Ed. Note: This is the tenth installment in a year-long series the WLF Legal Pulse is hosting of “frequently asked questions” on two California laws aimed at protecting the privacy of digital personal data. The author of the posts, David Zetoony of Greenberg Traurig LLP, authored a book on the laws for the American Bar Association from which this and future FAQs are excerpted. We thank the American Bar Association for granting us permission to share them with our readers.
Data privacy has become one of the greatest areas of risk and concern for business. It is also quickly becoming a heavily regulated field with the adoption in Europe of the General Data Protection Regulation (GDPR) in 2016 and the adoption in California of the California Consumer Privacy Act (CCPA) in 2018 and the California Privacy Rights Act (CPRA) in 2020. Some states, such as Colorado and Virginia, have already followed California in enacting data privacy regulation; many others are considering it. The American Bar Association (ABA) recently published a Desk Reference Companion to the CCPA and the CPRA, a book authored by David Zetoony, the Co-Chair of the United States data privacy and security practice at Greenberg Traurig LLP. The book is designed to help in-house counsel understand the intricacies of California’s complex privacy regulations by providing answers to 516 of the most frequently asked questions from businesses. The following excerpt was reproduced with the permission of the ABA.
What do most businesses include in a deletion request policy or procedure?
Although the regulations implementing the CCPA require that a business document its methodology for verifying individuals that submit deletion requests, the CCPA does not mandate that companies create a formal written policy or procedure for processing deletion requests. That said, some companies—particularly those that receive high volumes of such requests—choose to create such a policy.
If a business chooses to create an internal policy or procedure for handling deletion requests, it should consider including the following four topics within the document:
- Data subject verification. Before taking any action, a company should verify that the individual who submitted a deletion request is the same individual who submitted personal information to the business. How a business verifies a requestor’s identity often depends upon what type of personal information the company maintains about the consumer and, therefore, what types of personal information might be leveraged as a verification mechanism. For example, if the company has an individual’s email address and telephone number, it might consider verifying that the requestor is that individual by sending them an email and/or placing an outbound telephone call to them.
- Communicating with consumers. A business is required to respond to individuals that submit deletion requests. Cal. Code Regs. tit. 11, § 999.313(a) (2021). In order to promote consistency, and to facilitate a timely response, some businesses may choose to include template communications within their internal policies or procedures.
- Evaluating the deletion request. The right to deletion is not absolute. Some businesses choose to include, within their internal deletion policies, a discussion of when the right does, and does not, have to be granted.
- Destroying personal information. Once a business has verified the identity of the requestor and determined that the deletion request should be granted, it must erase or deidentify the consumer’s personal information. Some businesses choose to include within their internal policies instructions on what technical steps should be taken to do so.