With the California Consumer Privacy Act (CCPA), and its amendment, the California Privacy Rights Act (CPRA), consumers have gained powerful rights over their data—including the right to delete. Let's walk through what this means for your business, how to handle deletion requests, and the latest legislative updates.
Under the CCPA, consumers have the right to request deletion of personal information your business collects. The CPRA strengthens this right by extending deletion requirements to third-party vendors with whom you’ve shared the consumer's information. This means businesses must ensure not only their own compliance but also the compliance of their service providers.
As a result, a business must comply with deletion by:
Businesses that store personal information on archived or backup systems can delay complying with a deletion request until those systems are restored, re-accessed, or used for a disclosure, sale, or commercial purpose.
With some exceptions, the right to deletion applies to all CCPA personal information, which is defined as follows:
Personal information is information that identifies, relates to, or could reasonably be linked with you or your household. For example, it could include your name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics.
Source: California Consumer Privacy Act (CCPA)
The CCPA classifies personal information broadly, covering data that could identify or link to an individual, such as:
The CPRA expands the definition of personal information to include sensitive data, which includes:
Understanding these expanded data categories is essential for meeting CPRA compliance standards, as sensitive information is now treated with added care.
The CCPA and CPRA outline several situations where data deletion isn’t mandatory, allowing businesses to retain data when necessary for:
By understanding these exceptions, your business can make informed decisions on when deletion requests may be denied and how to communicate these cases to consumers.
Apart from the exceptions, businesses and service providers can also deny deletion requests if the identity of the individual requesting deletion can’t be verified or if the personal information in question wasn’t collected from the consumer by the business.
To stay compliant with both the CCPA and CPRA, it’s critical to have a smooth process for handling deletion requests. Here’s a streamlined approach:
In its regulations, the CCPA details what businesses must do to comply with consumers' right to delete. These obligations include updating your privacy policy, providing channels through which consumers can request that their data be deleted, and keeping a record of deletion requests.
Businesses must review and update their privacy policies to detail consumers’ data privacy rights, as well as explain how these rights can be exercised. A CCPA privacy policy, then, must disclose the right to deletion and describe the method to submit deletion requests.
Businesses are required to provide at least two methods for submitting data deletion requests. These methods should fit the way your business interacts with its consumers.
For example, a clothing shop that has a website can provide both a toll-free number and an online form their customers can use to submit their requests. These avenues should be separate from other contact points such as helplines or customer service emails.
Upon receiving a data deletion request, a business must confirm receipt within ten days and provide information about how the request will be processed. A business must also inform the consumer within forty-five days, regardless of the time required to verify the request, whether it has complied with the request or not.
If the business complies, it has to inform the consumer that a record of the request will be kept to ensure that the data remains deleted.
If the business denies the request under an exemption, it must inform the consumer that it won’t comply, that it won’t delete any information that is subject to the exemption, and that it won’t use the data for any purpose other than the exemption.
If the request is denied due to failed verification, a business must direct the consumer to proper processing.
Businesses must keep records of requests made under the CCPA for at least twenty-four months. These records must be maintained and may not be used for any purpose other than compliance with the law.
The 2023 California Delete Act (SB 362) further empowers consumers by allowing them to delete their information across all registered data brokers with a single request. Meanwhile, the CPRA has established a new regulatory agency, the California Privacy Protection Agency (CPPA), which oversees compliance and has the power to issue penalties for non-compliance.
For businesses, this means greater accountability and potential penalties if deletion requests are mishandled or if vendor compliance isn’t ensured. To streamline compliance, consider automated tools that manage both consumer requests and vendor communication.
For comprehensive compliance support or to explore tools that can help manage CCPA and CPRA requests, contact the privacy experts at Ketch. Protect consumer trust and stay ahead of California’s evolving privacy regulations.
The right to delete is only one of four main rights afforded by the CCPA. Any business that does business in California or with California residents must comply with all of them.
So it’s good practice to stay informed and to review your business’s current data practices to see if they are in line with the law. Otherwise, you’re at risk of paying hefty fines or losing business in the state.
To learn more about CCPA compliance and consent management platform software, contact the privacy experts at Ketch today.