Ed. Note: This is the ninth installment in a year-long series the WLF Legal Pulse is hosting of “frequently asked questions” on two California laws aimed at protecting the privacy of digital personal data. The author of the posts, David Zetoony of Greenberg Traurig LLP, authored a book on the laws for the American Bar Association from which this and future FAQs are excerpted. We thank the American Bar Association for granting us permission to share them with our readers.

Data privacy has become one of the greatest areas of risk and concern for business. It is also quickly becoming a heavily regulated field with the adoption in Europe of the General Data Protection Regulation (GDPR) in 2016 and the adoption in California of the California Consumer Privacy Act (CCPA) in 2018 and the California Privacy Rights Act (CPRA) in 2020. Some states, such as Colorado and Virginia, have already followed California in enacting data privacy regulation; many others are considering it. The American Bar Association (ABA) recently published a Desk Reference Companion to the CCPA and the CPRA, a book authored by David Zetoony, the Co-Chair of the United States data privacy and security practice at Greenberg Traurig LLP. The book is designed to help in-house counsel understand the intricacies of California’s complex privacy regulations by providing answers to 516 of the most frequently asked questions from business. The following excerpt was reproduced with the permission of the ABA.

****

Question: Do the CCPA and the GDPR have the same exceptions to deletion requests?

No.

The scope of the right to deletion under the CCPA and the right to be forgotten under the European GDPR differ in three important ways.

First, the CCPA states only that a business may have to delete the personal information that it obtained “from” the consumer.1 As a result, if a business obtains information about a consumer from other sources (e.g., data brokers) or develops the information from its own experiences with the consumer (e.g., transactional information), arguably that personal information does not have to be deleted pursuant to a deletion request under the CCPA, but may have to be deleted pursuant to a right to be forgotten request under the European GDPR.

Second, under the CCPA a consumer can request that personal information be deleted regardless of the purpose for which the personal information was originally collected.

In comparison, the GDPR extends the right to be forgotten only if one of the following six conditions is present:

  1. The data is no longer necessary.2
  2. The processing was based solely on consent.3
  3. The processing was based upon the controller’s legitimate interest, but that interest is outweighed by the data subject’s rights.4
  4. The data is being processed unlawfully.5
  5. Erasure is already required by the laws of a European Member State.6
  6. The data was collected from a child as part of offering an information society service.7

Third, the CCPA and the GDPR both contain exceptions to the right of deletion. As the chart below, which summarizes the main exceptions, indicates, while those exceptions are similar, they are not identical:

Notes:

  1. Cal. Civ. Code § 1798.105(a) (West 2021).
  2. GDPR, Article 17(1)(a).
  3. GDPR, Article 17(1)(b).
  4. GDPR, Article 17(1)(c).
  5. GDPR, Article 17(1)(d).
  6. GDPR, Article 17(1)(e).
  7. GDPR, Article 17(1)(f); Article 8(1).
  8. Cal. Civ. Code § 1798.105(d)(1) (West 2021).
  9. GDPR, Article 17(1). Note that while completing a transaction is not considered an exception to the right to be forgotten under the GDPR, the right to be forgotten is not conferred in the first instance where processing is based upon the performance of a contract pursuant to Article 6(1)(b).
  10. Cal. Civ. Code § 1798.105(d)(2).
  11. GDPR, Article 17(1)(c). Note that while detecting wrongdoing is not an explicit exception to the right to be forgotten under the GDPR, controllers often process personal data to detect wrongdoing or illegal conduct pursuant to Article 6(1)(f) (the legitimate interest of the controller). In situations in which processing is based upon Article 6(1)(f), and a deletion request is received, the controller must determine whether their legitimate interest in detecting wrongdoing is an “overriding legitimate grounds” when compared against the data subject’s objection to the ongoing processing.
  12. Cal. Civ. Code § 1798.105(d)(3).
  13. GDPR, Article 17(1)(c). Repairing errors, or debugging a system, is not an explicit exception to the right to be forgotten under the GDPR. To the extent that a controller were to engage in processing for such reasons pursuant to Article 6(1)(f) (the legitimate interest of the controller), the controller would have to determine whether their legitimate interest constituted “overriding legitimate grounds” when compared against the data subject’s request for deletion.
  14. Cal. Civ. Code § 1798.105(d)(4) (West 2021).
  15. GDPR, Article 17(3)(a).
  16. Cal. Civ. Code § 1798.105(d)(4) (West 2021).
  17. GDPR, Article 17(3)(e).
  18. Cal. Civ. Code § 1798.105(d)(6) (West 2021).
  19. GDPR, Article 17(3)(d).
  20. Cal. Civ. Code § 1798.105(d)(7) (West 2021).
  21. Cal. Civ. Code § 1798.105(d)(8) (West 2021).
  22. GDPR, Article 17(3)(b). Note that under the GDPR, the “legal obligation” must be an obligation imposed by the laws of a Member State of the European Union.
  23. GDPR, Article 17(3)(c).