Since 2018, the General Data Protection Regulation (GDPR) has had a significant impact on privacy practices across the globe. Aside from offering strong protection for the personal data of European Union citizens, GDPR has brought about many changes in the way companies conduct business when EU data is part of the equation. Likewise, it has become the gold standard and a model for privacy legislation in many jurisdictions within the United States, as well as around the world. Among many others, one right afforded to individuals under GDPR is the right to request deletion of one’s personal data held by an organization, or, as it is more colloquially known, the right to be forgotten. As data privacy laws continue to gain a greater foothold in the U.S.[1], the rights of U.S.-based individuals (a/k/a data subjects), including employees in some cases, are now coming into focus, including the right to have personal information deleted[2].

How the Right to Deletion Works

The right to deletion is exercised through the mechanism of a Data Subject Access Request, or DSAR. Although each state’s privacy law has its own specific requirements on how to handle DSARs, including mandated response times and verification of the data subject’s identity, a company subject to such laws should also have a set and verifiable method for responding to DSARs, and this method should be set out in the company’s privacy policy. In fact, many privacy vendors offer products which allow for the automation of DSARs.

Scope of the Right to Deletion

As in the popular limbo game, the key question for organizations is “how low can you go?” In other words, when a company receives a DSAR, how far back into its data records and archives must the company search? Does a company need to pass the request on to other companies which may have received the data from it? What is the scope of this right?

The answer is that the right to deletion is not absolute. For example, under GDPR, exceptions to the right to delete include when data is being used for the following purposes:

Likewise, under current U.S. state laws, the right to delete is subject to similar types of exceptions, including, but not limited to, the following:

Shared Data is also Subject to DSARs

The party collecting the data and receiving the DSAR must also inform any parties with whom it may have shared the data and require them to delete the data as well. For instance, if a company has shared data with its affiliates, business partners, ad networks or any number of other third parties, these partners will have similar downstream obligations to delete, subject to the exceptions.

Examples of Data Request Responses

Some requests are easy to respond to, such as requests to delete:

However, other requests are not so straightforward. For example, if data is held in the records of a company’s product and is needed to evidence compliance, must it be deleted upon request? What if the data is part of the product delivered on a SaaS platform? What if the data is located in an email? In these situations, any number of exceptions may apply, making deletion unnecessary.

Establishment of a Privacy Program is Crucial

The ability to respond to a DSAR presumes that a company already has a data privacy program in place which enables the tracking or mapping of its data. In fact, the practice of data mapping, or conducting a data inventory, is a critical building block for privacy law compliance. Other key components of an effective privacy program include sound data security practices, frameworks and standards, as well as a transparent privacy policy and data deletion rules. Together, these elements play an important role in a company’s ability to respond to requests from data subjects and inquiries from regulators.

Conclusion

As digital business practices continue to reshape commerce, it is important to understand applicable privacy laws and the obligations they impose on your business, including the need to respond to requests for deletion. The attorneys at Outside GC have experience in this area and can assist with the establishment or improvement of your company’s privacy program, as well as with how you handle DSARs and the thorny landscape of the right to be forgotten. For more help, please contact Lori Ross at [email protected].

[1] As of now, California, Virginia, Connecticut, Colorado and Utah have enacted newly enhanced privacy laws: the California Consumer Privacy Act of 2018 (CCPA); the California Privacy Rights Act of 2020 (CPRA) and the Virginia Consumer Data Protection Act (VACDPA), which both go into effect on January 1, 2023; and finally, Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring (CTPA), Colorado’s Privacy Act (COPA) and Utah’s Consumer Privacy Act (UCPA), which are in the queue. Nevada also has similar requirements.

[2] Other rights granted to data subjects include the right to access information, the right to know how the information was shared, and the right to correct any erroneous information.

Lori Ross is a Partner on Outside GC’s California-based team. Lori has over 25 years of legal experience and focuses her practice on advising new and emerging technology, manufacturing and media companies. She regularly handles a wide range of commercial and privacy-related issues, including SaaS and IaaS matters. Lori holds the International Association of Privacy Professionals (IAPP) designations in U.S. and European privacy law, CIPP/US and CIPP/E, and she is also an IAPP Certified Information Privacy Manager (CIPM).

This publication should not be construed as legal advice or a legal opinion on any specific facts or circumstances, nor as an offer to represent you. It is not intended to create, and receipt does not constitute, an attorney-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal questions you may have. Pursuant to applicable rules of professional conduct, portions of this publication may constitute Attorney Advertising.