Sometimes, depending on the service provider’s agreement with the business.
A consumer may incorrectly direct a deletion request to a service provider rather than to the business for which the service provider processes personal information.
If a service provider receives such a deletion request and decides, on its own accord, whether to honor it, that action could result in the service provider losing its legal status as a “service provider” under the CCPA. Specifically, the CCPA mandates that a service provider be contractually prohibited from “retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by [the CCPA].” Deleting a consumer’s personal information absent the direction of a business could be considered a “use” of personal information for a purpose outside of performing the services for the business. It should be noted that in some situations, however, a business may provide a service provider with specific instructions concerning how it should handle deletion requests that it receives. For example, some businesses may instruct their service providers to always honor and respond to such requests. In those situations, a service provider’s destruction of the information at the behest of a business would be consistent with its contractual obligations.
Although not currently required to do so, the current draft of the CCPA’s proposed regulations requires a service provider to direct a requestor to the applicable business.
For more information and resources about the CCPA visit http://www.CCPA-info.com.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
[View source.]
