The CCPA gives a California’s consumer the right to request a business that is subject to CCPA to delete any personal information about the consumer which the business has collected from the consumer. However, this right of deletion has a list of exceptions. A business does not have to comply with a deletion request if it is necessary for the business to keep the consumer’s personal information to, among others:
- complete the transaction for which the personal information was collected
- provide a good or service requested by the consumer,
- perform a contract between the business and the consumer.
- detect security incidents or protect against fraudulent or illegal activity
- debug to identify and repair errors
- exercise free speech,
- comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6
- engage in public or statistical research
- for internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
- comply with a legal obligation.
- for internal uses done in a lawful manner that is compatible with the context in which the consumer provided the information.
Make sure you document the reason you retain California consumer’s information after the request of deletion is accepted and honored.