For delete requests, the CCPA gives you wide latitude to deny a request if you need the data to comply with laws, to identify errors, to maintain security, to provide services to the consumer, or for reasonably anticipated internal uses, such as financial reporting or product improvement.
If you deny a delete request because you need the data for one or more of these purposes, inform the consumer about those purposes and then, going forward, use the data only for those purposes. IF YOU DENY A DELETE REQUEST AND YOU ALSO SELL DATA, OFFER TO OPT THE CONSUMER OUT OF SALES AND LINK TO YOUR OPT OUT PROCEDURES. For data you must delete, you can (1) delete it, (2) render it anonymous or “de-identified” by removing the information associated with the consumer, or (3) aggregate it with other data so that it is not capable of being associated with the consumer. There is no need to tell consumers which method you used. For your computer backups, you can delay deleting them until the next time you access them. Finally, inform consumers that you’ll maintain a record of their delete request.
For opt out of sale requests, wait at least 12 months before you ask a consumer to opt into sales again. However, if the consumer requests a transaction or service that requires opting in, you can request an opt in at that time. When you receive a request to opt out of sales, take action on a go-forward basis; there is no need to inform third parties you may have sold the information to previously. However, once you receive the opt out request, if you sell any information to a third party before you process the request, you do need to instruct that third party not to further sell that consumer’s information.
Whenever a consumer opts in to the sale of their personal information, use a two-step opt-in process where the consumer first makes a clear request to opt in by any available method and then separately confirms their request, for example by filling out a web form and then clicking a link in a resulting email.