The California Consumer Privacy Act (“CCPA”) is expected to become operative on January 1, 2020 and will usher in a new era of data privacy for consumers across the United States. The CCPA establishes various rights for individuals, most notably the right to know about the collection, sale, and disclosure of their personal information, the right to opt-out of the sale of their personal information, and – the subject of today’s post – a limited right to request that their personal information be deleted.
Under Section 1798.105 of the CCPA, upon receipt of a “verifiable consumer request,” a business must “delete the consumer’s personal information from its records” and direct all of its service providers to do the same. And businesses must tell consumers about this right so they know to invoke it. Easy enough, right? Not really.
The right to deletion has a long list of exceptions. A business does not have to comply with a deletion request if the business needs the consumer’s personal information for a reason related to the business:
(1) providing goods or services to the consumer;
(2) detecting and resolving issues related to security or functionality;
(3) complying with legal obligations;
(4) conducting research in the public interest;
(5) exercising free speech or ensuring another’s exercise of free speech; or
(6) using the information for internal purposes that the consumer might expect.
Let’s run through a hypothetical to explore how these exceptions to the right to delete may operate in practice. Suppose you run an ecommerce website that sells widgets in California. Joe Customer places an order of widgets and, in doing so, provides you with his personal information, such as his name, phone number, birthday, email address, IP address, home address, and credit card information. Sometime after Joe Customer places his order, he discovers that he has been the victim of identity theft and thinks it must have been caused by a breach in your system. Thinking that your system is unsecure (even if it’s not), he sends you a request to delete all of his personal information. How much information, if any, do you have to delete? Not as much as Joe might expect.
First, if you have not yet shipped out the widget, you can retain at least some of Joe’s personal information to facilitate the sale of goods under the first exception. Furthermore, if your widget includes a warranty or a return period, you can likely retain Joe’s personal information to be able to verify his transaction, issue a return, or apply the warranty. You also may be able to keep Joe’s information under the security-incident detection exception. What if Joe was right, and his identity theft was caused by a breach in your system? You may need to use his information to address the security incident. Furthermore, if there was a security incident, you may have a legal obligation (exception three, above) to notify Joe. You could thus retain his personal information for notification purposes.
While the free speech and research exceptions probably do not apply to this hypothetical, the internal use exceptions likely do. This category of exceptions applies broadly. One such exception allows businesses to use consumers’ personal information for internal uses “that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.” Another allows businesses to use personal information internally “in a lawful manner that is compatible with the context in which the consumer provided the information.”
In our example, the internal use exceptions may include the uses related to return periods and warranty periods noted above. But what about other uses? Would it be compatible with the context in which Joe provided his personal information to use it for market research or analysis? What if Joe did not just purchase one small widget, but was in fact one of the largest purchasers of your company’s widgets. Does that change Joe’s expectations or the context in which Joe has provided you his personal information? These are open questions.
At first glance, the CCPA’s right to deletion appears to be a powerful consumer protection. But, as the hypothetical above illustrates, it can be significantly diluted by its exceptions, some of which are vague and expansive. Some clarity, hopefully, will come from the Attorney General’s anticipated CCPA regulations. Nevertheless, the right to deletion will present difficult decisions—and operational challenges—for companies doing business in California.