Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps
Part 5 of a Series
Consumer Rights: Deletion, Do Not Sell, Non-Discrimination
The California Consumer Privacy Act obligates covered businesses to disclose the categories of personal information, the sources of personal information and uses of personal information collected in the course of their operations. In addition, the CCPA gives consumers specific rights not just to know what data is being collected, but also whether and how that data can be used. Compliance with the CCPA requires an understanding of these rights, and adoption of procedures to comply with them.
The right to delete is not absolute. Businesses are also not required to delete information “if it is necessary” to:
- Complete the transaction for which it was collected.
- Provide a good or service the consumer has requested.
- Perform a contract between the business and the consumer.
- Detect security incidents.
- Protect against “malicious, deceptive, fraudulent, or illegal” activities.
- Prosecute people responsible for “malicious, deceptive, fraudulent, or illegal” activities.
- “Debug to identify and repair errors that impair existing intended functionality.”
- Ensure the exercise of free speech by another customer.
- Ensure the company’s exercise of “another right provided for by law.”
- Comply with a legal obligation, in particular, those of the California Electronic Communications Privacy Act.
These exceptions give businesses a broad range of reasons to keep information. For example, a business may continue to use a consumer’s personal information that has been the subject of a deletion request “internally, in a lawful manner that is compatible with the context in which the consumer provided the information.” A similar exception is carved out for “solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.”
Opt-out of Sales
The CCPA gives consumers two related rights regarding the sale of personal information: 1) a “right to opt out” of the sale of personal information, and 2) for consumers under the age of 16, a “right to opt in”. Continue reading