Right to Erasure Comparison: GDPR vs. CCPA and Data Challenges with Erasure Compliance
By now, you’re thoroughly versed in GDPR and you know all about Art. 17 Right to Erasure (Right to be Forgotten), which can be exercised by the Data Subject under certain conditions. But perhaps on your to-do list is some effort to compare the RTBF provision in GDPR to the new California Consumer Privacy Act’s (CCPA) version of the same. (Yes, in case you didn’t know, the CCPA has an RTBF right too.) You can check that comparison off your to-do list because I’m doing it for you below. I’m also going to give you a couple of operational matters to ponder.
Compliance Observations. Complying with RTBF requests from a purely data management standpoint will be challenging, as just a couple of examples illustrate.
First, under the CCPA, to identify the consumer and determine whether the request is a verifiable request, Section 1798.30 requires the company to “associate any personal information previously collected by the business about the consumer” to the information contained in the request. Will the company be able to ascertain within the 45-day time period that the requestor, “Liz Reston,” who declares she lives at 123 Main Street, is the same Reston as “Elizabeth Reston” in the company’s marketing database with a different address, or “Lizzie Reston” in the Customer Support database with only a business email, or “Elizabeth A. Reston” with a prior residence address? The task is compounded when data errors are introduced, e.g., transposed digits in area codes, dates of birth, or social security numbers, formatting differences in phone numbers (e.g., +1 (720) 123–1212 v. 720–123–1212), and misspellings.
Second, does the Right to Deletion require continuous monitoring to ensure compliance? It would appear a continuous monitoring obligation is not currently present in the CCPA, because Section 1798.130 specifies that the disclosure obligation covers the 12-month period “preceding the business’s receipt of the verifiable request” (emphasis supplied). The answer is not so clear under GDPR. There, Art. 17 requires the controller to erase personal data “without undue delay” but, unlike the CCPA, it is not retrospective in its reach. It merely sets forth the preconditions under which erasure is required. Let’s assume the following scenario: Liz Reston submits an RTBF request to Company A on September 1, 2018 and specifies that her principal interest is in having her name removed from “any and all Company marketing lists,” and she revokes her consent to the use of her personal data for marketing purposes.
Within thirty days, Company A conducts an internal search to locate Liz Reston’s records to execute the deletion and learns she was on three company marketing lists. Her information is dutifully deleted from those three lists and Liz is so notified. But 15 days later, Company A acquires Company B and all its assets, including marketing lists. One of those lists contains personal data about Liz Reston. Would Company A be in violation of GDPR’s Art. 17 if Liz’s personal data were not deleted? Certainly, it would be fair to assume that Liz’s expectation would be that a list procured and held by the Company only 15 days after her request should be subject to her original request. I would think that expectation would be even better founded if Company A re-marketed to her. After all, Recital (65) states, “a data subject should have the right to have his or her personal data erased and no longer processed … where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her” (emphasis added).
But how far should that “look forward” obligation extend? If a company in the marketing business is acquisitive (e.g., it acquires more than one marketing company, each with its own marketing databases, per year), shouldn’t a continuous RTBF monitoring capability (i.e., one that ensures fidelity to the requestor’s deletion request) be at least best practice in that case? Something to ponder over your turkey and gravy.
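The record-matching problem from the first observation (Liz vs. Elizabeth vs. Lizzie, differently formatted phone numbers) and the acquired-list check from the Company B scenario, as an added Python example that is not part of this post: it normalizes phone, email and name before comparing, grades each hit as strong (phone or email agrees) or weak (name only, to be verified by hand), and re-screens a newly acquired list against the register of prior erasure requests. The nickname table, field names and all sample records are constructed assumptions, not real data.

```python
import re
import unicodedata

NICKNAMES = {"liz": "elizabeth", "lizzie": "elizabeth"}  # constructed; use a curated list in practice

def norm_phone(raw):
    """Digits only, minus a leading US country code: +1 (720) 123-1212 and 720-123-1212 agree."""
    digits = re.sub(r"\D", "", raw or "")
    return digits[1:] if len(digits) == 11 and digits[0] == "1" else digits or None

def norm_name(raw):
    """Lowercase, strip accents/punctuation, drop single-letter initials, expand first-name nicknames."""
    text = unicodedata.normalize("NFKD", raw or "").encode("ascii", "ignore").decode()
    parts = [p for p in re.sub(r"[^a-z ]", " ", text.lower()).split() if len(p) > 1]
    parts[:1] = [NICKNAMES.get(p, p) for p in parts[:1]]
    return " ".join(parts) or None

def matched_fields(request, record):
    """Identifier fields on which request and record agree after normalization."""
    hits = set()
    for field, fn in (("phone", norm_phone), ("name", norm_name),
                      ("email", lambda s: (s or "").strip().lower() or None)):
        a, b = fn(request.get(field)), fn(record.get(field))
        if a and b and a == b:
            hits.add(field)
    return hits

def find_candidates(request, records):
    """(record_id, confidence): phone/email agreement is 'strong'; a name-only match is 'weak'."""
    out = []
    for rec in records:
        hits = matched_fields(request, rec)
        if hits & {"phone", "email"}:
            out.append((rec["id"], "strong"))
        elif "name" in hits:  # weak: hold for manual verification, do not erase automatically
            out.append((rec["id"], "weak"))
    return out

def screen_new_list(erasure_register, new_list):
    """Acquired-list check: prior request id -> ids of new records that still match it."""
    return {req["id"]: [rid for rid, _ in find_candidates(req, new_list)] for req in erasure_register}

# Constructed, fictional sample data mirroring the Liz Reston scenario.
REQUEST = {"id": "REQ-1", "name": "Liz Reston", "phone": "+1 (720) 123-1212", "email": "liz@example.com"}
MARKETING = [{"id": "M1", "name": "Elizabeth Reston", "phone": "720-123-1212", "email": None},
             {"id": "M2", "name": "Elizabeth A. Reston", "phone": None, "email": "ea.reston@example.org"},
             {"id": "M3", "name": "Eliza Reston", "phone": "720-321-1212", "email": None}]
SUPPORT = [{"id": "S1", "name": "Lizzie Reston", "phone": None, "email": "lizzie.reston@example.net"}]
ACQUIRED = [{"id": "B1", "name": "E. Reston", "phone": "(720) 123-1212", "email": None},
            {"id": "B2", "name": "Bob Jones", "phone": "720-555-0100", "email": "bob@example.com"}]
```

Running `find_candidates(REQUEST, MARKETING)` flags M1 as strong and M2 as weak while leaving "Eliza Reston" alone, and `screen_new_list([REQUEST], ACQUIRED)` catches B1 on the acquired list fifteen days after the original deletion was completed.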