The California Consumer Privacy Act (CCPA) dramatically changed the regulatory landscape for privacy in the United States. Among the CCPA’s many requirements is the right to delete (sometimes called the right of erasure or the right to be forgotten). Businesses must comply with consumers’ right to delete their data.
Deleting Consumers’ Data
According to the CCPA, if a consumer requests that their personal information be deleted, a business must:
- Fully and permanently delete all personal data from its existing systems, except for backup or archival systems
- De-identify any personal information
- Aggregate the consumer information
The CCPA classifies de-identified information as “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.” Therefore, a company must adopt technical protections that prevent consumer re-identification in order to comply with consumers’ right to delete their data.
The following practices can help ensure that consumer data is deleted without friction.
Provide Multiple Request Methods
Businesses must provide consumers with two or more ways to submit requests to delete. The acceptable methods are:
- A toll-free phone number
- An easily accessible link or web form on the business’s website
- A designated email address
- A form to be submitted in person
- A form to be submitted by mail
Validate Requests
When a request is received, the company must verify that the person making the request is the consumer about whom the company holds personal information. Businesses may ask the requester for additional details to verify their identity, provided the business makes clear that it will use this information only for that verification.
Establish Data Deletion Method
To comply with the CCPA, companies should review every part of their data deletion process. It is also a good idea to create a handbook that sets out the approved ways of communicating a deletion request.
Stay Inside the Timeline
Businesses have ten days to acknowledge a request and 45 days to verify it. This period may be extended by a further 45 days where the complexity or volume of requests warrants it. They must also notify the consumer within 45 days of accepting the verified request.
Constant and Clear Communication
Companies must stay in regular contact with the consumer throughout the process: acknowledging receipt of the request, confirming what action will be taken, and informing the consumer when the request has been completed. Companies must also inform any third parties that may be affected by the deletion.
Conclusion
Manually enforcing the right to delete can cost organizations a great deal of time and money, especially those with complicated or outdated systems. There is also the risk of noncompliance through human error. Therefore, many businesses opt for automated solutions and techniques such as pseudonymization and de-identification to improve compliance.