One of the standout consumer rights under the California Consumer Privacy Act (CCPA) is the right to delete. While in theory the right to delete is a powerful consumer protection measure, this right is not absolute. The CCPA defines several instances in which a business or service provider is not required to delete user data. Specifically, a business or service provider is not required to comply with a consumer’s request to delete personal information if it is necessary for the business or service provider to maintain the consumer’s personal information to:
(1) Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
(2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
(3) Debug to identify and repair errors that impair existing intended functionality.
(4) Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
(5) Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
(6) Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
(7) To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
(8) Comply with a legal obligation.
(9) Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
The first element likely allows for web and app functions such as shopping carts, and it may also permit some degree of targeted advertising, such as product recommendations based on previous purchases. Because this element explicitly allows for performance of a contract between organizations and consumers, organizations should write account creation contracts consistent with their data use practices. Doing so should allow for the retention of some consumer data as “necessary” for the business or service provider under the law. The second element likely allows for the retention of IP addresses, MAC addresses and other uniquely identifying information for the sake of network security. Similarly, the third element allows for the retention of data such as browser types, but also potentially things like activity logs for debugging purposes.
The sixth element pertains to research in the public interest. It sets a very high bar: not only is informed consent required, but retention is permitted only if the research would be rendered impossible or seriously impaired by deletion. The CCPA allows for the retention of data for public interest research only if it is:
(A) Compatible with the business purpose for which the personal information was collected.
(B) Subsequently pseudonymized and deidentified, or deidentified and in the aggregate, such that the information cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.
(C) Made subject to technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
(D) Subject to business processes that specifically prohibit reidentification of the information.
(E) Made subject to business processes to prevent inadvertent release of deidentified information.
(F) Protected from any reidentification attempts.
(G) Used solely for research purposes that are compatible with the context in which the personal information was collected.
(H) Not be used for any commercial purpose.
(I) Subjected by the business conducting the research to additional security controls that limit access to the research data to only those individuals in a business as are necessary to carry out the research purpose.
These elements are very restrictive and require extra attention to ensure adequate compliance measures are in place. Element A limits use of the data to the “business purpose” for which it was collected and, working alongside element G, underscores that there must be a nexus between the research and the context in which the data was collected. The law defines “business purpose” as the “use of personal information for the business’ or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected.” The “reasonably necessary and proportionate” constraint means businesses must comply with a request to delete data that does not have a strong nexus to the core operations of the business, such as GPS coordinates collected by a flashlight app.
Elements B, C, D, E, F, and I impose very strong safeguards on data anonymity and security practices. What constitutes anonymized or deidentified data is a raging debate among academics, as data scientists are able to reidentify individuals by finding unique combinations of variables in rich datasets that, on the surface, appear to contain no common forms of personal information. The CCPA’s definition of deidentified data does not settle this question. The CCPA defines “deidentified” as, “[I]nformation that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.” The “reasonably” language here is sure to be debated, as what is reasonably deidentified to a lawyer looking through a dataset is far different from what is reasonably deidentified to a data scientist familiar with re-identification methods.
The other aforementioned data anonymity and security elements provide the real teeth of the law. Several focus on ensuring that there are robust processes to prevent the data from being reidentified after it is deidentified. Broad language such as “protected from any reidentification attempts” and “business processes that specifically prohibit reidentification” forces businesses to show that they have systems and processes in place so that data scientists keen on linking large datasets do not expose the organization to liability. Data dumps are often done carelessly, combining as much data as possible to spot trends, patterns and anomalies that may prove valuable. General counsels and compliance officers need to become more involved in the process of data analysis to ensure the proper safeguards are in place and adhered to. Because there is no specific standard for deidentified data and security practices, businesses should make every attempt to create these systems in good faith and consistent with the latest data science practices, differential privacy among them.
Finally, the most important compliance check for the “right to delete” is whether your organization is collecting a wide swath of data unrelated to the “business purpose” and context in which the data is collected. The CCPA is littered with context-specific constraints on data use. Because penalties are enforceable on a per-violation basis, casting a wide net and collecting data that cannot be reasonably tied to consumer expectations could expose companies to significant financial liability. As a result, it is wise to review what data is collected, when it is collected and how it is collected (passively or with user input, for example) to ensure that the collection practices are reasonable within the context. Otherwise, prepare your engineers to segment and tag data that may be subject to deletion requests.
Disclaimer: This blog is not intended to provide legal advice or my legal opinion. Any legal references or citations mentioned in these articles may be out-of-date. It is your responsibility to speak with an attorney before relying on any information included in these articles. Should you need a legal opinion on any topic discussed in this blog, please do not hesitate to contact me.