The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
Q. If controller A forwards a right to be forgotten request to controller B, does controller B have to delete information
When a company receives a right to be forgotten request, and determines that it is required to delete information about an individual, the GDPR requires that the company “take reasonable steps” to “inform [other] controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.” It is unclear based upon the text of the GDPR whether this requirement requires controller A to notify the controller B that the data subject has requested erasure by the controller A, or whether the requirement requires controller A to notify controller B that the data subject has requested erasure by controller A and B. While the European Data Protection Board (and its predecessor, the Article 29 Working Party) has not interpreted this requirement, some supervisory authorities have implied that the first interpretation may be correct. For example, the United Kingdom’s ICO has summarized the requirement as follows:
If you have disclosed the personal data to others, you must [after receiving and honoring a right to be forgotten request] contact each recipient and inform them of the erasure, unless this proves impossible or involves disproportionate effort.”
The use of the past tense – inform them of the erasure –implies that the requirement is to convey to controller B the action taken by controller A; it is not necessarily to convey to controller B that they have been requested to delete information.
Interpreting Article 17 as only requiring that a controller notify other controllers of an erasure decision and not requiring that one controller instruct a second controller to erase personal data as well, ultimately protects the data subject. For example if a data subject provided his information to one controller (e.g., a travel agent) to book a hotel reservation and that controller provided the information to a second controller (e.g., a hotel) to effectuate the booking, it would be illogical to assume that if the data subject made a request for the travel agent to forget his information the data subject also intended the hotel to forget his information. Indeed, were the travel agent to honor the request for deletion and then forward an instruction for deletion to the hotel, and if the hotel decided to honor the deletion request by either cancelling the reservation and removing the data subject from its loyalty program, the data subject would likely be surprised, inconvenienced, and possibly suffer the loss of their account value.
The question becomes then if controller A informs controller B that it has received a deletion request from a data subject, what action (if any) should controller B take? The answer may depend upon context. If no other information is conveyed to the controller B, that controller should arguably take no action. Specifically, while controller B might consider reaching out to the data subject to inquire whether he or she would like to extend the deletion request to controller B, the act of using the personal data to communicate with the data subject would constitute a form of processing for which controller B may not have a clear permissible purpose. In addition, if controller B does not have reliable contact information the attempt to communicate with the data subject could itself raise a potential risk that the communication (and any inference that the communication may have concerning the relationship of the controller B to the data subject) might be received by someone other than the data subject. If, on the other hand, the controller A expressly states that the data subject has requested that recipients of the information (i.e., controller B) delete the data, then controller B may (assuming that it has reliable contact information) consider reaching out to the data subject to verify the request and independently verify the identity of the data subject.