CCPA Exceptions For Data Subject Requests
The California Consumer Privacy Act is the most critical privacy law enacted in the U.S. to date. Considering the CCPA’s aim to grant consumers extensive rights to access and delete data, it may seem that the only correct response to a verified request would be the immediate deletion of all personal data, or instantly dishing out the data requested. However, exceptions to the CCPA offer nuances that each business should examine carefully before complying with such requests.
When are consumer requests exempt from the CCPA?
Businesses need to strike a balance between honoring consumer privacy and functioning with the data they need to run as a business. Several deletion exceptions have been implemented to the CCPA to achieve this. Other exceptions exist from previously existing regulations, such as data already regulated by the Gramm-Leach-Bliley Act (GLBA). When a business invokes an exception, they are obligated to tell the consumer why they have denied the request.
The CCPA’s Global Exceptions
If any of the following criteria apply, businesses will not be obligated to comply with the CCPA:
The company cannot verify the individual’s identity.
The individual is not a California resident.
The request is unfounded or excessive (including by being repetitive: defined as more than twice per year). In this case, businesses may either deny the claim or require a fee for handling the request.
The request would restrict the business’s ability to collect, use, retain, sell, or disclose consumer information that is de-identified or aggregated consumer information.
The request would adversely affect the rights and freedoms of others.
Compliance with the request would restrict the business’s ability to (i) comply with the law and or legal process (e.g., subpoenas/regulatory inquiries), (ii) cooperate with law enforcement concerning conduct the business reasonably and in good faith believes violates the law, or (iii) exercise or defend legal claims.
The request would force the business to violate a evidentiary privilege under California law.
The business does not collect the personal information that is the subject of the request.
The personal information collected, processed, sold, or disclosed is according to the federal Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations, and if honoring the request conflicts with that law.
The personal information collected, processed, sold, or disclosed under the Driver’s Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.), and if honoring the request conflicts with that act.
The CCPA’s Deletion Specific Exceptions
The main deletion exceptions relate to consumer deletion requests about data needed to: complete transactions; fulfill legal obligations; maintain security and functionality; ensure free speech; enact research; or continue internal or lawful uses.
CCPA 1798.105(d)(1) exempts personal information that is “reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or [that is needed to] otherwise perform a contract between the business and the consumer.” It also states that businesses and service providers are not required to comply with consumer deletion requests if the data is needed to “complete the transaction for which the personal information collected [or] provide a good or service requested by the consumer,” meaning information for direct business activities is protected despite a California consumer’s deletion request. For example, if a customer has signed up for a weekly delivery of groceries, the organization is exempt from deleting the personal information they collect to provide the goods—names, credit card numbers, shipping and billing addresses, email addresses, preferences, and other account information that is necessary to complete the transaction.
Security and Functionality
CCPA 1798.105(d)(2) mandates that information retained to “detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or [to] prosecute those responsible for that activity” is not subject to deletion requests. The same goes for information used for debugging or repairing errors in existing functionality. Maintaining server logs is an essential step in fixing errors or removing bugs from programs that are necessary to prevent security breaches. However, as the CCPA currently states, this clause would not allow companies to use undeleted information that is necessary for debugging for new purposes.
CCPA 1798.105(d)(8) states that personal information that a business needs to satisfy a legal obligation is not subject to consumer deletion requests. Companies should review the records retention laws that apply to their business or industry, and update their records retention policy—a valuable asset to companies that are becoming CCPA compliant. Notice of litigation is also considered a legal obligation whereby record deletion should not be carried out upon request. Therefore, businesses should run a check for prosecution before any deletion request. Also, different states often have their own record retention requirements or previous legal requirements that impose on a business’s ability to honor a deletion request. For example, any information that is under California’s Electronic Communications Privacy Act and warrants requirements for government entities seeking metadata should surpass a consumer request.
The CCPA ensures the right of free speech of the requesting consumer and of other consumers. It also allows for the “exercise of another right provided for by law.” The European Court of Justice ruled in favor of Google by limiting the “right to be forgotten” to E.U. member states. Despite the encouragement from privacy advocates to introduce an adoption of the “right to be forgotten” to the CCPA, concerns over the infringement on other fundamental rights, such as free speech and freedom of the press, halted its inclusion.
Public or Peer-reviewed Research
Scientific, peer-reviewed, historical, or statistical research that collects and maintains personal information and are compliant with the relevant privacy laws and ethics are also exempt from CCPA deletion requests. The exception only qualifies if the consumer provided informed consent, the research is in the public interest, and if the deletion request would severely hinder the investigation. Furthermore, SB 1121, clarifies that in medical research, information collected as part of a clinical trial is exempt from CCPA deletion requests.
CCPA 1798.105(d)(7) states the exception to deletion requests about information used to “enable solely internal uses that reasonably align with the expectations of the consumer based on the consumer’s relationship with the business.” Thus, information that is compatible with the context in which the consumer provided it is exempt from CCPA deletion requests. The law also states that if it is necessary for the business to “otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information,” the business can deny the deletion request. Some argue these exceptions effectively render the rule invalid, allowing businesses to create workarounds to keep consumer information. Meaning that instead of deleting data, companies may limit the ways in which they use it. For example, if a company collects an email address for a rewards program, they may decide to carry on sending the reward emails before the deletion request. If they were then to use that information for a new purpose outside of the context of the original collection, such as sending a newsletter, that would fall under the scope of the CCPA and would become a use limitation and therefore require opt-in consent from the consumer.
The CCPA’s Specific Information Request Exceptions
In some instances, businesses should never disclose specific personal information:
The request creates a robust, articulable, and unreasonable risk to the security of that personal information, the consumer’s account with the business, or the safety of the business’s systems or networks.
The request is for a consumer’s: Social Security number; driver’s license number or other government-issued identification number; financial account number; any health insurance or medical identification number; an account password; or security questions and answers.
Note: If a business denies a consumer’s verified request to know specific pieces of personal information—in whole or in part—because of a conflict with federal or state law, or an exception to the CCPA, the business shall inform the requester and explain the basis for the denial. If the request is denied only in part, the company shall disclose the other information sought by the consumer.
Datawallet helps you get compliant with powerful out-of-the box tools in a matter of minutes. We’ve got you covered with our intuitive Data Subject Request web form and DSR-handling workflows, our automated data-exploration and mapping tool, and our Consent Management Platform. If you want to jump right in, start your free trial of our easy-to-use compliance platform here.
Need something tailormade for your organization? Contact us at firstname.lastname@example.orgConsumer PrivacyIndustry Trends CCPA Regulatory Updates