How to Delete Consumer Data Under the CCPA Guidelines
Deletion requests have become serious business, with regulations now requiring companies to delete their customers' personal data upon request. According to the CCPA and the CPRA (coming into effect in 2023), companies will have to be able to demonstrate that they've indeed acted upon a consumer's request to handle their data.
Disclaimer: the following guide is not to be used for any legal purposes and was not created by legal professionals.
What originally started in California (the CCPA) has now been implemented in Virginia, Colorado, and other states in the United States are gaining traction.
Although deletion requests can be a hurdle for businesses, it is not one that cannot be efficiently overcome by putting in motion organizational procedures.
<hl>Here’s how to delete consumer data under CCPA guidelines:<hl>
Step 1: Recognize Removal Requests
Build a central form or repository for the acceptance of erasure requests. This could be a webpage with an online form or a dedicated privacy platform in which you can ask for additional information about the request that would later help you identify and locate the consumer's data. Having a centralized hub containing all the privacy requests will minimize the risk of losing track and making human errors. In addition, different people within your organization will be able to do their part in the process without having to wait for a team member to complete its role.
Step 2: Erasure Requests Training for Employees
In a perfect world, all of the captured data would occupy one long list. However, user data is usually collected and then stored across multiple databases and systems. Personnel in charge of data aggregation and request processing need clear indications and instructions on where to look for the complete data inventory and how to make sure they delete their users' data from all sources.
Step 3: Prepare a Draft Response
Once a right to be forgotten request comes in, the company needs to confirm receipt of a data request within ten days. A standard template response via email or SMS message can be sent to put the requestor's mind at ease.
Step 4: Verify Identity and Validate the Request
Take the following into account when verifying user requests:
- Verify that the person requesting is the customer.
- Match the information the business has about the user with the data the customer provides.
- If the requestor has a password-protected account, the business can use two-factor authentication to verify the identity.
- The company needs to verify the requestor's identity by law to a 'reasonable degree of certainty.'
- The business needs to let the user know if it doesn't have any methods to verify its identity.
- Verification by someone on behalf of the user may entail written and signed permissions.
- Do not charge the requester fees for any verification.
Step 5: Legal Expectations
Personal Identifiable Information (PII) deletion is not black and white. Those handling the process or the data itself are obligated to understand the CCPA guidelines and its intricacies to, for instance, honor customer-merchant warranties, satisfy other regulations, or even the ability to maintain the business's online community. Companies can even deny some requests for data deletion. <hl>Legal experts should get involved and evaluate each case's complexity as it comes in<hl>.
Step 6: Locate Data
Businesses need to search their system directories and leverage integrated identity management services to find the user data for deletion. If organizations have multiple unconnected systems in place, all need to be explored separately.
Step 7: Full Erasure Implication
The repercussion of personal identity data deletion is the incapability to identify the user in the future. The requestor's identity cannot be retrieved, and all references to the user must be eliminated. This could be important to note to the user.
Step 8: Data Erasure
Data deletion can be done manually, with off-the-shelf automation, or by utilizing <nofollow>automated erasure tools<nofollow>. It's crucial to read the fine print to understand what each service implies. Often, overlaps and additional behind-the-scenes actions may have companies reconsider which method is right for them.
Step 9: Deletion Notification
Once personal data has been deleted, per the user's request, the business must, by law, send out a written notification confirming that the data has been deleted.
<hl>Here is a confirmation example:<hl>
"Dear Jane,
We would like to inform you that per your erasure request of personal data on June 10th, 2020, we hereby confirm that your request has been carried out, and we have deleted the concerned data. "
Sincerely, Business 2.0"
Step 10: Notify Third-Party Data Processors
Third parties, those of which have been provided personal customer information by the business, need to be involved and notified in the data deletion requests.
Notification should include:
- The requestor's name, address, contact number, and email.
- Validation and identity of the person requesting on behalf of the data subject.
- Reason for data deletion request.
- The specific data that is requested to be erased.
- A signed and dated statement by the requested.
Step 11: Log Customer Removals
Once the user data request process has been set in motion, businesses need to keep track of the steps taken and log all customer removals.
Streamlining the Process: Fulfilling Deletion Requests with MineOS
MineOS help businesses validate and fulfill user deletion requests fast and automatically. Our clients save time and avoid human error costs by automating their workflow and streamlining privacy requests from different databases.
The MineOS platform includes: automated responses, smart rules, user identification evidence, data integrations, data mapping, a privacy center, and more, so give it a try today to help your request handling.