The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation ("GDPR").
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
Q. If a company receives a right to be forgotten request, is it required to delete records that show whether an individual opted-in or opted-out from marketing?
Pursuant to the CCPA, when a business receives a verified consumer request to delete personal information it generally should "delete the consumer's personal information from its records and direct any service providers to delete the consumer's personal information from their records." [1] The "right to be forgotten," however, is not an absolute right. The CCPA includes more than nine exceptions under which a business can refuse a deletion request. [2] Of those exceptions, four may apply to data evidencing a consumer's opt-in or opt-out preferences:
- Internal uses of the business. The CCPA states that a business is not required to delete personal information if it is necessary for "solely internal uses" that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business. [3] Businesses often maintain documentation of opt-in and opt-out preferences / consents for the following internal uses which, arguably, should be expected by a reasonable consumer: auditing, record keeping, and defending against allegations that the business's marketing activities did, or did not, align with the consumer's preferences at any specific point in time. As a result, businesses have a strong argument that they are not required to delete documentation of marketing opt-ins or opt-outs, as that information is needed for internal use.
- Complying with legal obligations. The CCPA states that a business is not required to delete personal information if the information is necessary for the business to comply "with a legal obligation." [4] For example, the rules implementing the Telephone Consumer Protection Act ("TCPA") state that a business may not initiate a telemarketing message to a residential telephone subscriber unless the business "has instituted procedures for maintaining a list of persons who request not to receive telemarketing calls made by or on behalf of that person or entity." [5] The business is required to "maintain a record of a consumer's request not to receive" telemarketing for a minimum of five years from "the time the request is made." [6] As a result, businesses have a strong argument that they are not required to delete documentation of marketing opt-ins or opt-outs to the extent that a statute or regulation mandates that such information be kept.
- Uses compatible with the context of collection. The CCPA states that a business is not required to delete personal information if the information is necessary for a "use" that is "internal" and that "is compatible with the context in which the consumer provided the information." [7] In situations in which consent is required in order to transmit marketing (e.g., text message marketing), but there may not be an express legal mandate that a business maintain the consent for a certain duration of time, a business would be justified in retaining those records as evidence that historical marketing communications were sent with the consent of the individual. Such retention and use would be compatible with the context in which the consumer provided the information (e.g., to obtain marketing), and may be needed as part of ongoing auditing and compliance review. It is worth noting that this exception may justify retention of the records beyond the limitations period within which an action could be brought, to the extent that the company's auditing and compliance review has a greater time horizon.
- Exercise or defend legal claims. The CCPA provides an exemption from any of its provisions (including the obligation to delete personal information) if the information is needed to "[e]xercise or defend legal claims." [8] In situations in which consent is required in order to transmit marketing (e.g., text message marketing), and where there may not be an express legal mandate that the business maintain documentation of the consent for a certain duration, a business would be justified in retaining those records in order to defend itself against the possible claim that marketing communications had been sent absent consent. This exception would justify retention of the records for at least the limitations period.
In comparison to the CCPA, the European GDPR states that a company does not have to honor a request to be forgotten if the processing is necessary for "compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject." [9] Many companies assume that they can use this exception if they are required by United States law to retain data. Unfortunately, the Article 29 Working Party, the organization that preceded the European Data Protection Board, has implied that United States law cannot justify ongoing processing. In guidance issued under the Privacy Directive, which predated the GDPR, the Article 29 Working Party stated:
It is . . . important to emphasise that Article 7(c) [Article 6(1)(c) under the GDPR] refers to the laws of the European Union or of a Member State [of the European Union]. Obligations under the laws of third countries (such as, for example, the obligation to set up whistleblowing schemes under the Sarbanes-Oxley Act of 2002 in the United States) are not covered by this ground. To be valid, a legal obligation of a third country would need to be officially recognized and integrated in the legal order of the Member State concerned, for instance under the form of an international agreement. [10]
According to the Article 29 Working Party, when a foreign law (e.g., a law of the United States) requires the processing of information, an organization should base that processing upon Article 6(1)(f), which requires the organization to balance whether its legitimate interests in complying with the foreign law outweigh the interests of the data subject. [11]
In situations in which processing is based upon Article 6(1)(f), and a company receives a right to be forgotten request, the GDPR functionally treats the right to be forgotten request as an objection to ongoing processing that is based upon the legitimate interest of the controller. [12] When such an objection is received, the controller is obligated to determine whether there are "overriding legitimate grounds" for the processing to continue. [13] In essence, the organization is required to conduct a balancing test to determine whether it can "demonstrat[e] compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject." [14]
In the context of a United States marketing law that requires an organization to maintain data, the balancing test envisioned by the GDPR will presumably come out in favor of the organization (i.e., it will permit the organization to retain the data over the data subject's objection). Similarly, in the context of a United States marketing law that requires opt-in consent, but does not expressly mandate that the consent be maintained as a record, the balancing test will also typically come out in favor of the organization.