CPRA Data Retention Schedules

By John DiGiacomo

The California Privacy Rights Act (“CPRA”) requires companies that collect and process consumer personal information to publish, that is, disclose, their data retention policies: how long each type of information will be stored and when it will be deleted. More specifically, Section 1798.100(a) of the CPRA requires a business to disclose the purposes for which each category of personal information is collected, and subsection (a)(3) requires it to disclose the “length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period.” The same provision caps retention: a business “shall not” retain a consumer’s personal information or sensitive personal information for longer than is “reasonably necessary for that disclosed purpose.” In other words, the disclosed purpose sets the clock, and the retention period must be justified against it.

What is the Purpose of Data Retention Disclosures and Schedules?

Generally speaking, the consumer data privacy statutes have increasingly focused on the consumer’s “right to be forgotten,” the idea that personal and sensitive data should not sit in a company’s databases for years after the consumer bought the goods or services. Whatever businesses say about how securely data is held and managed, breaches happen routinely, through unauthorized access and through cybercriminal hacking, and every record still stored is a record that can be exfiltrated. Personal data that “floats around the internet” for years creates serious risks for consumers, such as identity theft and the abuse of that data for unwanted, targeted, and harassing advertising. Before the data privacy laws, companies also had little incentive to delete extraneous and unused data. The main reason was cost: deciding what should be retained and what should be discarded takes employee and IT staff time, so it was easier and cheaper to just “keep it all.”

Statutes like the CPRA have changed that calculus. Retaining unnecessary and unused personal and sensitive data now carries serious administrative enforcement risk, and companies are legally required to spend the staff time needed to decide what data is needed and what data can be discarded.

How to Create Data Retention Schedules and Disclosure Policies

The ultimate goal is a written company policy on data retention and management together with a data retention schedule. The first step is to audit the data being collected and stored. Take care here, because your company is probably collecting more data than you think. For example, do your automated processes (web server logs, for instance) record IP addresses? The next step is to categorize the data by type. Some types, such as health-related data, fall under other statutory and regulatory regimes in addition to the CPRA.

The next step is to determine why each category of data is being collected, and then to confirm that the “business purpose” is a legitimate one. Often this is “easy.” Names, email addresses, credit card or other payment data, billing addresses, shipping addresses, product or service identifiers, shipping data, shipment tracking data, and the like are collected for the “business purpose” of providing the product or service the customer requested.

The next step is to set a retention period for each category of personal data that complies with the requirement that the data be retained no longer than is “reasonably necessary for that disclosed purpose.” Note that “no longer retained” does not have to mean destruction. The data can be destroyed, or it can be converted into a form the CPRA does not cover, such as aggregate or deidentified data. Be careful with the second option: the CPRA treats information as deidentified only if the business takes reasonable measures to ensure it cannot be associated with a consumer or household, publicly commits to keep it in deidentified form and not to attempt to reidentify it, and contractually obligates any recipients to do the same. Simply swapping a name for an internal identifier is pseudonymization, and pseudonymous data is still personal information.

The final steps are to reduce the retention policies to writing and then to check that the disclosures provided to consumers match those written policies, category by category.
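As an added illustration (not part of this article and not Revision Legal’s material), the following Python sketch shows how the steps above can be turned into something enforceable: the retention schedule is treated as data that both drives deletion and generates the per-category “length of time” disclosure, so the written policy and the consumer disclosure cannot drift apart. The category names, purposes, retention periods, and sample records are all constructed assumptions for the example, not legal advice.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed retention schedule (illustrative categories, purposes and periods,
# not legal advice). Each category carries the disclosed purpose, the period
# considered reasonably necessary for that purpose, and what happens at the end.
SCHEDULE = {
    "shipping_address": {
        "purpose": "deliver the product the customer ordered",
        "retain_for": timedelta(days=90),
        "end_of_life": "delete",
    },
    "email": {
        "purpose": "send order confirmations and handle support requests",
        "retain_for": timedelta(days=3 * 365),
        "end_of_life": "delete",
    },
    "ip_address": {  # the easily overlooked category from the audit step
        "purpose": "detect fraud and secure the site",
        "retain_for": timedelta(days=30),
        "end_of_life": "deidentify",
    },
}


@dataclass(frozen=True)
class Record:
    record_id: Optional[str]  # links the value to a consumer; None once deidentified
    category: str             # must be a key of SCHEDULE
    value: str
    collected_at: datetime    # timezone-aware


def disclosure_text(schedule):
    """Render the per-category 'length of time' disclosure from the same schedule
    that drives enforcement, so policy and disclosure cannot drift apart."""
    return [f"{cat}: retained {e['retain_for'].days} days to {e['purpose']}"
            for cat, e in schedule.items()]


def decide(record, schedule, now):
    """Return 'retain', 'delete' or 'deidentify' for one record. A category
    missing from the schedule is data the audit missed: it has no disclosed
    purpose, so fail loudly instead of keeping it by default."""
    entry = schedule.get(record.category)
    if entry is None:
        raise LookupError(f"uncategorized data: {record.category!r} in {record.record_id}")
    if now - record.collected_at <= entry["retain_for"]:
        return "retain"
    return entry["end_of_life"]


def deidentify(record):
    """Drop the consumer link and the value, keep only category and collection
    month (enough for aggregate statistics). Whether the result satisfies the
    CPRA's definition of deidentified information is a legal question, not a
    property of this function."""
    month = record.collected_at.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
    return replace(record, record_id=None, value="", collected_at=month)


def enforce(records, schedule, now):
    """Apply the schedule to a batch. Returns the surviving records plus an audit
    log of every decision, which is what the ongoing monitoring step reviews."""
    kept, log = [], []
    for rec in records:
        action = decide(rec, schedule, now)
        log.append((rec.record_id, rec.category, action))
        if action == "retain":
            kept.append(rec)
        elif action == "deidentify":
            kept.append(deidentify(rec))
        # "delete": nothing is appended, the record leaves the store
    return kept, log


# Constructed sample records, evaluated as of a fixed date.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    Record("ord-1001", "shipping_address", "1 Main St", datetime(2024, 5, 1, tzinfo=timezone.utc)),
    Record("ord-0877", "shipping_address", "9 Elm Ave", datetime(2024, 1, 1, tzinfo=timezone.utc)),
    Record("ord-0950", "ip_address", "203.0.113.7", datetime(2024, 4, 15, tzinfo=timezone.utc)),
    Record("ord-0401", "email", "buyer@example.com", datetime(2022, 1, 1, tzinfo=timezone.utc)),
]


def run_example():
    """Enforce the schedule on the sample and return (kept, log)."""
    return enforce(SAMPLE, SCHEDULE, NOW)


if __name__ == "__main__":
    for line in disclosure_text(SCHEDULE):
        print(line)
    kept, log = run_example()
    for entry in log:
        print(entry)
    print(f"{len(kept)} records remain, {len(SAMPLE) - len(kept)} deleted")
```

Two design choices matter here. First, an unknown category raises rather than defaulting to “keep,” because data without a disclosed purpose is exactly what the audit step exists to find. Second, the audit log of decisions is returned alongside the surviving records, which gives the monitoring and updating step something concrete to review.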

At all phases of this process, your company will need legal guidance and assistance from experienced data privacy and internet law attorneys. Further, there must be an ongoing process of monitoring, auditing, and updating the data retention policies and schedules.

Contact the Data Privacy Compliance Attorneys at Revision Legal

For more information, contact the experienced Data Privacy Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
