Requests to Delete
The California Consumer Privacy Act (“CCPA”) (and its updated version called the California Privacy Rights Act (“CPRA”)) and the Virginia Consumer Data Protection Act (“VCDPA”) provide eligible consumers the right to request that a business delete the personal information that the business has collected or obtained from the consumer. This document is designed to provide information about these requests.
Before we jump into it though, please note that this document is only providing general information and is not legal advice.
Privacy laws are complex and compliance is specific to each business owner. Also, privacy laws are always changing, so please confirm that these guidelines are still accurate at the time you are reading.
Before responding to any requests or taking any action, we recommend speaking with an attorney about your website and business.
What is a request to delete?
The CCPA/CPRA provides that consumers “… have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.”
The VCDPA provides that consumers “… have the right to delete personal data provided by or obtained about the consumer.”
What does this mean?
This means that if you have collected or obtained personal information about a consumer, you may, under certain circumstances, be obligated to delete that consumer’s information.
What is personal information?
Under CCPA, personal information is “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” For example, it could include a consumer’s name, email address, records of products purchased, internet browsing history, or geolocation data.
Are there any exceptions for these requests?
Sure are! Both the CCPA/CPRA and VCDPA provide exceptions to the request to delete so that a business can decline the request. They include complying with other laws or lawsuits, the ability to provide a requested service to the consumer or complying with an existing agreement, or the exercise of free speech.
These are just examples, so be sure to check out the total list of exceptions for each law because there are many more (too many to list here)!
What does it mean to delete data?
Under CCPA, deleting data means:
permanently and completely erase the personal information on a business’s existing systems with the exception of archived or backup systems;
de-identify the personal information; or
aggregate the consumer information.
VCDPA does not provide any specifications about how to delete data.
I just received a request to delete… now what?
Please don’t ignore it. No matter what, you will need to respond so make sure you set up a procedure to deal with these requests.
Check out this handy sample so you can create your own procedure:
Determine which law applies - CCPA/CPRA or VCDPA (or any other that we don’t mention here).
You can take a look at the location of the person who is making the request, among other things.
Determine the timing of response:
- CCPA/CPRA require that a business confirm receipt of a deletion request within 10 business days. After that, the business must respond to the request within 45 calendar days.
- VCDPA requires a response within 45 calendar days, but no confirmation is required.
Determine your response.
- Confirm the person making the request is the person whose data is being deleted. This is an important step to avoid responding to fraudulent requests.
- Determine what data you have on file (if any) and any other third parties you need to notify about the request.
- If you have data on file, confirm which data the requester would like you to delete.
If you have properly verified the consumer and determined there is data to delete, delete it and notify any other relevant third parties of the request.
- If there is no data to delete or you meet an exemption to the request under the law, you will not need to delete any data.
Respond to the request and let the consumer know what actions you have taken and the reasons for doing so.
Call your privacy lawyer and thank them for helping you with this process.
Remember, these are very general guidelines. We highly recommend you speak with an attorney to confirm you have the right procedures in place.