Understanding CPRA Right to Deletion: A Guide for Businesses
The CPRA right to deletion is a right that has many business owners scratching their heads. Some are trying to figure out what it means while others want to know how to comply with it completely.
Luckily, this article will cover the CPRA right to deletion in detail, including who can exercise this right, who is exempt, and more.
Let's dive right in.
What is the CPRA?
The CPRA is a state-wide data privacy bill that builds upon the rights created by the California Consumer Privacy Act (CCPA). The CPRA was passed through a popular vote in November 2020 but became fully effective on January 1, 2023.
CPRA enforcement began on July 1st, 2023 and is enforced by the California Privacy Protection Agency, which will investigate violations made.
Below are consumer rights as enshrined in the CPRA:
- Right to deletion: The right to deletion gives consumers control over their data. It enables consumers to demand that businesses delete all the information they may have about them.
- Right to know: This right enables consumers to request a business to provide personal information they may have about them.
- Right of minors: Guardians are required to give opt-in consent if children's personal information is being collected. Guardians can also request a business to delete the data.
- Right to opt-out: Consumers have a right to instruct businesses not to sell their personal information to third parties.
- Right to data portability: This right enables consumers to access their personal information. The information must be provided in a portable and usable format.
- Right to data minimization and limitation: Businesses should not store sensitive consumer data longer than is reasonably necessary. If the data is not required, it must be deleted.
- Right to limit the use of personal information: This right requires consumers to agree that their geo-location data {Wifi and GPS} be used to identify their location. Consumers can later demand that the data be deleted.
CPRA Right to Deletion in Detail
According to the CPRA right to deletion, consumers can request businesses to delete any personal information they may have about them. According to section 1798.130, businesses that collect consumers' personal information must inform consumers that their data is being collected.
In addition, they must notify consumers that they have a right to delete their personal information.
A consumer must make a verifiable CPRA data deletion request for the data to be deleted.
Shawn Loveland, COO of Resecurity states:
"Businesses are obligated to erase any personal information they have collected about the consumer from their records, and they must also direct any service providers or contractors to do the same."
This California privacy law states that the data must be deleted within 45 days once a verifiable request is made. However, a business can request a 45-day extension with a valid reason.
This can, however, be done once, and the consumer must be notified within the first 45 days.
Though not mandatory, businesses are advised to maintain a confidential record of deletion requests. This ensures that the personal information of the consumer who made the request is not sold. Businesses that fail to comply with the CPRA’s right to deletion will incur fines.
Who Can Request the Right to Deletion?
Under CPRA regulations, the right of deletion is requested by a consumer. A consumer is any natural person who is a legal resident of California.
The term consumer also applies to California residents temporarily living outside California. Businesses and corporate entities are not regarded as consumers.
In addition, non-California residents are also not regarded as consumers. This means that they do not qualify for privacy rights and protection under the CPRA.
The right to deletion applies to the following entities:
- Minors
- Consumers
Exemptions to the Right to Deletion
Consumers have a right to demand that a business delete their data. However, some CPRA exemptions make this impossible.
CPRA exemptions are specific circumstances or situations in which businesses may not be able to fulfill a consumer's request to have their data deleted.
Shawn Loveland says:
"These exceptions include but are not limited to situations like completing transactions, detecting security incidents, complying with legal obligations, conducting research in the public interest, among others."
These circumstances have been put in place to balance the need for data privacy with other external factors of equal importance. So how does this work?
First, the consumer needs to make a formal CPRA request to delete. After the request is made, the business will review and either accept or reject the submission.
When a CPRA deletion request is rejected, the business identifies specific exemptions and communicates to the requester. If the consumers are unhappy with the decision, they can seek legal recourse by filing a complaint with the California Privacy Protection Agency.
Below are some reasons businesses can be exempt from this right:
- Federal and State Laws: Businesses may be exempt if they are required to comply with state and federal laws. This can be in the form of either a subpoena or a court order. It can also include requests from law enforcement agencies as they may have an active investigation.
- To cooperate with government agencies: Government agencies can request a consumer's personal information to be stored if the person is in danger of death or injury. However, this request is only valid if a high-ranking agency officer approves it and is made in good faith.
- Research and public interest: Exceptions apply if the data held by a business is used for research purposes or in the interest of the public.
- Clinical data: Clinical data is exempt from the right to deletion and studies conducted under Common Rule.
- Data on creditworthiness and standing: The rule does not apply to financial information that involves a consumer's creditworthiness, capacity, or standing. However, this only applies if the data is subject to the Fair Credit Reporting Act.
- Not sure if a CPRA exemption applies to your business? Find out over a complimentary consultation.
Your Obligations Under CPRA’s Right to Deletion
Businesses collecting data on California residents should develop a CPRA compliance checklist. The checklist should include important elements of the California Privacy Rights Act. You should strategically position yourself in a way that makes it easy to respond to a CPRA data deletion request.
One of the easiest things to implement is an identification system. For example, if a business sends messages to consumers, the system must be able to identify them. The consumers must be recognized based on their name and email address. This way, it becomes easy to delete the information.
Tracking can become challenging if data is transferred to a downstream system {other servers}. To solve this problem, you should have the option of pseudonymizing or tokenizing data. This way, if a request to delete is made, tracking the consumer’s data becomes uncomplicated.
If you fail to follow CPRA regulations, you risk being fined by the California Privacy Protection Agency. A business can be fined up to 7,500 dollars for each intentional violation.
CPRA regulations should be considered as an opportunity rather than an obligation. It is an opportunity for you to build your brand by showing that the business cares about the rights of its consumers. As consumers learn about their rights, businesses demonstrating a commitment to privacy and data protection will attract more customers in the long run.
So, what are some of the obligations of businesses under the CPRA right to deletion?
Having a Deletion Policy
You are required by law to have a deletion policy. The policy should outline the procedures to be followed when dealing with a consumer’s request for deletion. It must include guidelines on how to process the request, verify the customer, and delete the data.
Responding to Deletion Requests
Businesses must respond to deletion requests promptly and verify the requester's identity. This should be done within 45 days. Once verification is complete, you must permanently delete the requester's personal information.
Inform Third Parties
If you have shared data with third parties, you are legally obligated to inform the parties of the deletion request. In addition, you must record the data shared with third parties and follow up to ensure it's deleted.
Train Staff and Raise Awareness
According to the CPRA, you must train your staff to handle deletion requests. The staff should also be readied to comply with privacy regulations and foster a culture of respecting consumer data.
Privacy Policy
The CPRA requires businesses collecting personal data to have a privacy policy. The privacy policy must include several things, such as an explanation of the type of personal data collected and how it will be used. Businesses must also ensure the privacy policy has a new category known as sensitive personal information. Sensitive personal information includes:
- Personal data such as race/ethnicity, genetics, religion, and union membership
- Data on sexual orientation
- Health data
- Data of government-issued identification numbers such as social security numbers
- Financial account information
- Biometric data
A privacy policy should enable consumers to limit how their information is collected and shared. Businesses are required to have a link, “Limit the Use of My Sensitive Personal Information.” Once the link is clicked, consumers can decide how businesses use their data.
For example, consumers can opt out of targeted advertising based on shared personal information. The link also makes it possible for consumers to restrict the sharing of personal data with third parties.
The policy must also include appropriate steps that need to be taken to correct erroneous data. One of the things that can be done is to provide a toll-free number and an email address. Once the right to correct personal information is invoked, businesses must correct the information within 45 days.
A good privacy policy must also describe how the right to deletion can be applied. The policy must clearly and concisely explain the right to deletion and how a consumer can invoke it. The policy should outline the steps and procedures a consumer should follow and how the business will verify the requester.
- Not sure how to comply with these obligations? Get in touch with us today for a complimentary consultation.
Submitting Deletion Requests
Consumers who want to submit a deletion request should read the business's privacy policy. The policy will have information on how to submit a deletion request.
In most cases, the business will either provide an email or a toll-free number. Most online businesses will have an online data deletion request form.
The data deletion request form will ask the consumer to provide details such as name, contact information, and the personal information they want to be deleted. After submitting the request form, the business must confirm receipt within ten days. It will then investigate whether the request falls within the CPRA.
The business might contact the consumer for additional information for verification purposes. The consumer might be required to provide their government-issued identification or any other relevant document to help with the verification process.
If the request is granted, the data must be deleted within 45 days. If the request is rejected, the consumer should receive an explanation.
Consumers should avoid submitting fraudulent and fake requests, which can result in legal lawsuits. Also, it is unethical, and it delays the processing of valid claims, affecting the legitimacy of the entire deletion process.
Responding to Deletion Requests
CPRA requires that a business provides at least two methods of submitting CPRA deletion requests. One of these methods must be a toll-free number.
However, if the business is exclusively online, it must provide an email address. After a CPRA deletion request is made, a confirmation receipt must be sent within ten days.
So, how should businesses respond to deletion requests??
- Verify the Requester: The businesses must verify the requester's identity after receiving the Cpra right to be forgotten. If their identity can't be verified, the request should be rejected. Verification is done to ensure that the right to deletion is not abused.
- Align the Request With CPRA Laws: Before deleting the data, businesses have a right to determine if it falls within the scope of CPRA’s right to deletion.
- Follow Up with Third Parties: If the personal information has been shared with third parties, the business must inform them of the deletion request. Also, it must follow up to know if the data was deleted.
- Delete the Data: Personal information should be deleted within 45 days. If this is impossible, a business can ask for a 45-day extension. However, this can only be done once.
Ensuring Compliance with the CPRA Right to Deletion
There are several things that a business needs to do to comply with CPRA regulations. One is to notify the consumer of its intent to collect personal information. The intent must be presented in an easy-to-understand format.
If a consumer makes a verifiable request to know, businesses have 45 days to provide the information. This can be extended for another 45 days under exceptional circumstances.
When a consumer submits a verifiable right-to-deletion request, the data must be deleted within 45 days. An extension can be made under exceptional circumstances. The deletion must be permanent and irreversible. This must include information stored in a backup server and sold to third parties.
What steps can a business take to ensure compliance with the right to deletion?
- Update privacy policies to align with CPRA regulations
- Establish clear deletion policies and procedures
- Set up a robust internal data handling protocol
- Develop an effective verification process
- Maintain a record of third parties
- Train your staff on how to handle sensitive personal information
- Document and maintain compliance records
FAQs
What is CPRA?
CPRA is a data privacy bill California residents passed in a 2020 general election. The bill became active on January 1, 2023, and enforcement will begin on July 1, 2023.
When Did CPRA Take Effect?
CPRA was passed in 2020 but became active on January 1st, 2023.
What is the Right to Have Your Information Deleted?
The right to have your information deleted is a privacy right that allows consumers to request businesses to delete sensitive personal information they may have about them. Once a right to deletion is made, a business must delete the data within 45 days.
Why is the CPRA Important?
CPRA is crucial because it advances the policy rights of consumers. The act is also important because it enhances data protection practices and promotes accountability. It does this through an enforcement body known as the California Privacy Protection Agency.
How Long Should a Deletion Request Take?
A deletion request should take 45 days. However, it can take 90 days if there is a 45-day extension.
Can You Force a Company to Delete Your Data?
No, you cannot force a business to delete your data because the right to deletion is not absolute. This right is subject to certain exceptions. For example, a business may reject the request if it cannot verify the requester.
How Can Captain Compliance Help?
Captain Compliance works with businesses by assessing their current privacy practices and aligning the business with relevant privacy regulations.
Captain Compliance can help you with data subject requests like deletion requests and access requests so you can focus on what you do best.