Comparison of privacy laws and deletion requests

Modern state privacy laws provide individuals with the ability to request deletion of their personal information. However, the statutes differ as to the scope of the “right to erasure”. For example, some states only allow consumers to request deletion of personal information they have provided to the organization (which allows the organization to retain personal information it has obtained from third-party sources or has created itself), while other laws allow consumers to make requests. It should be noted that even if a law grants consumers the ability to request deletion of a particular type of data, the law may still provide exceptions allowing an organization to decline the request. For example, if an organization is required by law to retain certain information, it may refuse a deletion request, whether the data was collected directly from the consumer or through a third party.

Here is a comparison of the types of personal information for which consumers can request deletion:

NOTES

[1] Cal. Civil. Code 1798.105(a) (West 2020).

[2] Cal. Civil. Code 1798.105(a) (West 2021).

[3] CRS § 6-1-1306(1)(d).

[4] Connecticut Substitute Bill No. 6, § 4(a)(3).

[5] Utah Code Ann. §13-61-201(2).

[6] Virginia Code §59.1-573(3).

[7] CRS § 6-1-1306(1)(d).

[8] Connecticut Substitute Bill No. 6, § 4(a)(3).

[9] Virginia Code §59.1-573(3).

[10] CRS § 6-1-1306(1)(d).

[11] Connecticut Substitute Bill No. 6, § 4(a)(3). The law refers to information “provided by, or obtained about” the consumer. It is unclear whether a court would consider information created by a company to be “obtained” by the controller.

[12] Virginia Code § 59.1-573(3). The law refers to information “provided by, or obtained about” the consumer. It is unclear whether a court would consider information created by a company to be “obtained” by the controller.

©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XII, Number 160