purpose for which it was obtained or otherwise processed.[15] Further, the CCPA allows a business to maintain personal information for internal purposes so long as such use is: (i) reasonably aligned with the consumer’s expectations based on the consumer’s relationship with the business; or (ii) lawful and compatible with the context in which the consumer provided the information.[16] The GDPR does not allow a business to keep the data internally upon receiving a consumer’s request “to be forgotten.”[17]

If a business complies with the GDPR’s right to erase, does it also comply with CCPA’s right to delete?

Unfortunately, differences exist between the GDPR and the CCPA that will require a business to pay close attention to the laws’ differing operations. For example, the GDPR allows a business to refuse a request to erase personal data if it is in the interest of public health.[18] Unfortunately, the CCPA contains no functional equivalent. Thus, a business could have different legal obligations as to the request to erase/delete information under the GDPR and CCPA respectively. Another commentator has compared certain GDPR and CCPA aspects to highlight additional differences in the laws.

Do businesses need to delete information in “hardcopy” or other non-electronic formats?

The Act does not differentiate between personal information stored in electronic and non-electronic formats. As such, all businesses subject to the Act must determine how to delete personal information in different storage mediums. This includes data stored for historical, back-up, and disaster-recovery reasons, which can be difficult to find, access and delete. To achieve CCPA compliance, businesses will have to create detailed personal information data inventories and processes to enable data deletion.

We expect businesses to carefully scrutinize and utilize some of the Act’s deletion exceptions (such as internal use only for which the business informed the consumer at the point of collection) to avoid the burden associated with some of these deletion efforts.

How does a business ensure that its service providers delete personal information in their possession?

The CCPA only obligates a business to direct, as opposed to ensure, that a service provider deletes the information in that service provider’s possession.[19] However, one could envision regulators arguing for a higher standard of due diligence around service provider deletion requests. Moreover, the failure of service providers to actually delete personal information could lead to legal risk or liability for a business. Thus, it will be vital for businesses to contractually specify their service providers’ obligations to assist with and respond to requests to delete. This includes specifying the process and standards for deletion, requiring a confirmation or certification of deletion, and imposing audit rights to allow the business to confirm deletion. In addition, businesses should document their direction to the service provider, the steps taken to achieve compliance with the Act, and any certifications or confirmations received from the service providers.

What steps should a business take to enable it to comply with the right to delete?

To comply with the requirements related to the Act’s right to delete, businesses will have to gain a better understanding of their personal information inventory, and make both organizational (e.g., policies and processes) and technical changes to enable an appropriate response to deletion requests, including:

  • conducting a detailed personal information inventory and mapping to determine the location of personal information that may need to be deleted, which may include various automated solutions designed to locate personal information residing on a network;
  • creating a data classification system in order to identify and track personal information subject to deletion rights;
  • developing legal positions and approaches related to the deletion rights and the scope of the business’s obligations, including determining the applicability and scope of exceptions that may apply, and the “standard of care” a business should strive to achieve;
  • ascertaining the appropriate standard for deletion, and how to operationalize that deletion standard;
  • implementing appropriate information technology solutions to effectuate deletion requests;
  • developing policies and procedures — including employee training[20] — for informing consumers of their right to delete and responding to a consumer’s request to delete; and
  • maintaining two or more designated methods for a consumer to exercise the right to delete; at least one of these methods needs to be a toll-free number at which the consumer can make his/her request, and if a business has a website, it will need to provide a contact method on the website.[21]

(5) The Right to Equal Service When a Consumer Exercises a CCPA Right

Generally speaking, what does the “right to equal service” entail?

When a consumer exercises one of his or her rights under the CCPA, subject to certain exceptions, businesses may not “discriminate against” that consumer. Specifically, in response to a consumer’s exercising his/her rights under the CCPA, a business cannot, without limitation:

  • deny goods or services to the consumer;
  • charge different prices or rates for goods or services;
  • provide a different level or quality of goods or services to the consumer; or
  • suggest that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.[22]

For example, if a consumer opts out of the sale of his/her personal information by his/her internet service provider, the provider arguably cannot then slow data transmission speeds for this consumer.

Are there any exceptions to the obligations imposed by the right to equal service?

Yes, the Act indicates that businesses can charge a different price or rate, or provide a different quality of goods or services, but only if that difference is “reasonably related to the value provided to the consumer by the consumer’s data.”[23] Under another exception, the Act also allows businesses to treat consumers differently if the difference is “directly related to the value provided to the consumer by the consumer’s data.”[24] At this juncture, it is unclear how to reconcile the different (yet similar) standards in these two exceptions, and we suspect that most businesses will choose to be governed by the broader standard (i.e., “reasonably related”).

In addition, businesses can offer financial incentives (including monetary payments) “for the collection of personal information, the sale of personal information or the deletion of personal information”[25]. The financial incentives, however, cannot be unjust, unreasonable, coercive or usurious in nature[26]. Businesses must provide notice of the material terms of any such financial incentive program and obtain prior “opt-in” consent. The consumer, at any time, may revoke that consent.

It seems that the Act simultaneously prohibits and allows discrimination based on a consumer’s exercising his or her rights under the Act. Which is it?

As at least one commentator has written, the CCPA provisions on discrimination “are unclear and somewhat contradictory.” As a starting point, however, the Act’s references to prices and services are only examples of prohibited discrimination under the Act. The exceptions summarized above only apply to differentiation around the price/rate or quality/level of goods or services provided to the consumer, as well as opt-in financial incentives for the collection, sale or deletion of personal information. There are no exceptions for other types of discrimination.

The applicability of these exceptions will come down to whether the:

  • price or service difference is “reasonably related to the value provided to the consumer by the consumer’s data” (or directly related, depending on the provision one chooses to follow); or
  • consumer has opted in to receive financial incentives that are not unjust, unreasonable, coercive or usurious.

How can a price or service quality be “reasonably related to the value provided to the consumer by the consumer’s data”?

None of these terms or concepts are further defined or elaborated upon under the Act.

Where price or service-level discrimination is “reasonably related” to the value provided to the consumer (such as for interest-based advertising campaigns), a business may be able to provide different services (such as targeted advertisements).

Does the right to equal service generally prohibit a business from differentiating among consumers based upon their personal information?

Historically, US law has not generally prohibited businesses from offering different goods and services to consumers based on the personal information they do (or do not) provide. The CCPA does not change this general proposition. Here, so long as the discrimination does not arise out of a consumer’s exercise of his or her rights under the Act, price and service differences based on a consumer’s personal information are not generally prohibited.

What obligations, if any, does the CCPA impose on a business that offers financial incentives to a consumer for use of personal data?

In order to provide financial incentives to consumers for the use of their personal information, a business must provide notice to the consumer of the financial incentives.[27] The consumer must opt-in to the financial incentive program with the ability to revoke such consent at any time.[28] The financial incentives may not be “unjust, unreasonable, coercive, or usurious in nature.”[29]

Service Provider and Third-Party Implications

The CCPA appears to make a distinction between “service providers” and “third parties”. What is the difference between the two?

The Act distinguishes between service providers and third parties. Service providers are information processors that receive personal information from the business and process the data in accordance with the terms of a written contract with the business. Service providers are not permitted to retain, use or disclose the personal information for any purpose other than to meet the terms of the contract with the business. Consumers cannot opt out of the transfer of their personal information to service providers, only to third parties. A third party is any person or entity that receives a consumer’s personal information from the business that is not: (a) part of the business or (b) a service provider. In short, third parties are entities that may use personal information for their own means and purposes.

What obligations does the CCPA impose on a business that uses service providers with regard to consumers’ personal information?

The CCPA requires a business to contractually prohibit its service providers from retaining, using, or disclosing the consumer’s personal information for any purpose other than performing the services specified in the contract.[30]

Can a business be liable for its service provider’s misconduct?

If a service provider uses personal information in violation of the Act, a business is not liable for such misconduct under the CCPA if the business: (i) has a written contract with the service provider that complies with the Act; and (ii) at the time it discloses the personal information, does not have actual knowledge or reason to believe that the service provider intends to violate the Act.[31]

Generally, what are a business’s obligations with respect to selling personal information to a third party?

The Legislative Report associated with the CCPA reveals that the sale of personal information to third parties motivated the Legislature to pass the CCPA. Not surprisingly, the CCPA attempts to address the circumstances under which a business may sell personal information to a third party. For example, prior to selling personal information to a third party under the CCPA, a business must provide notice to the consumer and the option to opt-out of such sale or disclosure.[32]

Can a third party resell personal information about a consumer without providing a separate notice and an independent opportunity to opt-out?

Under the CCPA, a third party can resell personal information it receives from a business when the consumer — whose personal information is at issue — has received explicit notice about the potential resale and is provided an opportunity to exercise the right to opt-out of the resale.[33] The Act appears to indicate that third parties may rely on the original CCPA notice and opt-out provided by the business for the sale of personal information.[34] However, there is some risk for third parties that do not provide their own notice and opt-out opportunity. For example, if the original notice and opt-out provided by a business was not CCPA-compliant, reliance on it may be problematic. In addition, third parties may have no way of knowing whether an individual has opted out at the time the opt-out is made available, or in situations where the opt-out has been exercised after a business has sold personal information to a third party.

Do any distinctions exist between the GDPR and CCPA’s respective provisions with regard to service providers?

Not surprisingly, businesses and commentators have analyzed and compared the two data privacy regimes in an attempt to understand the overlap and potential interaction between the GDPR and CCPA. Generally, we tend to agree with at least one commentator’s view that the GDPR is more expansive than the CCPA with respect to service provider requirements. For example, the CCPA only requires businesses to contractually prohibit service providers from retaining, using, or disclosing the personal information other than for performing the services for the business as identified in the contract. In contrast, the GDPR is much more comprehensive and mandates several additional contractual obligations (e.g., the parties must define the nature, duration, and type of processing; sub-processing obligations; obligations with respect to data subject rights requests; obligations with respect to data breach response; and obligations with respect to responding to supervisory authority inquiries).[35] That said, a GDPR-compliant data processing agreement (with perhaps a few tweaks) will likely satisfy the more limited obligations set forth in the CCPA.

Miscellaneous Requirements Related to Transactions

Does the CCPA impose any obligations on a third-party that acquires personal information during a merger, acquisition or other corporate transaction?

The CCPA, absent notice to the consumer, obligates a business acquirer to continue to handle personal information in the same manner as did the selling business.[36] If a business acquirer “materially alters” how it uses or shares a consumer’s personal information in a manner that is “materially inconsistent” with the promises made at the time of collection, the CCPA obligates the business acquirer to provide to the consumer prior notice of the new or changed practice.[37] The transfer of personal information as described above in a mergers and acquisitions context is not considered a “sale” under the CCPA, and therefore consumers do not have a right to opt out of such a transfer.

What does the CCPA mean when a business acquirer makes a “material” change in the mergers and acquisitions context?

The CCPA’s qualifying language allows businesses some breathing room as to personal information processing changes. While the CCPA does not define the term “material,” the term likely is designed to capture changes that do not align with the reason the consumer provided the personal information at the time of collection. For example, if a notice did not indicate that personal information collected about a consumer would be sold to other businesses and a business acquirer begins to sell personal information to other businesses, such a change would likely be “materially inconsistent” with the prior notice. To combat these restrictions on future use, a business should consider drafting broad privacy notices that allow it maximum flexibility in any potential future organizational change.

Can a business share personal information with a third party business acquirer for due diligence purposes prior to a merger or acquisition?

While the CCPA addresses the disclosure of personal information to a third party due to a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control (a “sale” under the CCPA), the Act is silent as to a business’s “pre-sale” due diligence activities.[38] Therefore, to reduce legal risks in the mergers and acquisitions context, a business’s privacy notice to the consumer should indicate the potential for such a disclosure.[39]

Is a selling business required to obtain assurances from a business acquirer regarding the latter’s use of personal information?

The CCPA is ambiguous on this point. Specifically, the definition of “sale” under the CCPA does not include the transfer of personal information to an acquiring business (or allow a consumer to opt-out) if the business acquirer “uses or shares” personal information consistently with CCPA’s disclosure requirements, i.e., the selling business’s notices to consumers.[40] At the time of the corporate transaction, however, a business seller generally may not know how a business acquirer will use or share personal information in the future. This creates a “catch-22.” Therefore, as one commentator has noted, it may be incumbent upon the target business to obtain written assurances from a business acquirer that the latter will comply with the CCPA.

Notes

[1] Cal. Civ. Code § 1798.105.

[2] Id. at § 1798.125.

[3] Id. at § 1798.105(b).

[4] Id. at § 1798.105(c).

[5] Id. at § 1798.130(a)(1).

[6] Id. at §1798.140(y).

[7] Id. at § 1798.105(a).

[8] Id. at § 1798.155(b).

[9] Id. at § 1798.155(a).

[10] See generally id. at §§ 1798.105, 1798.130.

[11] Id. at § 1798.105(d).

[12] Id.

[13] Id. at § 1798.145(g)(3).

[14] Id. at § 1798.105(d)(9).

[15] GDPR, Art. 17(1)(a).

[16] Cal. Civ. Code §§ 1798.105(d)(7), (9).

[17] See generally GDPR Art. 17(1).

[18] GDPR, Art. 17(3)(c).

[19] Id. at § 1798.105(c).

[20] Id. at § 1798.135(a)(3).

[21] Id. at § 1798.130(a)(1).

[22] Id. at § 1798.125(a)(1).

[23] Id. at § 1798.125(b)(1).

[24] Id. at § 1798.125(a)(2).

[25] Id. at § 1798.125(b)(2).

[26] Id. at § 1798.125(b)(4).

[27] Id. at § 1798.125(b)(2).

[28] Id. at § 1798.125(b)(3).

[29] Id. at § 1798.125(b)(4).

[30] Id. at § 1798.140(v).

[32] Id. at §§ 1798.110(c)(4), 1798.115(c), 1798.120(b).

[33] Id. at § 1798.115(d).

[34] Id. at § 1798.120(b).

[35] GDPR, Art. 28.

[36] Cal. Civ. Code § 1798.140(t)(2)(D).

[37] Id.

[38] See generally id.

[39] Id. at § 1798.100(b).

[40] Id. at § 1798.140(t)(2)(D).

Contributors

Andrew Epstein

David Navetta

Posted by Cooley