
When honoring a right to be forgotten request, does a business have to delete information from its backup systems?

Jul 10, 2020

Not immediately, but yes.

The CCPA does not distinguish or make allowances for backup and other less accessible systems when determining the scope of a business’s obligation to delete the personal information of a consumer when it receives a valid request for deletion.  The CCPA states that “[a] business that receives a verifiable consumer request from a consumer to delete the consumer’s personal information pursuant to subdivision (a) of this section shall delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.”1  That said, final regulations promulgated by the Attorney General indicate that the obligation to delete such information from backup systems is not immediate.  The Regulations state that “[I]f a business stores any personal information on archived or backup systems, it may delay compliance with the consumer’s request to delete, with respect to data stored on the archived or backup system, until the archived or backup system relating to that data is restored to an active system or next accessed or used for a sale, disclosure, or commercial purpose.”2

The likely intent of this provision is to allow a business to delay the deletion of records from a backup system until it is accessed for another, separate purpose.  The CCPA defines “commercial purpose” to mean a purpose which “advance[s] a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction.”3

Thus, the intent of the Regulation likely is to allow businesses to implement valid deletion requests on backup or other archived systems only when those systems are accessed for a regular business purpose. As a consequence, a business has no obligation to delete personal information from a backup system immediately when the requests are validated and executed on normal operational systems.

For more information and resources about the CCPA visit http://www.CCPA-info.com.


This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide.

1. CCPA, Section 1798.105(c).

2. CCPA, Regulation 999.313(d)(3).

3. CCPA, Section 1798.140(f).


This material is not comprehensive, is for informational purposes only, and is not legal advice. Your use or receipt of this material does not create an attorney-client relationship between us. If you require legal advice, you should consult an attorney regarding your particular circumstances. The choice of a lawyer is an important decision and should not be based solely upon advertisements. This material may be “Attorney Advertising” under the ethics and professional rules of certain jurisdictions. For advertising purposes, St. Louis, Missouri, is designated BCLP’s principal office and Kathrine Dixon (kathrine.dixon@bclplaw.com) as the responsible attorney.