Requests to Delete
The California Consumer Privacy Act (“CCPA”) (and the ballot initiative that amends and expands the CCPA, called the California Privacy Rights Act (“CPRA”)) and the Virginia Consumer Data Protection Act (“VCDPA”) provide eligible consumers the right to request that a business delete the personal information that the business has collected or obtained from the consumer. This document is designed to provide information about these requests.
Before we jump into it though, please note that this document is only providing general information and is not legal advice.
Privacy laws are complex and compliance is specific to each business owner. Also, privacy laws are always changing, so please confirm that the information in these guidelines is still accurate at the time you are reading.
Before responding to any requests or taking any action, we recommend speaking with an attorney about your website and business.
What is a request to delete?
Both the CCPA/CPRA and VCDPA provide certain consumers with the right to request the deletion of their personal information. This right is not absolute, so please refer to each law to understand the relevant exceptions.
What does this mean?
This means that if you have collected or obtained personal information about a consumer, you may, under certain circumstances, be obligated to delete that consumer’s information. Each law has different requirements for deletion, so please check the relevant law to see your obligations.
I just received a request to delete… now what?
Please don’t ignore it. No matter what, you will need to respond, so make sure you set up a procedure to deal with these requests.
Check out this handy sample so you can create your own procedure:
Call your privacy lawyer for assistance in responding and thank them for being a great resource. Lawyers need love too.
Determine which law applies - CCPA/CPRA or VCDPA (or any other that we don’t mention here).
- You can take a look at the location of the person who is making the request, among other things.
Determine the timing of response.
- CCPA/CPRA require that a business confirm receipt of a deletion request within 10 business days. After that, the business must substantively respond to the request within 45 calendar days, unless the business requests an extension.
- VCDPA requires a response within 45 calendar days.
Determine your response.
- Verify the request. This is an important step to avoid responding to fraudulent requests.
- Determine what data you have on file (if any) and any other third parties/service providers that you need to notify about the request.
- If you have data on file, confirm which data the requester would like you to delete.
- If you have properly verified the consumer and determined there is data to delete, delete it and notify any other relevant third parties of the request.
- If there is no data to delete or you meet an exemption to the request under the law, you will not need to delete any data.
Either way, respond to the request within the required timeframe and let the consumer know what actions you have taken (or not) and the reasons for doing so.
Remember, this is just information and not legal advice. We like to leave the legal advice to the professionals. We highly recommend you speak with an attorney to confirm you have the right procedures in place.