Right to delete under CCPA

Lydia F de la Torre
Jan 5, 2020 · 10 min read

Key points:

CCPA provides California residents the right to have personal information deleted but the right is not absolute and can be denied in some circumstances.

The California right to delete differs in significant ways from the GDPR right to erasure (a.k.a. ‘the right to be forgotten’)

Californians must follow the process established by the business in order to exercise their right to delete. Businesses have 45 days to respond to a request (which may be extended by an additional 45-day period in certain circumstances).

Last updated: 4/6/2020

What is the right to delete under CCPA and why is it important?

CCPA grants California residents the right to have personal information erased. The right is not absolute and only applies in certain circumstances.

Cal. Civ. Code Sec. 1798.105

Consumers can exercise the right to delete their personal information if:

  • the personal information was collected by the business from the consumer
  • it is no longer necessary for the business or service provider to maintain the personal information in order to fulfill one of the purposes identified in Cal. Civ. Code Sec. 1798.105 (d) AND
  • the business is not entitled to retain the personal information under one of the general exemptions under Cal. Civ. Code Sec. 1798.145

Organizations must inform consumers in their CCPA privacy policies of the fact that the consumer has a right to request that information be deleted.

In responding to a request to delete, a business may present the consumer with the choice to delete select portions of their personal information only if a global option to delete all is also offered and more prominently presented than the other choices. (See, CCPA proposed rules 999.313 (d)(8))

Responding to a request to erase


Submission methods:

The CCPA does not specify how a valid request to delete shall be made but requires the business to create, at a minimum, two methods for submission of a request.

  • Acceptable methods for submitting these requests include, but are not limited to, a toll-free phone number, a link or form available online through a business’s website, a designated email address, a form submitted in person, and a form submitted through the mail.

See, CCPA proposed rules 999.312 (b)

A business shall consider the methods by which it interacts with consumers when determining which methods to provide for submitting requests to know and requests to delete.

  • If the business interacts with consumers in person, the business shall consider providing an in-person method such as a printed form the consumer can directly submit or send by mail, a tablet or computer portal that allows the consumer to complete and submit an online form, or a telephone by which the consumer can call the business’s toll-free number.

See, CCPA proposed rules 999.312 (c)

A business may use a two-step process for online requests to delete where the consumer must first submit the request to delete and then, second, separately confirm that they want their personal information deleted.

See, CCPA proposed rules 999.312 (d)

The consumer has to follow the process established by the business to exercise his or her right to delete. If a consumer submits a request in a manner that is not one of the designated methods of submission, or is deficient in some manner unrelated to the verification process, the business can either:

  • Treat the request as if it had been submitted in accordance with the business’s designated manner, OR
  • Provide the consumer with information on how to submit the request or remedy the deficiency.

See, CCPA proposed rules 999.312 (e)

Upon receiving a request, a business shall confirm receipt of the request within 10 business days and provide information about how the business will process the request.

  • The information provided shall describe in general the business’s verification process and when the consumer should expect a response, except in instances where the business has already granted or denied the request.
  • The confirmation may be given in the same manner in which the request was received (e.g., if the request is made over the phone, the confirmation may be given on the phone during the phone call).

See, CCPA proposed rules 999.313 (a)

If necessary, businesses may take up to an additional 45 calendar days to respond to the consumer’s request, for a maximum total of 90 calendar days from the day the request was received.

  • The business must notify the consumer of the extension and provide an explanation as to the reasons for the delay.

See, CCPA proposed rules 999.313 (b)

A business must verify the identity of the requestor pursuant to Article 4 of the CCPA proposed regulations.

A business has 45 calendar days to respond to the request.

  • The 45-day period will begin on the day that the business receives the request, regardless of time required to verify the request.
  • If the business cannot verify the consumer within the 45-day time period, the business may deny the request.

See, CCPA proposed rules 999.313 (b)

In responding to a request to delete, a business shall inform the consumer whether or not it has complied with the request (See, CCPA proposed rules 999.313 (d)(4))

  • If the business complies, the business shall inform that it will maintain a record of the request for the purpose of ensuring that the “information remains deleted from the business’s records.” (See, CCPA proposed rules 999.313 (d)(5) and section below on record keeping)
  • If the business denies the request to delete it must do all of the following:
    (a) Inform the consumer that it will not comply and describe the basis for the denial -including any conflict with federal or state law, or exception to the CCPA- unless prohibited from doing so by law; (b) delete the information that is not subject to the exception; and (c) not use the information retained for any other purpose than provided for by that exception. (See, CCPA proposed rules 999.313 (d)(6))

If a business that refuses a request to delete sells personal information and the consumer has not already made a request to opt out, the business shall ask the consumer if they would like to opt out of the sale and shall include either the contents of, or a link to, the notice of right to opt-out in the response to the request. (See, CCPA proposed rules 999.313 (d)(7))

Erasing the data

A business can comply with a request to delete by:

  • Permanently and completely erasing the personal information on its existing systems with the exception of archived or back-up systems;
  • Deidentifying the personal information; or
  • Aggregating the consumer information.

See, CCPA proposed rules 999.313 (d)(2)

If a business stores any personal information on archived or backup systems, it may delay compliance with the request to delete until the archived or backup system relating to that data is restored to an active system or next accessed or used for a sale, disclosure, or commercial purpose.

See, CCPA proposed rules 999.313 (d)(3)

A business shall not only delete the consumer’s personal information from its records but also direct any service providers to delete the consumer’s personal information from their records. (See, Cal. Civ. Code Sec. 1798.115(c))

Record keeping

A business shall maintain records of consumer requests made pursuant to the CCPA and how the business responded to said requests for at least 24 months.

  • The business shall implement and maintain reasonable security procedures and practices in maintaining these records.
  • The records may be maintained in a ticket or log format provided that the ticket or log includes the date of request, nature of request, manner in which the request was made, the date of the business’s response, the nature of the response, and the basis for the denial (if applicable.)
  • Information maintained for record-keeping purposes shall not be used for any other purpose except as reasonably necessary to review and modify its processes for compliance with the CCPA.
  • Information maintained for recordkeeping purposes shall not be shared with third parties except as needed to comply with CCPA.

See, CCPA proposed rules 999.317.(b),(c)&(e)

A business that knows (or reasonably should know) that it, alone or in combination, buys, receives for commercial purposes, sells, or shares for commercial purposes, the personal information of 10,000,000 or more consumers in a year has additional record keeping and reporting obligations. (See, CCPA proposed rules 999.317.(g))

Request made to a service provider

If a service provider receives a request to know or a request to delete from a consumer, the service provider shall either act on behalf of the business in responding to the request or inform the consumer that the request cannot be acted upon because the request has been sent to a service provider. (See, CCPA proposed rules 999.314(e))

Refusing to comply with a request to delete

A request to delete can be denied where:

  • The identity of the requestor cannot be verified;
  • The information in question was not collected by the business from the consumer; or
  • An exception applies.

If a business that refuses a request to delete sells personal information and the consumer has not already made a request to opt out, the business shall ask the consumer if they would like to opt out of the sale and shall include either the contents of, or a link to, the notice of right to opt-out in the response to the request. (See, CCPA proposed rules 999.313 (d)(7))

If a business cannot verify the identity of the requestor, the business may deny the request but must inform the consumer that the identity could not be verified.

See, CCPA proposed rules 999.313 (d)(1)

Under the CCPA, a consumer has the right to request that a business delete personal information “collected from the consumer” but not if the information was collected from other sources (See, Cal. Civ. Code Sec 1798.105(a).) Consequently, a business may deny a request to delete that relates to information collected from sources other than the consumer.

CCPA identifies a number of situations where a business or a service provider is not required to comply with a consumer’s request to delete. Specifically, a request to delete may be denied where retaining the information is necessary for the business or service provider in order to:

  • Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’ ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
  • Debug to identify and repair errors that impair existing intended functionality.
  • Exercise free speech, ensure the right of another consumer to exercise that consumer’s right of free speech, or exercise another right provided for by law.
  • Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the business’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
  • Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
  • Comply with a legal obligation.
  • Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

See, Cal. Civ. Code Sec. 1798.105 (d)

In addition, where a general exemption applies, a business could deny a request to erase. (See, Cal. Civ. Code Sec. 1798.145)

Request to delete regarding household information

Where a household does not have a password-protected account with a business, a business shall not comply with a request to delete unless all of the following conditions are met:

  • All consumers of the household jointly request deletion
  • The business individually verifies all the members of the household; and
  • The business verifies that each member making the request is currently a member of the household.

See CCPA proposed regulations 999.318 (a)

Where a consumer has a password-protected account with a business that collects personal information about a household, the business may process requests to delete relating to household information through the business’s existing business practices. See CCPA proposed regulations 999.318 (b)

If a member of a household is a minor under the age of 13, a business must obtain verifiable parental consent before erasing. See CCPA proposed regulations 999.318 (c)

Best practices


If a valid erasure request is received and no exemption applies, all necessary steps to ensure erasure must be taken. This includes:

  • erasing the data from backup systems as well as live systems, and
  • informing data subjects as to what will happen to the data about them when the erasure request is fulfilled, including backup systems.

If the erasure request can be instantly fulfilled but the data will remain within the backup environment for a certain period of time until it is overwritten, best practices would be to put the backup data ‘beyond use’, even if it cannot be immediately overwritten. If the backup data cannot be immediately erased, it must not be used for any other purpose (i.e. the backup should be simply held on the system until it is replaced in line with an established schedule).

Where there are doubts about the identity of the person making the request, it is possible to ask for more information. However, it is important that only the information that is necessary to confirm who they are is requested. The key to this is proportionality.

Finally, it is important to train staff who regularly interact with consumers to identify a request so that they can inform the consumer of the methods for submission. Additionally, it is good practice to:

  • have a policy for recording details of the requests received, particularly those made by telephone or in person;
  • check with the requester to make sure the request is clearly understood, which can help avoid later disputes about how the business has interpreted the request; and
  • keep a log of verbal requests.
