AI Personal-Data Deletion-Rights Workflow Drafting: GDPR and CCPA Alignment

End-of-lesson check

15 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-ethics-ai-and-personal-data-deletion-rights-workflow-r6a3-creators

1. Which component of a GDPR Article 17 and CCPA deletion workflow requires human counsel review rather than AI determination?

   1. Whether a legal-hold exemption applies to the request
   2. The identity verification step to confirm the requester
   3. The audit-log entry format for compliance records
   4. The response template language for the data subject

2. A deletion workflow addresses the primary customer database but does not include backup systems or analytics warehouses. What is the primary risk?

   1. The AI will be held personally liable for the oversight
   2. The verification step becomes invalid
   3. The requester will receive duplicate deletion confirmations
   4. The workflow will fail compliance audits because backups retain data

3. What task can an AI reliably perform when drafting a personal-data deletion workflow?

   1. Generating verification-step language compliant with both GDPR and CCPA
   2. Evaluating whether the requester has standing to make the request
   3. Deciding if a legal-hold overrides the deletion right
   4. Determining whether a research exemption applies to a specific request

4. What does the term 'downstream-system fan-out' refer to in deletion workflow design?

   1. The routing of deletion requests to all systems containing the subject's data
   2. The escalation of complex requests to senior legal reviewers
   3. The automated generation of deletion confirmation emails
   4. The process of notifying external regulators about deletion requests

5. A company claims their AI-powered deletion system is fully compliant because it processes all requests automatically. What is the most significant compliance concern?

   1. The AI will refuse requests from minors
   2. The AI may process requests faster than regulations allow
   3. The automated system cannot generate audit logs
   4. The system may not properly handle exemptions that require human legal review

6. What must be explicitly addressed in the downstream-system fan-out checklist to ensure complete erasure?

   1. Employee training schedules for the deletion team
   2. Backup retention policies and de-link procedures
   3. The color scheme of the deletion request portal
   4. Third-party marketing partner contact information

7. In a GDPR Article 17 deletion workflow, what is the purpose of the identity verification step?

   1. To generate the audit-log entry for regulatory review
   2. To confirm the requester is who they claim to be before processing deletion
   3. To determine whether an exemption applies to the request
   4. To route the request to the appropriate downstream system

8. A student argues that AI can handle exemption assessments for deletion requests because the AI is trained on legal texts. Why is this incorrect?

   1. Exemption assessments require contextual judgment about specific cases, not pattern matching
   2. AI is always more accurate than human lawyers
   3. GDPR Article 17 does not include exemptions
   4. AI cannot read legal texts

9. What elements must an end-to-end deletion-rights workflow include, according to best practices for GDPR and CCPA alignment?

   1. Verification, deletion, and marketing suppression only
   2. Request intake, identity verification, exemption assessment, downstream fan-out, response template, and audit logging
   3. Request intake, payment processing, and customer service follow-up
   4. Only the verification step and the actual deletion from the database

10. Under CCPA, what must a deletion response template typically communicate to the requester?

    1. The names of all employees who processed the request
    2. Whether deletion was completed or if an exemption applies, and what categories of data were affected
    3. The specific technical method used to delete the data
    4. The company's profit margins for the deleted data

11. Why is an audit-log entry important in a deletion workflow?

    1. It speeds up the deletion process significantly
    2. It replaces the need for identity verification
    3. It allows the company to market additional services to the requester
    4. It provides evidence of compliance if regulators investigate

12. A deletion workflow includes a response template. What should this template primarily address?

    1. The company's terms of service
    2. The requester's social media passwords
    3. The outcome of the deletion request and any limitations
    4. Technical details about the database architecture

13. What is the relationship between GDPR Article 17 and CCPA deletion rights?

    1. They are identical and use the exact same language
    2. They share the core principle of right to erasure but have different procedural requirements
    3. CCPA only applies to California residents, while GDPR applies globally with no overlap
    4. GDPR does not include deletion rights—only CCPA does

14. When drafting identity verification language for a deletion request workflow, what should the AI focus on producing?

    1. Language that allows deletion without any verification
    2. Procedural steps that confirm the requester's identity while complying with both GDPR and CCPA
    3. Questions about the requester's political beliefs
    4. A lottery system to randomly select which requests to process

15. A company wants to use AI to completely replace human lawyers for handling deletion request exemptions. What is the fundamental limitation?

    1. AI lacks the legal authority to make binding exemption determinations that could be challenged in court
    2. AI cannot type fast enough
    3. AI cannot generate text
    4. AI only works for large companies, not small ones