CCPA Compliance and the ‘Right to Be Forgotten’

The United States’ landmark privacy measure is finally coming to fruition. After years of buildup, infighting, and the threat of more stringent amendments and ballot initiatives, California’s Legislature is prepared to introduce its consumer data protection regulation into law.

The California Consumer Privacy Act (CCPA) doesn’t go into effect until Jan. 1, 2020, but organizations that operate within California or collect the data of its citizens need to be prepared before these new regulations before the year is up. California long has been the leader in the United States for legislation addressing the security of personal information and the protection of data privacy, but the statute’s local impact is only the beginning. With the world’s fifth-largest economy and more than 39 million residents, California has significant influence that far exceeds its border. Because of this, the CCPA—much like the European Union’s General Data Protection Regulation—is likely to affect entities and organizations around the world.

In addition, countries all over the globe are implementing their own forms of similar privacy laws, from the aforementioned General Data Protection Regulation (GDPR) in the EU to regulations recently enacted or under consideration in China, Brazil, India, and more. The common thread among these laws is recognition of the fact that individuals want greater ownership of their personal information, as well as stricter requirements for organizations who are collecting and processing personal information. These two ideas are driving the expansion of privacy rights and regulations worldwide.

In an effort to grant individuals greater control over their personal information, the CCPA includes a measure called the “right to be forgotten.” This measure—which also is present in the GDPR and Brazil’s recently passed data protection law, the Lei Geral de Proteção de Dados (LGPD)—grants individuals specific rights when it comes to how their personal information is used. Under the CCPA, these rights allow consumers to request that an organization delete any information it possesses about those individuals. Unless the consumer data in the possession of that organization is being processed due to a compelling legal or business interest, the organization is required by law to comply with consumer requests to delete the data in question.

However, in some instances, organizations would be able to decline the request. The CCPA outlines nine possible exceptions to the requirement, such as compliance with a legal obligation, that qualify as a compelling legal or business interest. This leaves significant room for interpretation, which could lead to disputes concerning an organization’s right to ignore a request by an individual to have its data deleted. To prepare for the potential of these contested requests, now is the time to determine if your organization has the right policies, procedures, and technologies in place to respond to these deletion requests. If not, you need to move quickly to ensure these considerations are sufficiently addressed.

Prepare your organization for CCPA compliance by downloading our “CCPA Compliance Guide” ebook today.

CCPA Compliance: Meeting a Request of the “Right to be Forgotten”

In the event that your business receives a request from a customer to have that individual’s personal information deleted, it’s essential for your organization to know ahead of time how it will act in order to comply with the given 45-day window to respond. Because the process for satisfying the right to be forgotten is largely the same for both the GDPR and CCPA , if you have already taken steps to comply with the right to be forgotten under the GDPR, you should be well-positioned to comply with the CCPA’s version. If you’re not in scope for the GDPR or haven’t yet started to address how your business will respond to individual rights requests, compliance will be a little bit more difficult. However, all is not lost—you can still take advantage of the experience of the many other organizations that have completed the compliance process before you.

Mapping Data for CCPA Personal Data

Accurate data inventories and data maps are essential in order for organizations to comply with all individual data rights requests—including the CCPA’s right to be forgotten, in particular. If you don’t know where an individual’s data resides in your organization or what systems process the data, you simply cannot be sure you have successfully met your obligation to delete the data. Additionally, you will not be able to anticipate how the associated systems will respond once that data is deleted. Accurate data inventories and maps also allow you to pseudonymize personal information, a data protection technique specifically mentioned in both the CCPA and GDPR for meeting many of their requirements.

Pseudonymization for CCPA Privacy

Pseudonymization—the process of replacing sensitive data with a pseudonym—is synonymous with tokenization, a method of replacing sensitive data with a placeholder token. Tokenization is a mature technology that has been used to protect payment card information (PCI) and other cardholder data (CHD) for many years, and it’s now beginning to be used to secure and desensitize data within the privacy space. Similar to how it is used to protect CHD in payments applications, it can be used to de-identify personal information, rendering sensitive data unreadable without additional information and thereby reducing your organization’s risk of suffering data theft in the event of a data breach. In this specific use case, pseudonymization of personal information using tokenization has particular benefits when it comes to the right to be forgotten.

Although successfully deleting an individual’s personal information in an organization’s live systems is not an arduous task—assuming the organization is in possession of updated data maps and clearly defined operational procedures—it is often another thing altogether to delete that data from backup media. This is because it requires the same data-mapping process previously undertaken for the active systems in an organization’s data environment.

Deleting the information from backups is important for two reasons. First, it obviously complies with the request for data to be deleted. Second, it successfully prevents organizations from inadvertently restoring someone’s deleted information from a backup.

Tokenization for CCPA Compliance

If you have tokenized the identifying elements of an individual’s personal data, complying with the right to be forgotten is as simple as deleting the mapping between the token and the corresponding data. Once that deletion is completed, all that is left in your organization’s backup systems are a set of nonsensitive tokens that can no longer be used to identify an individual by combining them with additional information. As a result, you will have met your compliance obligation for the right to be forgotten across the entirety of your organization’s systems.

Additionally, tokenization offers unmatched security and risk reduction with its ability to virtually eliminate the risk of data theft. Because tokenization replaces the sensitive data in your systems with nonsensitive placeholders, it prevents the exposure of sensitive data in the event of a data breach. To learn more about tokenization and how it can help satisfy many industry and international privacy regulations, visit our PII compliance solutions page.

John Noltensmeyer, CIPP/E/US, CIPM, CIPT, CISSP, ISA is the Head of Product for TokenEx. TokenEx is the industry leader for cloud-based tokenization, encryption, and data vaulting for international compliance. Follow us on Twitter and LinkedIn.