follow up to my stripe thread — different problem now. former customer (CA resident) submitted a CCPA deletion request. easy to delete from production, but our daily backups go back 90 days and the customer's records are in those backups. is there a "best practice" for handling this technically?
standard answer: delete from active systems immediately and add the user ID to a "deletion queue" that re-applies the deletion when backups are restored. document this in your privacy policy. CCPA recognizes that backup deletion is impractical and accepts reasonable technical measures.
we built a "right-to-be-forgotten" service that maintains a tombstone list and re-deletes after every restore. about 2 days of work to set up. saved us a lot of pain.
I'm Sergei Tokmakov, California attorney (Bar #279869). The CPRA (which amended CCPA effective 2023) and the implementing regs explicitly contemplate the backup problem. Section 1798.105 requires deletion "from records" but the regulations recognize that immediate purge from backups isn't always practical.
Defensible approach: (1) delete from production within 45 days, (2) implement a process that re-applies deletion if/when the backup is restored to production, (3) document this process in your privacy policy and in your response to the customer, (4) maintain logs proving the deletion was completed. The CA AG has consistently endorsed this approach in enforcement guidance. Informational only.