CCPA 12-Month Compliance Series Part 6: Retaining and Deleting Data

The CCPA grants consumers the right to request deletion of any personal information which a business has collected from the consumer. Cal. Civ. Code § 1798.105. It also requires a business to fulfill deletion requests, and to direct service providers to do the same, within 45 days of receiving a "verified" or "verifiable" request from the consumer. Cal. Civ. Code § 1798.140(y). The CCPA's deletion right can be exercised for almost any reason, subject to several exceptions. Specifically, a business is not required to comply with a consumer deletion request if the business needs the personal information to do any of the following:

• Complete the transaction for which it was collected, provide goods or services requested by the consumer or reasonably anticipated within the context of the relationship with the consumer, or perform the contract between the business and the consumer;
• Detect security incidents and protect against malicious, fraudulent, or illegal activity;
• Debug to identify and repair errors that impair existing intended functionality;
• Exercise free speech or another legal right, or ensure the right of another to exercise free speech;
• Engage in scientific, historical, or statistical research in the public interest;
• Use internally in a way that is "reasonably aligned" with the expectations of the consumer "based on the consumer's relationship with the business," or otherwise use in a manner "that is compatible with the context in which the consumer provided the information;" and
• Comply with a legal obligation or applicable laws.