The “Right to be Forgotten” has sailed across the Atlantic. From its origin in a 2014 CJEU case involving Google and subsequent codification in the GDPR, it has now entered the U.S. data privacy landscape in the form of the CCPA’s “Right to Deletion.”

While there are important differences between the two, both essentially allow a data subject (or “consumer,” in the CCPA’s terminology) to ask a data controller (or “business,” in CCPA language) to delete personal information it has collected about that individual.

This development has understandably been the subject of some fascinating philosophical and political discussions, but I am more interested in a basic, practical question: in short, how can companies actually carry out these requests?
