California's Online Erasure Law, CCPA, and GDPR Right to be Forgotten
The primary expectation of individuals in every country where data privacy laws exist, is the right to access their data and, where required, have that data corrected or even erased entirely.
For some, the reason for having their personal data erased is so that the individual can exercise their right to be forgotten.
The EU's General Data Protection Regulation (GDPR) has been around now for more than fifteen months, so you might expect most people to be familiar with European residents’ right to be forgotten.
However, the same cannot be said about California's 2005 Online Erasure Law, which at that time, was widely touted as the “Right To Be Forgotten Lite” since it allowed minors to “erase” their personal information online.
In this article we examine how California’s original Online Erasure law was updated for inclusion in the California Consumer Privacy Act (CCPA) - and how the sunshine state’s law compares to the GDPR's right to be forgotten.
From Humbler Beginnings
The right to be forgotten was founded upon a commonly held belief, that individuals should have autonomous control over their online presence without being labelled or identified based on what they may, or may not have done in the past.
This right had its foundational beginnings in Article 12 of the Data Protection Directive on the protection of individuals with regard to the processing of personal data where a data subject’s right to request and obtain access to personal data and object to its processing were first recognized.
It quickly became a hot topic, not only for news agencies around the globe, but also for U.S. businesses that processed the personal data of private individuals residing in European countries.
Widespread concern erupted among U.S. companies in 2014, when the European Court of Justice (ECJ) took up the case of Google vs. Costeja, which originated from Spanish newspaper La Vanguardia, following its publication of announcements in 1998 concerning the forced sale of properties arising from social security debts, which were eventually put online.
One of the property owners, Mario Costeja Gonzalez, lodged an official complaint in 2009 against Google and La Vanguardia, arguing that the forced sale had been several years ago and as such, was no longer relevant, therefore justifying the removal of the data and links. The Court rejected the complaint against La Vanguardia, but upheld the complaint against Google Spain. Consequently Google ended up in the ECJ.
The ruling of the ECJ was that upon the data subject’s request, a search engine company must eliminate from the results of a search, the person's name and any existing links that were no longer relevant. This right was duly codified as Article 17, “The Right to Erasure,” of the GDPR.
This landmark ruling affected countless numbers of businesses covered by the EU privacy law.
Today, the CCPA grants consumers the right to request the deletion of their personal information. Following SB 1121 this right can be disclosed to consumers in a “form that is reasonably accessible”, whereas prior to SB 1121, the right was required to be disclosed in a privacy notice on a company’s website.
Just like the GDPR, the CCPA’s right to deletion has certain limitations. And since the CCPA was modeled on the GDPR, many of the GDPR’s limitations are echoed in the California law, and include various grounds on which a covered company can lawfully refuse a deletion request.
Such limitations occur when the information is:
needed to complete the transaction for which it was collected or is needed to provide goods or services requested by the consumer
Used in the context of the business relationship with the consumer
Required to perform a contract
Used to detect security incidents and protect against malicious, fraudulent or illegal activity
Needed to engage in scientific, historical, or statistical research in the public interest
Used solely for internal uses that are reasonably aligned with the expectations of the consumer
Required to comply with a legal obligation or applicable laws
Also included in the CCPA is the exemption for requests that could interfere with a right to “exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.” This “First Amendment exception” is not always present in other data protection laws. Although, something similar did occur in the Google vs. Costeja case, in which the ECJ finally ruled that while it recognized the right to be forgotten, it did not apply to Costeja, simply because the articles were “in the public interest”, and therefore did not have to be removed.
In the United States, the First Amendment and a legacy of protecting speech is placed above all other privacy related interests, this exception may be interpreted broadly.
How the GDPR deals with the right to be forgotten
Under the EU’s right to be forgotten - and carried forward into the GDPR - any individual residing in the European Union, irrespective of their age, can request a company to disclose whether it is processing personal data concerning them and, if so, the company must provide a copy of the personal data.
Furthermore, the data subject then has the right to object to the processing of their personal data, or request that their data be erased entirely. It is important to note that this not only includes data posted directly by the individual, but any personal data that concerns that individual.
This means a data subject can request the removal of any third-party information if such information concerns them. But, requesting removal does not mean automatic deletion unless the lawful basis for the processing of such data is consent. Instead, the data controller will consider its legitimate interest or the public’s interest in accessing the information, compared to the data subject’s fundamental right to privacy.
This is assuming the lawful basis for processing is either legitimate interest for the controller or public interest.
If the scales tip in favor of the data subject, then the individual’s data must be removed.
When we compare the two laws side-by-side, it is quite apparent that the original California Online Erasure law did not provide individuals with the right to be forgotten. In fact, many would legitimately argue that the California legislature completely failed in its objective to provide minors with online protections.
At best, the only thing legislators achieved was in codifying the right to a ‘delete’ button for minors. At worst, they succeeded in the enactment of a law that was nothing more than a string of smoke and mirrors that merely provided the illusion of protection for California minors.
So, does the CCPA provide Californian consumers with a right to be forgotten?
…in a word, No.
While the CCPA succeeds in expanding the number of its residents who may request that their information be forgotten, as well as the number of businesses that must comply with such requests, there continue to be other privacy laws – both in the U.S. and in Europe – that do confer a right to be forgotten.
While most privacy laws in the United States do not include a right to be forgotten, the Children’s Online Privacy Protection Act (COPPA) does have an analogous provision. COPPA regulates the online collection of information from minors who are under the age of 13. In keeping with the rules implementing COPPA, parents and guardians have a right to review “or have deleted the child’s personal information.” 16 C.F.R. § 312.4(d)(3).
The right to be forgotten has existed for more than 20 years in the European Union. This right first appeared in Europe’s Privacy Directive which was adopted in 1995, and was carried over into the GDPR.
This can be described as follows:
GDPR - ARTICLE 17:
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies… Article 17(1).
CCPA - SECTION 1798.105(a)
A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.
NOTE: This document is provided for informational purposes only and does not constitute legal or professional advice. The Data Privacy Group recommends that businesses engage the services of an experience data privacy practitioner and/or data privacy attorney when preparing for compliance with any data protection and privacy legislation.