Can A Business Deny My Privacy Request?

Yes, there are instances in which a business may deny your privacy request or retain the information you have requested to delete.

The CCPA might not apply to the business

The CCPA has very clear criteria on what businesses should meet in order to comply with the data privacy law. If the business does not meet these criteria, they are not obligated to honor your request.

Service provider exception

You may have submitted a request to a service provider of a business you transact with. In this case, they did not collect your information directly from you. They may either act on behalf of the business or inform you that your request cannot be acted upon.

Your request is not verifiable

If you have submitted a Request to Know or Request to Delete, the business will verify your identity. If you are unable to provide the verification information required, or if there is reason to believe your request is fraudulent, the business may deny your request.

CCPA Exceptions for privacy requests

While your Request to Delete might not be denied, your information may still be retained. There are a number of exceptions in the CCPA that allow a business to retain your personal information even when you have made a Request to Delete. These exceptions include when a business needs your information to:

  1. Complete the transaction for which your information was collected, provide goods or services you have requested, or to perform a contract you have entered into with the business

  2. Detect any security incidents, and protect against malicious, fraudulent, or illegal activity

  3. Exercise any rights provided for by law

  4. Comply with other laws or legal obligation

  5. Engage in public or peer-reviewed research, if the deletion of your information is likely to impede the achievement of the research and so long as the business has your consent

  6. Use your information for internal purposes in a lawful manner that is consistent with the context in which your personal information was collected for

You may read more about the reasons why your information may still be retained, or why your privacy requests may be denied, in the Cal. Civ. Code section 1798.105(d) and in the Cal. Civ. Code section 1798.145.

Other instances

The business is only obligated to delete the information they collected directly from you. If the business collected your personal information from a source other than you, the business is not required to delete your personal information.

You may have already submitted two requests in the past year. A business is obligated to respond to your Request to Know and your Request to Delete twice in a 12-month period.

Alternately, a business may have already deleted all personal information they collected from you.