Under CCPA, Californians can request to have their personal data deleted, but there are CCPA data deletion exceptions you should be aware of. Not all personal data needs to be deleted.
Who Must Comply with CCPA?
The California Consumer Privacy Act gave Californians new rights over their personal data. Since January 1, 2020, for-profit businesses that operate in California and collect consumers' personal information must comply with CCPA if they meet any one of three thresholds: annual gross revenues above $25 million; annually buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices; or deriving 50% or more of their annual revenue from selling consumers' personal information.
The CCPA Right to Delete
One of the new rights given to consumers is the right to have their personal data deleted. CCPA's definition of personal information is broad: it covers information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
When a consumer exercises the right to delete, the business must respond within 45 days of receiving the request (extendable once by up to a further 45 days where reasonably necessary, provided the consumer is told of the extension), but there are CCPA data deletion exceptions. If some or all of the data will not be deleted, the consumer must be informed without unreasonable delay and no later than 45 days after the request was received. The Attorney General's regulations relax this timescale for archived or backup systems: deletion of personal data held in an archive or backup may be delayed until that system is restored to an active system, or is next accessed or used for a sale, disclosure or commercial purpose. In practice that means recording the identifiers covered by each request, so that a later restore does not silently resurrect records the live systems have already deleted.
When a deletion request is received, the business must take reasonable steps to verify that it was made by, or on behalf of, the consumer the data relates to (a "verifiable consumer request"). An unverified request should not trigger deletion: deletion is irreversible, and a forged request is a cheap way to destroy someone else's records. Once verified, the business must delete the consumer's personal data from its records and direct its service providers to do the same; however, there are 9 CCPA data deletion exceptions.
CCPA Data Deletion Exceptions
Under Civil Code Section 1798.105(d), a business is not required to delete personal data that it needs to keep for any of nine specified purposes:
Completing Transactions and Performing Contracts
Data does not need to be deleted if it is required to complete the transaction for which it was collected, to fulfil the terms of a written warranty or a product recall conducted in accordance with federal law, or to provide goods or services requested by the consumer. The exception also covers uses that are "reasonably anticipated within the context of a business's ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer."
Security, Fraud Prevention and Prosecution
If personal data, such as the IP addresses and account identifiers in server logs, is needed to detect security incidents, to protect against malicious, deceptive, fraudulent or illegal activity, or to prosecute the persons responsible for that activity, it does not need to be deleted. The exception covers only the data those purposes actually need; the presence of a user's identifier in a security log is not a reason to retain the rest of that user's profile.
Debugging
Personal data does not need to be deleted if it is needed to debug, that is, to identify and repair errors that impair existing intended functionality.
Free Speech and Other Legal Rights
The right to delete does not override free speech. Personal data does not need to be deleted where keeping it is necessary for the business to exercise free speech, to ensure another consumer's right to exercise his or her right of free speech, or to exercise another right provided for by law.
Compliance with CalECPA
Personal data does not need to be deleted if it is required to comply with the California Electronic Communications Privacy Act (CalECPA), which governs how government entities may compel access to electronic information.
Other Legal Obligations
Personal data is exempt from deletion if it is required to comply with another legal obligation, such as a statutory record-retention requirement.
Research Conducted in the Public Interest
Personal data used for public or peer-reviewed scientific, historical, or statistical research in the public interest does not need to be deleted, provided the research adheres to all other applicable ethics and privacy laws, deletion would render the research impossible or seriously impair it, and the consumer has previously given informed consent for their personal data to be used for that research.
Expected Internal Uses
Data is exempt from deletion requests if it is required to enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business.
Other Internal Uses
Personal data does not need to be deleted if it is required for other internal uses that are lawful and compatible with the context in which the consumer provided their personal data.
Enforcement of CCPA Compliance
The California Attorney General is tasked with enforcing CCPA and can seek civil penalties of up to $2,500 per violation, or $7,500 per intentional violation. Separately, consumers have a private right of action over data breaches: where nonencrypted and nonredacted personal information is exposed because the business failed to implement reasonable security procedures and practices, the consumer can recover statutory damages of between $100 and $750 per consumer per incident, or actual damages, whichever is greater. This private right of action applies only to such breaches; failure to honor a deletion request is a matter for the Attorney General, not for private suits.