Updated: Dec 7, 2020
Since the law became applicable in January 2020, almost a third of all consumer requests under the California Data Privacy Law (CCPA) relates to data deletion (the right to be forgotten).
In this post, we will discuss:
Part I: What is the 'right to deletion' under CCPA;
Part II: What are the best practices for organizations to comply with deletion requests.
Changing the regulatory landscape and new rights, the boom in deletion requests
Just as its European counterpart GDPR, California Consumer Privacy Law (CCPA) restores control over consumer data to individuals by introducing extensive rights and imposing stringent requirements on businesses dealing with personal data.
By providing new data subject rights such as the right to access, right to data portability, right to opt-out of sale, and right to deletion, CCPA enables individuals to exert more control over the collection, use, and sale of their personal information such as social security number, driver's license number or home addresses.
Since the new law came into force, data subjects have swamped businesses with requests to delete, access, or stop selling their private data by exercising their respective rights under the CCPA.
Following the 'do not sell my personal information' requests, which comprised 50% of all claims made under the CCPA in 2020, deletion requests are the second most common type: 31% of all data subject requests were related to deleting personal data.
What is the time limit to answer deletion requests?
According to section 1798.105 CCPA, a consumer can demand that an organization delete her personal information from its records.
CCPA allows 45-days to accept or deny the deletion request, starting on the day the business receives the request.
Once a deletion request is received, an organization can conduct a verification check on the person that requests fulfilling the deletion request. If the data subject's identity is not verified, the receiver can refuse the request per CCPA.
Cybercriminals are taking advantage.
Since the entry into force of the CCPA, an increasing number of fraudsters have attempted to access personal information by impersonating consumers: 40% of all data subject requests are estimated to be non-verified, a scary statistic.
Depending on the degree of data sensitivity in question, businesses will have to establish either a reasonable or high degree of certainty to verify the identity.
Will Third-Party service providers have to delete data as well?
An organization that receives a deletion request will have to direct a partner service provider to do the same. Service providers that store personal data may include web-hosting and CRM providers. If, for instance, an e-commerce business stores the credit card details of a consumer on a cloud service provider's server, it will have to notify the relevant cloud provider of the deletion request received.
Once a service provider such as a cloud solution provider receives such a direction from a party with a direct customer relationship, it also has to delete personal data as per the original deletion request.
What type of data is covered by 'right to deletion'?
Every business collects personal data from various sources such as directly from the consumer, via cookies, scraping data from public records, or buying data from data brokers. Contrary to the EU's General Data Protection Regulation(GDPR), which does not distinguish between personal data sources regarding the right to deletion, CCPA adopts a different position. The right to have personal data deleted only applies to personal data that a consumer provided. Data collected from other sources such as data brokers are outside the reach of deletion requests under California Data Privacy Law.
Let's illustrate. Companies such as Facebook and Amazon that directly collect personal data from consumers are subject to CCPA's right to deletion. However, any company scraping address details from public records (white pages) or purchasing credit reports from data brokers are not affected by deletion requests.
Do you have to delete all data permanently?
Data is usually scattered across so many different systems, databases, and more often than not on multiple third-party servers (AWS, Azure). The situation is further exacerbated by the fact that data is also stored on back-up systems and archived.
When GDPR came into force, the right to deletion required thoroughgoing erasure of personal data from every system where it could reside, and this includes erased from back-up and archives. Furthermore, the erasure must be irreversible.
CCPA imposes a more relaxed obligation because an organization only has to delete personal data from active systems. Personal data can stay in a back-up system as long as it is not disclosed, used, or sold.
BEST PRACTICES TO COMPLY WITH RIGHT TO DELETION REQUESTS
Failure to fulfill deletion requests may expose an organization to fines as high as '$2,500 per violation or $7,500 for each "intentional" violation'. In addition to financial risks, not satisfying consumer requests erodes consumer trust in the business, lessens consumer satisfaction, and may even harm its reputation.
Implementing the following steps will help compliance efforts with data deletion requests:
Know your data
If you do not have a complete picture of what personal data you collect and where it is stored, you cannot fulfill deletion requests according to the rules specified in CCPA.
Personal data can be easily copied and often scattered across multiple IT systems, in structured and sometimes even unstructured databases, third-party servers, and devices. Storing sale order details on Amazon servers or sharing the previous employment history of a job applicant with various internal departments are a few examples of where it is hard to keep track of someone's personal data.
Suppose you don't have a data inventory and have not implemented data mapping software for personal data you hold. In that case, you are unlikely to have the capability to fulfill deletion requests as per CCPA. If personal data stays active even only on one location, the deletion request is deemed incomplete, and you run the risk of facing penalties.
Some of the processes that solid data governance requires are all about understanding the data you have.
Establishing a data inventory and data mapping enables you to:
Determine which channels your data originates from, e.g., online forms, applications, data brokers, on-premise CCTVs, or call center records;
Identify the types of data your organization has about individuals such as IP information, biometrics, address details, and purchase history;
Have a complete overview of where your data assets are stored, whether on-premise systems or third-party clouds.
Adopt policies for identity verification
There is a delicate line between implementing appropriate processes to verify identity and making it overly burdensome to handle the right to deletion. The latter may even lead to violating the right to deletion and facing fines.
Considering that cyber-criminals are increasingly exploiting the data subject access requests via impersonation, verifying the requesting party's identity has become a central issue.
Setting up systems such as two-factor authentication and logging may be effective at preventing fraudulent activities.
Implement policies to check if the deletion request is valid
The right to request personal data deletion is not absolute and limited under nine exemptions specified in CCPA. These exceptions to data deletion include 'completing a transaction,' 'freedom of speech' and 'legal compliance.'
Among those nine exceptions, only a few of them may apply to business. By determining standard exceptions, you can rely on to reject deletion requests; you can adopt a standard policy across your organization and automate the process.
For instance, if you sell vacuum cleaners via an e-commerce store, you may reject requests to delete personal data because you have a 6-month warranty period. You will not be able to honor this warranty policy without keeping personal data during this period. Therefore, it is essential to have a clear roadmap for handling deletion requests and deciding on the validity of deletion requests. Who will be authorized to judge a deletion request? Who will complete it and document it?
By setting up a robust policy to determine the validity of the request, you are better able to avoid unnecessarily deleting data and applying exemptions correctly.
Review your Privacy policies and set up methods to submit deletion requests
Moreover, CCPA also imposes on organizations the obligation to offer at least two different methods to make data deletion requests. One of these must be a toll-free phone number. Updating your existing privacy policies and auditing the existing mechanisms to submit deletion requests can facilitate the process and shield you from non-compliance.
Keeping proper records of deletion requests, creating a logging system, and establishing communication channels are also essential to eliminate the risk of future disputes and violating consumer rights.
Review your technical capacity to complete the deletion request
CCPA does not mandate a hard deletion - where all personal data must be erased - from your records permanently. On the contrary, you can fulfill the deletion request by aggregating personal data or applying de-identification techniques. Ensuring that you can use those alternative technologies instead of 'hard deletion' can ensure that you satisfy deletion requests within the prescribed 45 days.
Another technical concern you should have relates to the granular character of deletion requests. Deleting personal data of just one data subject from multiple databases or even only a few available data about an individual may break your system or cause discrepancies across your datasets.
Ensuring that you have the technological solutions working properly is thus vital. See our article about Privacy-by-design for more on this subject.
Compliance with data deletion requests under the California Data Privacy Law requires implementing robust policies and technologies. Failure to fulfill deletion requests not only exposes you to regulatory action by the Attorney General but also tarnish your reputation and erodes consumer trust.