State Regulation

CCPA and CPRA: Data Deletion, Disposal, and the Right to Destruction in California

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives California residents a right to delete their personal information and requires businesses to secure and properly dispose of it. A separate California law requires businesses to destroy customer records holding personal information. All Green Recycling's data destruction processes are operationally aligned to these California deletion and disposal obligations.

  • Publisher: State of California; California Privacy Protection Agency (CPPA)
  • Current: CCPA as amended by CPRA; operative 1 January 2023
  • Jurisdiction: State
  • Applies to: For-profit businesses that handle California residents' personal information and meet the CCPA thresholds

What Are the CCPA and CPRA?

The California Consumer Privacy Act of 2018 (CCPA) is California’s comprehensive consumer-privacy law, codified at Cal. Civ. Code §1798.100 et seq. The California Privacy Rights Act (CPRA), approved by voters in 2020 and operative from 1 January 2023, amended and expanded the CCPA and created the California Privacy Protection Agency (CPPA) to enforce it.

Publisher: State of California; enforced by the CPPA and the California Attorney General
Key citations: §1798.105 (right to delete); §1798.100(a)(3) and (e) (data minimization and storage limitation); §1798.81 (destruction of customer records); §1798.81.5 (reasonable security)
Legal force: Mandatory California law for businesses that meet the statutory thresholds.

The CCPA applies to for-profit businesses that collect California residents’ personal information and meet at least one threshold: $25 million or more in annual gross revenue, buying or selling the personal information of 100,000 or more consumers or households, or deriving 50 percent or more of annual revenue from selling or sharing personal information.


What Do the CCPA and CPRA Require for Deletion and Disposal?

The CCPA and CPRA require businesses to delete a consumer’s personal information on a verifiable request, to limit how long they retain personal information, to maintain reasonable security, and, under a separate California statute, to destroy customer records so personal information is unreadable.

Right to delete (§1798.105)

A consumer can request deletion of personal information a business has collected, and the business must delete it and direct its service providers to do the same, subject to enumerated exceptions. Deletion must be effective, which for end-of-life media means the data is genuinely unrecoverable.

Data minimization and storage limitation (§1798.100)

The CPRA added a requirement that businesses not retain personal information for longer than reasonably necessary for the disclosed purpose. Media holding personal information past its retention need must be disposed of.

Reasonable security (§1798.81.5) and the private right of action

Businesses must maintain reasonable security procedures for personal information. A breach of nonencrypted, nonredacted personal information caused by failure to maintain reasonable security creates a private right of action with statutory damages.

Destruction of customer records (§1798.81)

A separate California law requires a business to take reasonable steps to dispose of customer records containing personal information by shredding, erasing, or otherwise modifying the information to make it unreadable or undecipherable. This is the direct media-destruction mandate.

Service-provider and contractor obligations

The CPRA distinguishes service providers and contractors from third parties and binds them by contract to process personal information only for the business’s specified purposes. When a consumer exercises the right to delete, the business must instruct its service providers and contractors to delete the personal information as well. A data-destruction vendor that handles media holding California personal information acts in this service-provider capacity, which means it operates under contractual deletion instructions and supplies the business with evidence that the deletion was carried out on the media it processed.

Sensitive personal information and the right to limit

The CPRA created a category of sensitive personal information, including government identifiers, financial-account details, precise geolocation, and health and biometric data, and gave consumers a right to limit its use. While the right to limit governs use rather than disposal, sensitive personal information raises the stakes at end of life, because a breach of this category carries heightened scrutiny and, where it is unencrypted, feeds the private right of action. Destroying media that held sensitive personal information at the Destroy level is the conservative way to close that exposure when the data reaches end of life.


How All Green Recycling Aligns to the CCPA and CPRA

All Green Recycling, a California-based business, provides data destruction operationally aligned to California’s deletion and disposal requirements. Destruction renders personal information unreadable on end-of-life media, which completes a deletion request and satisfies the §1798.81 disposal mandate.

California requirement | All Green Recycling control
Make customer records unreadable (§1798.81) | Hard Drive Shredding at NIST Destroy level
Effective deletion (§1798.105) | SSD Destruction and verified erasure of redeployed media
Reasonable security at disposal (§1798.81.5) | Chain of custody; Witnessed Destruction option
Evidence of disposal | Certificate of Destruction with serialized inventory

All Green Recycling does not claim “CCPA certification.” The CCPA and CPRA are California regulations, not certification schemes. The company states that its destruction methods satisfy the requirements of the California disposal law and support a business’s deletion obligations, and it provides a Certificate of Destruction as the disposal record.


Who Must Comply With the CCPA and CPRA?

The CCPA and CPRA apply to for-profit businesses doing business in California that collect California residents’ personal information and meet at least one statutory threshold for revenue, data volume, or revenue from selling or sharing data. Service providers and contractors that process personal information for those businesses inherit related obligations by contract.

The California disposal law at §1798.81 is broader: it applies to any business that maintains customer records containing personal information, without the CCPA thresholds. A technology company retiring servers, a retail operator decommissioning point-of-sale systems, and a small business clearing out old customer files all fall under the disposal mandate and must render personal information on that media unreadable.

This two-track structure matters in practice. A business below the CCPA revenue and volume thresholds may have no obligation to honor formal deletion requests, yet it still must dispose of customer records securely under §1798.81 whenever it retires the media those records sit on. The result is that essentially every California business that holds customer information has a media-destruction obligation, even if it is not a regulated CCPA business. Treating end-of-life drives, point-of-sale systems, and backup media as records requiring documented destruction is the simplest way to satisfy the disposal law regardless of which track applies.


Enforcement and Consequences

The California Privacy Protection Agency and the California Attorney General enforce the CCPA and CPRA. Consumers can also sue for certain breaches. Penalties combine administrative fines with private statutory damages.

Administrative penalties: Violations can incur civil penalties of up to $2,500 per violation, rising to $7,500 per intentional violation or violations involving the personal information of minors.

Private right of action: A data breach of nonencrypted personal information caused by inadequate security can expose a business to statutory damages of $100 to $750 per consumer per incident, or actual damages if greater.

Disposal-law liability: A business that fails to dispose of customer records under §1798.81 can face civil liability, and a disposal-related breach compounds the exposure with CPRA penalties and breach-notification costs.



Frequently Asked Questions

Is CCPA and CPRA compliance mandatory or voluntary?

CCPA and CPRA compliance is mandatory for for-profit businesses that handle California residents’ personal information and meet at least one statutory threshold for revenue, data volume, or revenue from selling or sharing data. The California Privacy Protection Agency and Attorney General enforce it with penalties up to $7,500 per intentional violation. The separate California disposal law at §1798.81 applies to any business holding customer records, with no threshold, and requires those records to be made unreadable at disposal.

What does California law require for destroying customer records?

California Civil Code §1798.81 requires a business to take reasonable steps to dispose of customer records containing personal information by shredding, erasing, or otherwise modifying the personal information to make it unreadable or undecipherable. For electronic media this means physically destroying end-of-life drives or applying a verified erase that defeats recovery. The CCPA’s right to delete and storage-limitation rules reinforce this by requiring effective deletion and limited retention.

How does All Green Recycling satisfy CCPA disposal requirements?

All Green Recycling, a California-based company, provides destruction operationally aligned to the state’s deletion and disposal requirements. The company shreds media at NIST Destroy level to render personal information unreadable under §1798.81, applies verified erasure to redeployed assets to support deletion requests, and issues a Certificate of Destruction with a serialized inventory. All Green Recycling states process-alignment, not a CCPA certification, because the CCPA and CPRA are regulations rather than certification schemes.

Does deleting a file satisfy the CCPA right to delete?

File-level deletion does not satisfy the CCPA right to delete when the underlying data remains recoverable. The right to delete under §1798.105 requires that personal information be genuinely removed. On end-of-life media this means destruction or a verified sanitization method that defeats recovery, documented so the business can confirm the data can no longer be reconstructed. A Certificate of Destruction provides that confirmation for media that has been physically destroyed.

Do California deletion requests reach data on backup and archived media?

The right to delete under §1798.105 reaches the personal information a business has collected, which includes copies held on backups and archives, subject to the statute’s exceptions and to regulatory guidance on backup systems. In practice a business deletes personal information from active systems promptly and addresses backups and archived media on their normal cycle, destroying the underlying media when it reaches end of life so no recoverable copy persists. The discipline that closes the loop is the same as for the disposal law: route retired backup tapes and archival drives to documented destruction so the business can show that personal information was made unreadable rather than left recoverable on shelved media.

What documentation demonstrates CCPA-compliant disposal of media?

A business should retain evidence that media holding personal information was destroyed and made unreadable. The Certificate of Destruction from All Green Recycling records the serialized devices, the destruction method, and the date, which demonstrates compliance with the §1798.81 disposal mandate and supports the business’s response to deletion requests. This record also helps rebut a reasonable-security claim if disposed media is ever questioned.

How do the CCPA and CPRA relate to the GDPR?

The CCPA and CPRA govern California residents’ personal information, while the GDPR governs personal data of individuals in the EU. Both grant a deletion or erasure right and require effective, irreversible removal of data, including on retired media. A business operating across both regimes applies the strictest applicable standard. Documented destruction that renders media unreadable satisfies the deletion and disposal obligations of the CCPA, the CPRA, and the GDPR simultaneously.

Does the §1798.81 disposal law apply to small businesses?

Yes. Unlike the CCPA’s right-to-delete provisions, which apply only to businesses meeting revenue or data-volume thresholds, the customer-records disposal law at §1798.81 contains no size threshold. Any business that maintains customer records containing personal information must take reasonable steps to make that information unreadable or undecipherable at disposal. A small professional office retiring a few computers is therefore subject to the same disposal standard as a large enterprise. The practical compliance step is identical at any scale: route media holding customer information to documented destruction rather than to the trash, and keep the Certificate of Destruction as proof that reasonable steps were taken.

Need compliant destruction services that satisfy CCPA and CPRA?

Bonded · Insured · Certificate of Destruction · Methods follow CCPA and CPRA