The ‘right to delete’ personal data in the US

Many states across the US have passed new privacy laws enabling consumers to request the deletion of their personal data. These laws will cover millions of businesses.

But after decades of near-zero privacy regulation, are US businesses ready to deal with data deletion requests?

Here’s a look at how the “right to delete” works and how the principles of data minimization and storage limitation can help reduce the associated headaches and resource costs.

A right to be forgotten?

The right to delete personal data is sometimes called the “right to be forgotten”.

This phrase derives from a 2017 EU court case known as “Google Spain”, which confirmed that search engines must erase results that include personal data under certain circumstances. The phrase now features in the EU and UK General Data Protection Regulation (GDPR).

But “the right to be forgotten” is arguably a misleading term, considering what data protection and privacy laws say.

Even in the EU, the “right to erasure” is only granted under certain conditions, namely:

• The personal data is no longer needed for the purpose for it was collected
• The individual consented to the processing of the personal data and has since withdrawn consent
• The individual has raised a valid request under the GDPR’s “right to object”
• The personal data has been processed unlawfully
• There’s a legal obligation to erase the data
• The personal data relates to a child and was collected in connection with an online service

If a person submits a request under the GDPR’s “right to erasure” and is not covered by one of the above conditions, the organization has no obligation to delete their personal data. And even if one of the above conditions does apply, there are exceptions, including:

• Freedom of expression
• Legal compliance
• Public health
• Certain archiving and research purposes
• Establishing or defending legal claims.

As such, the right to delete personal data is not absolute – even in the EU and the UK.

Sweeping new data deletion laws

Strict data protection laws providing a “right to delete” are usually associated with Europe. But in recent years, many states across the US have passed laws requiring businesses to delete consumers’ personal data on request, including:

• California Consumer Privacy Act (CCPA), first passed in 2020 and amended in 2023 by the California Privacy Rights Act (CPRA)
• Virginia Consumer Data Protection Act (VCDPA)
• Colorado Privacy Act (CPA)
• Connecticut Data Privacy Act (CTDPA)
• Utah Consumer Privacy Act (UCPA)

The above list includes only laws currently in effect. In total, at least 13 states have passed laws that include a right for consumers to delete their personal data, most of which will take effect over the next two years.

These laws also bring consumers the right to access a copy of their personal data and (except in Utah) correct inaccurate personal data.

Deletion requests must generally be fulfilled within 45 days. And if a consumer isn’t happy with a company’s response, they can often complain to the relevant state’s Attorney General.

While not every US business will be covered by such a law, it’s clear that thousands of organizations across the US will need to get their data-deletion houses in order.

Exceptions to the right to delete

As under the UK and EU GDPR, there are exceptions to the “right to delete” under these US laws, too.

For example, in Virginia (the state whose privacy law inspired similar bills in many other states), a business does not have to comply with a consumer’s deletion request if the business:

• Cannot reasonably associate the data with the consumer, or it would be “unreasonably burdensome” to do so, and
• Doesn’t use the personal data to recognize or respond to the consumer, or associate it with other personal data about the consumer, and
• Doesn’t sell the personal data or disclose it to any third party (other than its “processors”).

Also, “pseudonymous” data isn’t covered by the right to delete in Virginia, meaning that businesses can apply certain data masking techniques to data and bring it out of the scope of the right to delete.

Data minimization and storage limitation

Despite all these conditions and exceptions, businesses covered by data protection and privacy laws should expect to receive deletion (and access and correction) requests from their customers.

Often, the best response to such a request is, “We don’t have that data”.

Many new US privacy laws, like the EU law that inspired them, limit the amount of personal data that businesses may collect, and sometimes limit how long businesses may store personal data. These principles are known as “data minimization” and “storage limitation”.

Essentially, these principles prohibit you from collecting, using, or storing personal data unless you have a specific reason to do so.

For example, California’s CCPA states that businesses may only collect personal data that is “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed…”

And while the CCPA’s “storage limitation” principle is slightly more nuanced; the upshot is that you should not be storing personal data longer than necessary.

But minimizing the amount of data you collect, and store has benefits beyond legal compliance, including:

• Less work when responding to consumer rights requests
• Decreased risk of data breaches
• Decreased storage costs and environmental impact
• More efficient data management

It’s a good time to map and review all the personal data your business holds, and deleting anything you don’t need.