What Data is Exempt from Deletion under the CCPA?
The CCPA paints with broad strokes in defining “personal information” and “consumer,” which means that the consumer personal information access, deletion, and opt out rights afforded by the CCPA can have a deep impact on regulated businesses. However, there are some CCPA deletion exemptions and exceptions built into the law that, if they function as intended, will help businesses find the balance between consumer privacy and being able to gather and use the data they need for both business and compliance purposes.
Several of those exemptions in the CCPA are based on other regulations; for example, data already regulated by the Gramm-Leach-Bliley Act (GLBA) is not subject to the CCPA. However, some of the exceptions are more generally applicable and, absent further direction from the California Attorney General, open to interpretation. The exceptions apply to: completing transactions; upholding legal obligations; maintaining security and existing functionality; protecting free speech; conducting research; and allowing for internal, expected, and lawful uses.
To Complete Transactions
In CCPA 1798.105(d)(1), it states that businesses and service providers do not have to comply with consumer deletion requests if they need to maintain the information in order to “complete the transaction for which the personal information was collected [or] provide a good or service requested by the consumer.” This ensures that the information you rely on to perform direct business activities does not have to be deleted pursuant to a California consumer’s deletion request. If a customer has signed up for monthly deliveries of vitamins or weekly prepared meals, your organization has a statutorily-protected reason for not deleting the personal information you collected in order to provide those goods—names, credit card numbers, shipping and billing addresses, email addresses, preferences, and other account information will be required to continue fulfilling your end of the transaction.
The final piece of section (d)(1) also exempts personal information “reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or [that is needed to] otherwise perform a contract between the business and the consumer.” If, for example, a consumer signed up or entered into a contract for a one-time delivery of goods or services with some sort of guarantee or service policy attached, your organization could make the argument that the consumer not only reasonably anticipated that you would maintain their information related to the purchase but that your organization could only fulfill your end of the ongoing agreement by maintaining certain information.
Your organization should also review records retention laws that apply to your business or industry. CCPA 1798.105(d)(8) establishes that personal information a business has to keep to satisfy a legal obligation is not subject to a consumer deletion requests. This makes an updated records retention policy extremely valuable when you are in the process of becoming CCPA compliant. (See this post on retention policies.)
For example, auto dealers are statutorily required to maintain records of tire purchases for three years. The Home Mortgage Disclosure Act requires a three-year retention period for information regarding race, national origin, and gender of loan applicants. OSHA requires that drug testing records be kept for one year after the test is administered (as currently written, the CCPA applies to employment records; if AB 25 is passed, it will remove employment records from regulation by the CCPA). Federal law also requires telecommunications carriers to retain personal information (name, address, phone number of the caller, number called, date, time, and length of the call) related to toll calls for eighteen months.
Additionally, notice of litigation is also considered a legal obligation that imposes a freeze on record destruction/deletion that is related to the litigation. Your company should ensure that a check for litigation is run before deleting any information pursuant to a consumer request.
In addition to federal records retention requirements, states often have their own records retention or other legal requirements that impact an organization’s legal ability to comply with a deletion request. The CCPA specifically instructs organizations not to delete consumer personal information if it is necessary to maintain that information pursuant to California’s Electronic Communications Privacy Act, which imposes warrant and other requirements on government entities seeking metadata in non-emergency situations (CCPA 1798.105(d)(5)). If a business received a deletion request from an individual about whom it also receives an information request from the government via a warrant or other legally sufficient request, the business does not have to delete the information and instead should comply with the warrant.
Legal obligations in California and other applicable jurisdictions must be considered before deleting information pursuant to a CCPA consumer request. Becoming conversant with those obligations will allow your organization to set in place appropriate rules regarding when to honor a consumer deletion request and when to deny one based on a legal obligation.
Security and Existing Functionality
There is also a data deletion exemption for information retained in order to “detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or [to] prosecute those responsible for that activity” and in order to debug and repair errors that impair existing (not new) functionality (CCPA 1798.105(d)(2)).
The essential security function this protects is an organization’s ability to keep and maintain server logs and other records that are necessary to detect and prevent security breaches. For organizations that operate physical facilities, this exception could also be applied to records of people physically entering or exiting a building or a specific part of a building. Some privacy experts have indicated the exception could also be used to enable an organization to maintain records stored by facial recognition software.
Server logs and other records can also be used to identify and fix errors in programs. The exception only applies to information maintained to identify and repair existing bugs, not to information used to create new functions for the software. However, nothing is said about information that can fulfill a dual role—as long as it is necessary for debugging, the CCPA would not, as currently written, prevent a company from also using the undeleted personal information to create new functionalities.
In Europe, the ‘right to be forgotten’ requires search engines like Google to remove certain results from search requests. A European who was arrested for a crime and then released, for example, might request that Google not direct people searching his name to old news reports of his arrest. Taking a different approach to tensions between privacy and speech, the CCPA protects data against deletion in order to allow the exercise of free speech, ensure the rights of other consumers to exercise free speech, or allow the “exercise of another right provided for by law.”
While many privacy advocates have encouraged states or the federal government to adopt the ‘right to be forgotten’ or broader deletion rights, there are concerns that such deletion could infringe on other fundamental rights. Clearly, California’s legislature is signaling that deletion of personal information is secondary to free speech when it weighs those rights against one another. Freedom of the press is likely to qualify as another “right provided for by law” that would negate a deletion request from a consumer under the CCPA.
Personal information that is collected and maintained for peer-reviewed, scientific, historical, or statistical research, in compliance with the relevant ethics and privacy laws, is also exempted from CCPA deletion requests. The research must be in the public interest to qualify, and even then, the personal information is only exempted from deletion if such deletion would seriously impair the research and the consumer provided informed consent.
The purpose of this exemption is most clearly applicable in the medical context; however, SB 1121 (passed in August 2018) clarified that the CCPA does not apply to information collected as part of a clinical trial. Therefore, this exemption likely remains particularly important only for that medical research not somehow included in the clinical trials covered by SB 1121.
Internal, Expected, and Lawful Uses
Finally, businesses are exempted from honoring deletion requests in order to “enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business” (1798.105(d)(7)) This exemption is commonly referred to as the “legitimate interests” exemption and is in many ways mirrored by 1798.105(d)(9), which, until there is guidance from either the Attorney General or a court, appears to cover the same types of uses as subsection (d)(7). Subsection (d)(9) allows for exemption from deletion for other internal uses that are lawful and compatible with the context in which the consumer provided the information.
It has been argued that this exemption may essentially nullify the rule, enabling businesses to find ways to avoid deleting consumer information. Some expect this exemption to change the deletion rule into more of a use limitation rule. If this prediction bears fruit, instead of deleting data, companies may simply limit the ways in which they use it. For example, a business that collects information for one purpose, such as in the context of joining a rewards program, may continue to send those rewards emails and therefore maintain the consumer data for that solely internal purpose even after receiving a deletion request. However, using the information for a different purpose, such as sending a newsletter, would arguably fall outside of the context of the original collection and be an example of a use limitation on the personal information.
At first blush, the CCPA may appear to require the wholesale deletion of California consumer personal information based on a consumer request. However, the nuances of the exemptions are something each business subject to the CCPA should examine closely in light of its own practices of information collection, storage, sharing, and use.
The California Consumer Privacy Act of 2018 is one of the most important privacy laws in the history of the United States. It will affect more businesses in a more profound way than any proceeding privacy statute. Companies should start preparing early to meet the requirements of the new law.
To learn more about how SixFifty can help your company expedite CCPA compliance, visit https://www.sixfifty.com/products/ccpa. To see a helpful timeline for bringing your business into compliance, click here.
DISCLAIMER: This publication has been prepared by SixFifty, LLC to provide information of interest to our readers regarding the California Consumer Privacy Act. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. SixFifty, LLC does not provide legal advice.