The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted and plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding its requirements, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation ("GDPR").
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
Q. What do most companies include in a CCPA right to be forgotten policy or procedure?
While the CCPA does not mandate that companies create a written policy or procedure for processing a right to be forgotten request, some companies – particularly those that receive high volumes of such requests – choose to create such a policy.
If a company chooses to create an internal policy or procedure for handling right to be forgotten requests, it typically addresses the following four topics within the policy:
- Data subject verification. Before taking any action, a company should verify that the individual who submitted the right to be forgotten request is the same individual whose data has been asked to be deleted. How a company verifies a requestor’s identity often depends upon what type of data the company maintains about the individual and might be able to leverage as a verification mechanism. For example, if the company has an individual’s email address and telephone number, it might consider verifying that a requestor is the individual by sending them an email and/or placing an outbound telephone call to them.
- Communicating with consumers. A business is required to respond to a requestor. In order to promote consistency, and to facilitate a timely response, some businesses may choose to include template communications within an internal policy or procedure.
- Evaluating the erasure request. The right to be forgotten is not an absolute right. Some companies choose to include a discussion of when the right does, and does not, have to be granted within their internal policy or procedure.
- Executing an erasure. If a company is able to verify the identity of a requestor, and if a company determines that the right to be forgotten request should be granted, some companies choose to include instructions within their internal policies or procedures concerning what technical steps should be taken in order to erase an individual’s information.
For multinational companies, the components of their internal policy or procedure for handling a right to be forgotten request under the CCPA largely track the components that they have in place for handling a similar request under the GDPR.