Handling "Right to Deletion" Requests: A Practical Guide to California Privacy Rules

For any business operating online today, navigating the complex web of state privacy laws can be daunting, and the enforcement actions of the California Privacy Protection Agency show that compliance with California privacy regulations is no longer optional. Among the various consumer rights established by California law, the right to deletion is one of the most common and operationally challenging for website owners. A consumer can request that you erase their personal information, and you are required to respond. But are you required to delete their information? This guide provides a clear, step-by-step look at how to handle these requests based on California's requirements.

What is the "Right to Deletion"?

Under California law, consumers have several fundamental rights regarding their personal data, including the right to know what information is collected, the right to correct it, and the right to opt out of its sale or sharing. The right to deletion is a key part of these protections, allowing a consumer to request that a business delete the personal information it has collected from them. Fulfilling this right correctly hinges on one critical, detailed process: identity verification.

Step-by-Step: What Do I Need to Do with a Deletion Request?

While the full lifecycle of a deletion request involves multiple steps, one of the most regulated and crucial phases is the verification of the identity of the person making the request. California law is very specific about this process to prevent fraud and protect consumer data.

Step 1: Understand the Verification Requirement

For any request to delete, your business is required to have a documented and reasonable method for verifying that the person making the request is the consumer whose data you possess. The regulations state you "shall generally avoid requesting additional information from the consumer for purposes of verification." This is one of the issues that Honda had in a settlement from earlier this year. The CPPA found that Honda violated the regulations by "requiring Californians to verify themselves and provide excessive personal information to exercise certain privacy rights". Nor can you charge a fee for this verification process.

Step 2: Determine the Correct Standard of Certainty

The depth of your verification process depends on the type of data being deleted. This risk-based approach is a core concept in California privacy compliance.

  • Reasonable Certainty: This standard applies to less sensitive information where an unauthorized deletion would not cause significant harm to the consumer. This might involve matching at least two data points provided by the consumer with information you already have. Examples include deleting a user's browsing history or correcting their marital status.

  • Reasonably High Certainty: This stricter standard is required when the personal information is sensitive and its unauthorized deletion could cause significant harm. This could involve matching at least three data points and requiring a signed declaration under penalty of perjury from the consumer. Examples include deleting family photos or changing account contact information.

Step 3: Manage Verification Information Carefully

The basic guideline is to minimize the consumer data you hold. Therefore, when the consumer has a password-protected account, you should use your existing login process, but you must require the user to re-authenticate before deleting their data. You should not ask for new personal information if you can verify identity using data you already have. If you must collect new information for verification, you are required to delete it as soon as practical after processing the request. Additionally, you should avoid collecting highly sensitive data for verification, such as Social Security numbers or driver's license numbers, unless absolutely necessary.

Step 4: Handle a Failed Verification

If you cannot verify the requestor's identity to the required degree of certainty, you may deny the right to deletion request. However, you must inform the person that you could not verify their identity and are therefore denying the request. If your business has no reasonable way to verify requests, you must state and explain this in your privacy policy.

Key Takeaways for Website Owners

Handling a right to deletion request properly comes down to having a well-defined process. Here are the key takeaways:

  1. Have a Documented Process: California law requires you to establish, document, and follow a reasonable method for verifying deletion requests. A clear internal procedure is the first and most important step.

  2. Match the Verification Level to the Risk: The sensitivity of the data determines the verification standard you must use. For example, deleting browsing history requires less stringent verification than deleting family photos.

  3. Don't Make Verification a Hurdle: Your process should be reasonable. Avoid asking for more information than is necessary and never charge a fee for verification.

  4. Be Transparent When You Deny: If you cannot verify someone's identity, you must inform them that you are denying their request for that reason. Transparency is critical, even when you cannot fulfill the request.

As data privacy continues to evolve, respecting consumer rights is not just a legal requirement but a crucial part of building customer trust. Understanding and implementing the verification procedures for the right to deletion is a foundational element of maintaining compliance with California’s robust privacy rules.
