Third party right to be forgotten

January 14, 2020

QT:{{”

Does a company have to forward a right to be forgotten request to a third party with whom it has shared personal information?

….
In California the CCPA requires that (in certain situations) a business “delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.”1 In situations in which a business has shared a consumer’s personal information with another business or a third party, the CCPA does not require business A to inform business B that a deletion request has been received. That said, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.2

In comparison, under the European GDPR when a controller receives a right to be forgotten request, and determines that it is required to delete information about an individual, the controller must “take reasonable steps” to “inform [other] controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.”3 It is unclear based upon the text of the GDPR whether this requirement requires controller A to notify controller B that the data subject has requested controller A to erase data, or whether the requirement requires controller A to notify controller B that a data subject has requested erasure by both controller A and B.

‘}}

https://ccpa-info.com/category/1798-105-c-faqs/