Skip to content

CPRA Step 06

Providing User Right to Deletion

Similar to the right of access in (section eight)[./dsar_cpra], above, the right to deletion requires the same broad steps with some additional considerations:

1. Provide your user two ways to submit their access requests

In order to fulfill this obligation, you must provide your consumer a minimum of two methods to make their request to your business. Typically these are:

  • A form or privacy center to automatically accept requests from consumers.
  • An email address or customer support system to accept requests.

2. Collect information necessary to verify their identity

As the business receiving the request, you are responsible for verifying the validity of the identity of the consumer.

To minimize privacy risks, you should not request additional information you do not already hold about the user to verify their identity. Put simply, if you don’t already have their driver’s license, don’t ask for it to process privacy requests. For this reason, the most common method to verify the identity of a user is their email address or phone number.

You can then use this identity with MFA solutions to send an email or SMS to their inbox or device with a short code. This code allows you to better confirm that the Consumer making the request is the rightful owner of the email address or phone number as they have access to the inbox or the device.

3. Delete their personal data from your systems

You must then delete all of the user's data from across your businesses systems, and to vendors to provide the user.

If you are doing this manually, be very careful to ensure you are not deleting confidential company information, information necessary for reporting or regulatory purposes, and also not deleting data belonging to other users.

Note: you may retain personal information that you require for other regulatory purposes. A good example of this is, if you’re a retailer, you might need to retain order history information and the consumer's state of residence in order to calculate tax nexus for reporting purposes.

The deletion request process is labor intensive and risky. Therefore we strongly recommend using an automated system such as Fides to perform this end-to-end for you, from providing the consumer a privacy center to receive their requests, automating identity verification, and programmatically performing secure data extraction across all business systems on behalf of the user.

Looking for more help with Deletion Requests? Ask a question now on the Fides Slack Community.

If want lightning-fast, automated deletion requests with Privacy Engineering Intelligence from Ethyca, get in touch now.