Current through Register 2024 Notice Reg. No. 45, November 8, 2024
Section 7022 - Requests to Delete(a) For requests to delete, if a business cannot verify the identity of the requestor pursuant to the regulations set forth in Article 5, the business may deny the request to delete. The business shall inform the requestor that their identity cannot be verified.(b) A business shall comply with a consumer's request to delete their personal information by: (1) Permanently and completely erasing the personal information from its existing systems except archived or backup systems, deidentifying the personal information, or aggregating the consumer information;(2) Notifying the business's service providers or contractors of the need to delete from their records the consumer's personal information that they collected pursuant to their written contract with the business, or if enabled to do so by the service provider or contractor, the business shall delete the personal information that the service provider or contractor collected pursuant to their written contract with the business; and(3) Notifying all third parties to whom the business has sold or shared the personal information of the need to delete the consumer's personal information unless this proves impossible or involves disproportionate effort. If a business claims that notifying some or all third parties would be impossible or would involve disproportionate effort, the business shall provide the consumer a detailed explanation that includes enough facts to give a consumer a meaningful understanding as to why the business cannot notify all third parties. The business shall not simply state that notifying all third parties is impossible or would require disproportionate effort.(c) A service provider or contractor shall, with respect to personal information that they collected pursuant to their written contract with the business and upon notification by the business, cooperate with the business in responding to a request to delete by doing all of the following:(1) Permanently and completely erasing the personal information from its existing systems except archived or backup systems, deidentifying the personal information, aggregating the consumer information, or enabling the business to do so.(2) To the extent that an exception applies to the deletion of personal information, deleting or enabling the business to delete the consumer's personal information that is not subject to the exception and refraining from using the consumer's personal information retained for any purpose other than the purpose provided for by that exception.(3) Notifying any of its own service providers or contractors of the need to delete from their records in the same manner the consumer's personal information that they collected pursuant to their written contract with the service provider or contractor.(4) Notifying any other service providers, contractors, or third parties that may have accessed personal information from or through the service provider or contractor, unless the information was accessed at the direction of the business, of the need to delete the consumer's personal information unless this proves impossible or involves disproportionate effort.(d) If a business, service provider, or contractor stores any personal information on archived or backup systems, it may delay compliance with the consumer's request to delete, with respect to data stored on the archived or backup system, until the archived or backup system relating to that data is restored to an active system or is next accessed or used for a sale, disclosure, or commercial purpose.(e) In responding to a request to delete, a business shall inform the consumer whether it has complied with the consumer's request. The business shall also inform the consumer that it will maintain a record of the request as required by section 7101, subsection (a). A business, service provider, contractor, or third party may retain a record of the request for the purpose of ensuring that the consumer's personal information remains deleted from its records.(f) In cases where a business denies a consumer's request to delete in whole or in part, the business shall do all of the following: (1) Provide to the consumer a detailed explanation of the basis for the denial, including any conflict with federal or state law, exception to the CCPA, or factual basis for contending that compliance would be impossible or involve disproportionate effort, unless prohibited from doing so by law.(2) Delete the consumer's personal information that is not subject to the exception.(3) Not use the consumer's personal information retained for any other purpose than provided for by that exception; and(4) Instruct its service providers and contractors to delete the consumer's personal information that is not subject to the exception and to not use the consumer's personal information retained for any purpose other than the purpose provided for by that exception.(g) If a business that denies a consumer's request to delete sells or shares personal information and the consumer has not already made a request to opt-out of sale/sharing, the business shall ask the consumer if they would like to opt-out of the sale or sharing of their personal information and shall include either the contents of, or a link to, the Notice of Right to Opt-out of Sale/Sharing in accordance with section 7013.(h) In responding to a request to delete, a business may present the consumer with the choice to delete select portions of their personal information as long as a single option to delete all personal information is also offered. A business that provides consumers the ability to delete select categories of personal information in other contexts (e.g., purchase history, browsing history, voice recordings), however, must inform consumers of their ability to do so and direct them to how they can do so. For example, a business may provide the consumer with a link to a support page or other resource that explains consumers' data deletion options.Cal. Code Regs. Tit. 11, § 7022
1. Change without regulatory effect renumbering section 999.313, subsections (d)-(d)(8) to new section 7022, including new section heading, amendment of section and new NOTE, filed 5-5-2022 pursuant to section 100, title 1, California Code of Regulations (Register 2022, No. 18).
2. Amendment of section and NOTE filed 3-29-2023; operative 3-29-2023 pursuant to Government Code section 11343.4(b)(3) (Register 2023, No. 13). Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.105, 1798.130 and 1798.185, Civil Code.
1. Change without regulatory effect renumbering section 999.313, subsections (d)-(d)(8) to new section 7022, including new section heading, amendment of section and new Note, filed 5-5-2022 pursuant to section 100, title 1, California Code of Regulations (Register 2022, No. 18).
2. Amendment of section and NOTE filed 3-29-2023; operative 3/29/2023 pursuant to Government Code section 11343.4(b)(3) (Register 2023, No. 13).