Implements CCPA/CPRA right-to-delete with identity verification, statutory exceptions, service provider obligations, and 45-day response timelines. For consumer deletion requests.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-complete
This skill uses the workspace's default tool permissions.
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants California consumers the right to request deletion of personal information collected about them. This right is codified in Cal. Civ. Code Section 1798.105. Unlike the GDPR right to erasure, which requires establishing one of six grounds, the CCPA right to delete is a more direct right — the consumer simply requests deletion, and the business must comply unless a specific exception applies. The CPRA amendments expanded the obligations and introduced the California Privacy Protection Agency (CPPA) as the dedicated enforcement body. This skill covers the complete operational framework for receiving, verifying, assessing, and fulfilling deletion requests under CCPA/CPRA.
(a) A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.
(b) A business that collects personal information about consumers shall disclose the consumer's right to request deletion of the consumer's personal information.
(c) A business that receives a verifiable consumer request to delete the consumer's personal information shall delete the consumer's personal information from its records, notify any service providers or contractors to delete the consumer's personal information from their records, and notify all third parties to whom the business has sold or shared the consumer's personal information to delete the consumer's personal information unless this proves impossible or involves disproportionate effort.
(d) A business, service provider, or contractor shall not be required to comply with a consumer's request to delete the consumer's personal information if it is reasonably necessary for the business, service provider, or contractor to maintain the consumer's personal information in order to: [see exceptions below].
Key CPRA changes affecting the right to delete:
The California Attorney General's CCPA regulations (subsequently updated by CPPA regulations) specify:
A business is not required to delete personal information if it is reasonably necessary to:
| Exception | Description | Example at Orion Data Vault Corp |
|---|---|---|
| (d)(1) Complete the transaction | Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business's ongoing business relationship with the consumer | Active subscription or service delivery |
| (d)(2) Detect security incidents | Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity | Fraud investigation records, security incident logs |
| (d)(3) Debug | Debug to identify and repair errors that impair existing intended functionality | Error logs, crash reports tied to consumer account |
| (d)(4) Free speech | Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law | User-generated content on public forums |
| (d)(5) CCPA research | Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when deletion is likely to render impossible or seriously impair the research | Anonymized research datasets (must meet CCPA research standards) |
| (d)(6) Internal use aligned with expectations | Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business | Service improvement analytics based on consumer's direct interactions |
| (d)(7) Legal obligation | Comply with a legal obligation | Tax records, AML records, employment records |
| (d)(8) Internal use — lawful and compatible | Otherwise use the consumer's personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information | Business operations where consumer reasonably expects data use |
| (d)(9) Comply with other law | Comply with federal, state, or local laws | HIPAA, FCRA, GLBA requirements |
```
[Deletion Request Received]
         │
         ▼
[For Each Category of Personal Information Held]
         │
         ├── [Does any exception under §1798.105(d) apply?]
         │     │
         │     ├── No exception ──► DELETE this category
         │     │
         │     ├── Exception (d)(1) — Active transaction/relationship?
         │     │     └── [Is the consumer's transaction/service still active?]
         │     │           ├── Yes ──► RETAIN (document: active relationship)
         │     │           └── No ──► DELETE (transaction complete)
         │     │
         │     ├── Exception (d)(2) — Security?
         │     │     └── [Is data part of active security investigation?]
         │     │           ├── Yes ──► RETAIN (document: investigation ref)
         │     │           └── No ──► DELETE
         │     │
         │     ├── Exception (d)(7) — Legal obligation?
         │     │     └── [Is there a specific statutory retention requirement?]
         │     │           ├── Yes ──► RETAIN (document: cite statute + period)
         │     │           └── No ──► DELETE
         │     │
         │     └── [Other exceptions: assess per criteria above]
         │
         ▼
[Partial Deletion Decision]
  - Delete all categories where no exception applies
  - Retain categories where valid exception applies
  - Document each retained category with exception citation
  - Inform consumer of partial deletion with explanation
```
CCPA requires that businesses verify the identity of the consumer making the request. The level of verification depends on the type of request and the sensitivity of the data:
| Verification Level | When Required | Methods |
|---|---|---|
| Reasonable degree of certainty | Deletion requests (standard) | Match at least 2 data points provided by consumer against information already maintained |
| Reasonably high degree of certainty | Deletion requests involving sensitive personal information or where deletion could cause significant harm to the consumer if incorrect | Match at least 3 data points + signed declaration under penalty of perjury |

| Method | Description | Data Points Matched |
|---|---|---|
| Account-based verification | Consumer logs into their verified account | Account credentials constitute verification |
| Email verification | Send verification link to email address on file | Email address + 1 additional data point |
| Knowledge-based verification | Ask consumer to confirm information only they would know | 2-3 data points (name, address, transaction history, phone) |
| Government ID | Request government-issued identification | Use only when other methods insufficient; destroy copy after verification |
| Signed declaration | Request signed declaration under penalty of perjury | Required for high-certainty verification; supplements other methods |
```
[Deletion Request Received]
         │
         ▼
[Does consumer have an account?]
         │
         ├── Yes ──► [Is consumer logged in?]
         │             ├── Yes ──► Verified (account-based)
         │             └── No ──► Request login; if unable, proceed to non-account verification
         │
         └── No ──► [Non-account verification]
                       │
                       ├── [Request 2 data points for standard verification]
                       │     ├── Match ──► Verified
                       │     └── No match ──► Request additional data or deny (document reason)
                       │
                       └── [If sensitive data or high-risk deletion]
                             ├── [Request 3 data points + signed declaration]
                             ├── Match ──► Verified
                             └── No match ──► Deny with right to appeal
```
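The verification tree above can be expressed as a small matcher. This is an added example, not code from the skill itself; the field names, the `Outcome` values and the sample record are assumptions made for illustration. Data points are normalized before comparison and compared in constant time, and a field the business does not already hold never counts as a match.

```python
import hmac
import unicodedata
from enum import Enum

class Outcome(Enum):
    VERIFIED = "verified"
    REQUEST_MORE = "request additional data or deny (document reason)"
    DENY_APPEALABLE = "deny with right to appeal"

def _norm(value: str) -> bytes:
    # Fold case, Unicode form and whitespace so formatting differences
    # do not cause false mismatches.
    folded = unicodedata.normalize("NFKC", value).casefold()
    return " ".join(folded.split()).encode("utf-8")

def count_matches(submitted: dict, on_file: dict) -> int:
    """Count submitted data points that equal information already maintained."""
    hits = 0
    for field, claimed in submitted.items():
        known = on_file.get(field)
        # A field the business does not hold (or holds empty) can never match.
        if claimed and known and hmac.compare_digest(_norm(claimed), _norm(known)):
            hits += 1
    return hits

def verify_deletion_request(submitted: dict, on_file: dict, *,
                            logged_in: bool = False, sensitive: bool = False,
                            signed_declaration: bool = False) -> Outcome:
    if logged_in:  # account-based verification: credentials are the proof
        return Outcome.VERIFIED
    hits = count_matches(submitted, on_file)
    if sensitive:  # reasonably high certainty: 3 data points + signed declaration
        ok = hits >= 3 and signed_declaration
        return Outcome.VERIFIED if ok else Outcome.DENY_APPEALABLE
    # Reasonable certainty: at least 2 matching data points.
    return Outcome.VERIFIED if hits >= 2 else Outcome.REQUEST_MORE

# Constructed sample record and request (not real consumer data).
ON_FILE = {"name": "Dana Q. Example", "email": "dana@example.com",
           "phone": "555-0100", "postal_code": "94105"}
REQUEST = {"name": "dana q.  example", "email": "DANA@EXAMPLE.COM",
           "phone": "555-0199"}

if __name__ == "__main__":
    print(verify_deletion_request(REQUEST, ON_FILE))
    print(verify_deletion_request(REQUEST, ON_FILE, sensitive=True,
                                  signed_declaration=True))
```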
Consumers may designate an authorized agent to submit deletion requests on their behalf:
| Milestone | Deadline | Action |
|---|---|---|
| Acknowledgement | 10 business days from request receipt | Confirm receipt; provide expected completion date |
| Verification completion | As soon as practicable | Complete identity verification; if unable to verify, notify consumer |
| Response | 45 calendar days from verifiable request receipt | Complete deletion and notify consumer; OR invoke extension |
| Extension (if needed) | Additional 45 calendar days (90 total) | Notify consumer of extension within initial 45 days; explain reason |
| Deletion completion | Within response deadline | Delete from business systems; direct service providers/contractors to delete; notify third parties |
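The milestones in the table above can be computed and checked per request. This is an added example, not code from the skill itself; the function names are assumptions, and the business-day calculation assumes a Monday-to-Friday week with a caller-supplied holiday set (empty by default).

```python
from datetime import date, timedelta
from typing import Optional

ACK_BUSINESS_DAYS = 10   # acknowledgement: 10 business days from receipt
RESPONSE_DAYS = 45       # response: 45 calendar days
EXTENSION_DAYS = 45      # one extension: 90 calendar days in total

def add_business_days(start: date, n: int, holidays=frozenset()) -> date:
    """Return the date n business days after start (Mon-Fri, minus holidays)."""
    day = start
    while n > 0:
        day += timedelta(days=1)
        if day.weekday() < 5 and day not in holidays:
            n -= 1
    return day

def deadlines(received: date, extension_notice: Optional[date] = None,
              holidays=frozenset()) -> dict:
    ack_due = add_business_days(received, ACK_BUSINESS_DAYS, holidays)
    response_due = received + timedelta(days=RESPONSE_DAYS)
    # The extension only counts if the consumer was told within the initial 45 days.
    extended = extension_notice is not None and extension_notice <= response_due
    final_due = response_due + timedelta(days=EXTENSION_DAYS) if extended else response_due
    return {"ack_due": ack_due, "response_due": response_due,
            "extended": extended, "final_due": final_due}

def overdue(received: date, today: date, *,
            acknowledged_on: Optional[date] = None,
            completed_on: Optional[date] = None,
            extension_notice: Optional[date] = None) -> list:
    """List the milestones already missed as of today."""
    d = deadlines(received, extension_notice)
    late = []
    if (acknowledged_on or today) > d["ack_due"]:
        late.append("acknowledgement")
    if (completed_on or today) > d["final_due"]:
        late.append("response")
    return late

if __name__ == "__main__":
    received = date(2026, 3, 2)  # constructed sample date (a Monday)
    print(deadlines(received))
    print(overdue(received, date(2026, 4, 17), acknowledged_on=date(2026, 3, 10)))
```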
The response to a deletion request must include:
```
DELETION REQUEST RESPONSE — Orion Data Vault Corp
---------------------------------------------------
Consumer Reference: DEL-CA-2026-0089
Request Date: [YYYY-MM-DD]
Verification Date: [YYYY-MM-DD]
Response Date: [YYYY-MM-DD]

STATUS: [Completed / Partially Completed / Denied]

PERSONAL INFORMATION DELETED:
- Category 1: [Description] — DELETED from business systems
- Category 2: [Description] — DELETED from business systems
- Category 3: [Description] — DELETED from business systems

SERVICE PROVIDERS/CONTRACTORS DIRECTED TO DELETE:
- [Service Provider Name] — Directed [date], confirmed [date]
- [Contractor Name] — Directed [date], confirmed [date]

THIRD PARTIES NOTIFIED (if PI was sold or shared):
- [Third Party Name] — Notified [date]

EXCEPTIONS APPLIED (if any):
- Category [X]: Retained under §1798.105(d)(7) — legal obligation
  (Specific statute: [cite statute and retention period])
- Category [Y]: Retained under §1798.105(d)(1) — active transaction
  (Transaction expected to complete: [date])

CONSUMER RIGHTS:
- You may appeal this decision by contacting [contact information]
- You may file a complaint with the California Privacy Protection Agency
  at [CPPA contact information]
- This deletion does not prevent you from exercising other rights under
  the CCPA, including the right to know and the right to opt-out
```
Under CCPA/CPRA, when a business receives a deletion request:
Orion Data Vault Corp includes the following provisions in all service provider agreements:
```
CCPA SERVICE PROVIDER ADDENDUM — Key Clauses
----------------------------------------------
1. DELETION OBLIGATIONS
   Service Provider shall, upon receipt of direction from Business to
   delete a consumer's personal information:
   (a) Delete the personal information from its systems within [15]
       business days of receiving the direction;
   (b) Direct any sub-service providers to delete the personal information;
   (c) Confirm deletion to Business in writing within [20] business days;
   (d) Retain no copies of the deleted personal information except as
       permitted by an applicable exception under Cal. Civ. Code §1798.105(d).

2. EXCEPTION NOTIFICATION
   If Service Provider determines that an exception under §1798.105(d)
   applies to any portion of the personal information, Service Provider
   shall notify Business within [5] business days, specifying the exception
   relied upon, the categories of personal information affected, and the
   expected retention period.

3. AUDIT RIGHTS
   Business shall have the right to audit Service Provider's deletion
   processes and verify that deletion has been completed as directed.
```
| Aspect | CCPA Right to Delete | GDPR Right to Erasure |
|---|---|---|
| Grounds required | No — consumer simply requests deletion | Yes — must establish one of six grounds under Art. 17(1) |
| Scope | Personal information collected FROM the consumer | Personal data concerning the data subject (broader — includes data obtained from other sources) |
| Response timeline | 45 calendar days (extendable to 90) | 30 calendar days (extendable to 90) |
| Verification | Explicit verification requirements with defined certainty levels | Identity verification required but method at controller's discretion |
| Service provider obligations | Explicit — must direct service providers/contractors to delete | Implicit — controller must ensure processors delete under Art. 28 |
| Third-party notification | Must notify third parties to whom PI was sold/shared | Must inform other controllers to whom data was disclosed (Art. 17(2) + Art. 19) |
| Exceptions | 9 enumerated exceptions under §1798.105(d) | 5 exceptions under Art. 17(3) |
| Enforcement | CPPA and California AG; private right of action limited to data breaches | Supervisory authorities; broader private right of action |

| Metric | Target | Reporting |
|---|---|---|
| Requests received (quarterly) | Track volume and trend | Quarterly to CPPA (if required) |
| Median response time | ≤ 30 calendar days | Quarterly |
| Requests completed within 45 days | ≥ 95% | Quarterly |
| Requests requiring extension | ≤ 10% | Quarterly |
| Requests denied (with exception) | Track percentage and exception type breakdown | Quarterly |
| Service provider deletion confirmation rate | 100% within 20 business days | Per request |
| Consumer appeals filed | Track volume and outcome | Quarterly |
If required to provide annual metrics (businesses receiving ≥10 million consumer requests), disclose: