Responding to Requests to Delete

Morgan Lewis Practical Advice on Privacy: Guide to the CCPA

November 20, 2019

The recently proposed regulations implementing the California Consumer Privacy Act (CCPA) “establish procedures to facilitate consumers’ new rights under the CCPA and provide guidance to businesses for how to comply.”[1] This article focuses on the consumer’s right to request deletion of the consumer’s personal information collected by the business, and outlines the best practices for responding to such requests to delete under the CCPA, including some information on the exceptions to deletion request.[2]

Timing of the Response

Confirmation of Receipt. The proposed regulations require that a business confirm receipt of a request to delete within 10 days of receiving the request.[3] Such confirmation must include information about how the business will process the request, including the business’s verification process and the timing as to when the consumer should expect a response from the business (unless the business has already granted or denied the request).[4] As discussed in more detail in our earlier article relating to the verification of consumer requests, the proposed regulations require that requests to delete be made through a “two-step process” pursuant to which a consumer first “clearly” submits a request to delete, and the business separately confirms the consumer’s request for deletion of the consumer’s personal information.[5]

Response. Both the CCPA and the proposed regulations require that the business respond to a request to delete within 45 days – beginning on the day the business receives the request, regardless of the time required to verify the request.[6] That response may be a denial because of the exceptions to the deletion request or it may be a confirmation that the deletion has occurred. A business may take up to an additional 45 days, if necessary, to respond to a consumer’s request (for a maximum of 90 days from the date the business receives the request) if the business provides the consumer with notice that includes an explanation of the reason that the business needs more than 45 days to respond to the request.[7]

As discussed in our earlier article regarding requests to know, these response timelines are also applicable to a response to a request to know.

Requirements When Responding to Requests to Delete

Methods of Compliance. Upon verification of a consumer’s request to delete, the business must either (a) respond and explain that it is not deleting personal information because of an exception, and thereafter limit use to that exception; (b) permanently and completely erase the consumer’s personal information on its existing systems (except for archived or backup systems, discussed below); or (c) de-identify or aggregate the personal information (such that the information is anonymized).[8]

Response and Recordkeeping. In response to the request to delete, the business must either give the details of any exception it is relying upon to decline the request or specify the method by which it has deleted the consumer’s personal information. In addition, the proposed regulations clarify that the business must maintain a record of the request to delete, and inform the consumer in its response that the business will maintain such record. Businesses must maintain records of consumer requests to delete and how they responded to the requests. These records must be maintained for at least 24 months.[9]

Deletion of Select Portions. A business may give the consumer the option to delete only select portions of the consumer’s personal information so long as the consumer is also offered the “global option” to delete all of the consumer’s personal information (and more prominently presented than the other choices). The proposed regulations specifically require that the consumer be able to confirm the selection pursuant to the two-step confirmation process discussed above.[10]

Personal Information Stored on Archived or Backup Systems. To the extent the personal information is stored on archived or backup systems, the business may delay its compliance with the request to delete with respect to such personal information until the archived or backup system is next accessed or used by the business.[11]

Unable to Verify a Request to Delete. A business may decline a request to delete if it cannot verify the identity of the consumer making the request pursuant to the verification process set forth in Article 4 of the proposed regulations.[12] That process is discussed in detail in our earlier article regarding the proposed regulations applicable to the verification of consumer requests. In cases where the requestor’s identity cannot be verified, the business must (a) inform the consumer that the consumer’s identity cannot be verified; and (b) treat the request as a request to opt out of sale.[13] The requirements of the proposed regulations relating to requests to opt out will be discussed in an upcoming article.

Denying a Request to Delete. The CCPA provides a number of exceptions to the deletion requirement. A business can deny a deletion request to keep information that is covered by an exception. Those exceptions include where the business currently does use or anticipates using information to

  1. complete the transaction for which that personal information was collected, to providegoods/service requested by the consumer or that may be requested given the nature of the business relationship, or to otherwise perform its obligations under a contract with the consumer;
  2. detect security incidents and protect against malicious, fraudulent, or illegal activity;
  3. exercise free speech or another right provided by law;
  4. comply with legal obligations; or
  5. enable internal uses that are “reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business,” and to otherwise use internally, the personal information in a lawful manner that is “compatible with the context in which the consumer provided the information.”[14]

The proposed regulations do not provide guidance regarding the scope of activities that may be “reasonably aligned” with consumer expectations or “compatible with the context” in which information was provided, raising important, and often difficult, questions of interpretation for businesses.

In cases where a business denies a consumer’s request to delete, and regardless of the basis for such denial, the business must (a) notify the consumer that it will not comply with the request to delete; (b) describe the basis for such denial, including any statutory and regulatory exception the business is relying on; (c) delete the consumer’s personal information that is not subject to any such exception; and (d) refrain from using the consumer’s personal information retained for any other purpose than provided for by any such exception.[15]

Service Providers

The proposed regulations require that if a service provider receives a consumer’s request to delete regarding personal information that the service provider collects, maintains, or sells on behalf of the business it services, and does not provide that information, it shall explain the basis for the denial.[16] If the information is only available from the business on whose behalf the service provider processes the information, the service provider should advise the consumer and provide the consumer with contact information for that business, if feasible.[17] In addition, a service provider that is subject to the CCPA must comply with the CCPA and the proposed regulations with respect to any personal information that it collects, maintains, or sells outside of its role as a service provider.[18]

Recommendations and Next Steps

Businesses should implement or modify existing processes to respond to a consumer’s request to delete, particularly given that such responses must be individualized in most cases. A critical first step for businesses is evaluating the extent to which the CCPA’s exceptions to the deletion might apply. In connection with responding to requests to delete (and consumer requests under the CCPA in general), it may be beneficial to run internal tests to assess whether the business will be able to verify requests and provide individualized responses within the required response times and, if not, develop systems and procedures to enable full compliance. Related to the foregoing, businesses should also evaluate their practices and procedures for collecting, storing, and deleting personal information to confirm that personal information can be segregated and completely and permanently destroyed on an individualized basis (or de-identified or aggregated), in compliance with the prescribed methods for addressing a request to delete.

Persons responsible for responding to requests to delete must be informed about all of the requirements in the CCPA and the proposed registrations related to such requests, and able to respond to consumers’ questions about them. Socializing these requirements and training personnel as to how to address these types of requests will help ensure a controlled implementation of these requirements.

The California attorney general issued proposed regulations for the CCPA on October 10, 2019. The proposed regulations are pending public comment through December 6, 2019. As part of the rulemaking process, the California attorney general will then decide whether any modifications should be made to the proposed regulations before they become final. In the meantime, the proposed regulations provide useful guidance as businesses prepare for and comply with the CCPA, which takes effect on January 1, 2020.

Please visit our CCPA Resource Center for more information and the latest updates.

How We Can Help

The Morgan Lewis privacy team is providing practical advice on privacy to more than 100 businesses on compliance with CCPA, the newly proposed regulations, and how to accept, verify and respond to requests. If you have any questions or would like more information, please contact any of the following Morgan Lewis lawyers:

San Francisco
Reece Hirsch
Carla Oakley
Michelle Park Chiu
Gene Park

Los Angeles
Joseph Duffy

Gregory Parks
Ezra Church
Kristin Hadgis
Julian Williams

New York
Martin Hirschprung

Washington, DC
Ronald Del Sesto
Dr. Axel Spies

[1] California Attorney General, Background on the CCPA and the Rulemaking Process.

[2] In general, the CCPA applies to for-profit organizations or legal entities that do business in California, collect California consumers’ personal information (directly or indirectly), and determine the purposes and means of processing of consumers’ personal information (alone or jointly with others), and that also satisfy one of three annual thresholds: (1) $25 million gross revenue, (2) 50,000-person data volume, or (3) 50% of revenues from sale of personal information. Covered entities include those that control or are controlled by a business with which they share common branding. See the Morgan Lewis CCPA Checklist for more details on whether the CCPA applies to a given business.

[3] CCPA Proposed Regulations, Section 999.313(a).

[4] Id.

[5] CCPA Proposed Regulations, Section 999.312(d).

[6] CCPA Proposed Regulations, Section 999.313(b).

[7] Id.

[8] CCPA Proposed Regulations, Section 999.312(d)(2).

[9] CCPA Proposed Regulations, Section 999.317.

[10] CCPA Proposed Regulations, Sections 999.312(d) and 999.313(d)(7).

[11] CCPA Proposed Regulations, Section 999.312(d)(3).

[12] CCPA Proposed Regulations, Section 999.312(d)(1).

[13] Id.

[14] CCPA Civil Code Section 1798.105(d).

[15] CCPA Proposed Regulations, Section 999.312(d)(6).

[16] CCPA Proposed Regulations, Section 999.314(d).

[17] Id.

[18] CCPA Proposed Regulations, Section 999.314(e).