California passed the California Consumer Privacy Act (CCPA) to protect its residents against dishonest businesses that sell sensitive and private data about consumers to make a profit. The act ensures that those living in California know what companies intend to do with their data. It also gives consumers in California several rights, including the right to the deletion of their personal information.
As a business owner, you need to understand all the CCPA compliance requirements to avoid incurring fines and other penalties. This article looks at the right to request the deletion of personal data and considers when amendments to the CCPA become effective.
What’s Right To Deletion Under CCPA?
Under the CCPA, the right to deletion gives a consumer the right to request the deletion of whatever personal information you have collected about them. Once the consumer makes a verified request to delete their data, you are legally obligated to clear their personal information from all your data stores. But you need to know what personal information is under CCPA.
The CCPA defines personal information as any information that identifies or describes consumers. Personal information could relate to, associate with, or reasonably link to a consumer. This type of information includes personal details such as a consumer’s contact details, social security number, credit card number, residential address, age, education, gender, etc.
Upon receiving this request, your organization has a specified amount of time to comply. So, you have to verify the request and fulfill it as soon as possible. The right to deletion also mandates that you direct all your service providers acting on your company’s behalf to remove consumer data identified in a request from their databases.
California has made several amendments to the CCPA to include some exceptions and other rights. Some of these amendments will become operational in the next few months. So, it’s essential to know when the amendments to the CCPA become effective.
Verifying Eligibility Of A Deletion Request
First, understand that the CCPA applies to all profit-making organizations that do business with the residents of California. These organizations need to meet one or more of the following criteria:
Have an annual gross revenue of $25 million or more.
Collect personal data of 50,000 consumers or more.
Make 50 percent or more of their annual revenue from selling personal data about consumers.
Verifying the request means checking if the CCPA applies to your organization and ensuring that the request is authentic. It’s only after verification that you can determine if you need to honor or can deny the request. Either way, the consumer expects you to respond to their request promptly.
Timelines For CCPA Compliance
Upon receiving a deletion request from a consumer, your organization has fourty-five days to respond. However, this can be extended depending on the request size and complexity.
If the requests prove to be too large and complex to complete within forty-five days, you must inform the consumer of the anticipated delay before the end of that deadline. If you aren’t obligated under CCPA to honor the request, you must also notify the consumer of your decision within the time period and provide them with concrete reasons for declining their request.
The CCPA offers several instances when you can decline the request to delete personal data. In some cases, you will need to delete certain parts of the consumer’s data. For instance, if you find it necessary to retain the consumer’s data for one or more of the following reasons:
Medical studies and research
Provision of services cannot occur without the consumer’s data
Consumer’s online account is under investigation by police
In brief, the CCPA gives consumers residing in California the right to request that organizations delete their personal information. Your organization has fourty-five days to either honor or decline the request to delete upon verification.