The California Privacy Rights Act (CPRA), which goes live January 1, 2023, introduces data retention and deletion requirements very similar to those in the General Data Protection Regulation (GDPR).
Both the CPRA and GDPR drive toward the same storage limitation principle, which holds that organizations must delete personal data when it is no longer necessary. Storage limitation presents one of the largest, if not the largest, challenges for organizations preparing for CPRA.
GDPR – GDPR Article 30 states, “Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility…That record shall contain all of the following information: 1) where possible, the envisaged time limits for erasure of the different categories of data.” GDPR Article 13 states, “the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing: 1) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period…”
CPRA – In comparison, CPRA’s section 1789.100 states, “A business that controls the collection of a consumer’s personal information shall, at or before the point of collection, inform consumers as to:…the length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine such period, provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.”
Let’s unpack the potential CPRA disclosure requirement referenced in section 1789.100: at the point of collection, the business must inform consumers of the length of time it intends to retain each category of PI or, if that is not possible, the criteria used to determine that period.
We hope that this privacy notice disclosure requirement is clarified during the rulemaking process and when the supporting CPRA regulations are published, but currently we see two disclosure options.
The first potential disclosure option is that, for each category of personal information identified in a pre-collection privacy notice, businesses will need to include a retention period. Most CCPA pre-collection privacy notices include a chart that lists the categories of personal information collected, the business purpose(s) for collecting it, and information on third parties with whom it is shared. To meet the CPRA requirement, we may need to add a retention period column to that same chart (e.g., 3 years, 7 years, etc.). There are a lot of implications to this scenario. The most noteworthy is that publicly disclosing elements of a retention schedule, which has traditionally been an internally facing document, introduces an obligation for an organization to actually follow the retention schedule and delete personal information once it exceeds the retention period. This first disclosure option can also become more complex if retention periods need to be disclosed by category and business purpose, which would result in an even more granular disclosure.
The second disclosure option is that businesses will make a general statement in their pre-collection notice, similar to what we see with GDPR notices, along the lines of “we only retain personal information long enough to complete our intended business purposes or to meet certain legal obligations.”
The ambiguity around these retention disclosure requirements in the CPRA should be clarified in the rulemaking process; however, it is crystal clear that organizations need to be preparing now for how to defensibly delete data.
What can we be doing now?
Although defensible data deletion will differ in practice from organization to organization, there are some key tactical activities every organization needs to undertake to enable it effectively:
- Update (or create) a data inventory. Knowing what kind of data you have, what systems it’s stored in, and who owns both is a key first step to being able to manage that data in accordance with your legal and compliance obligations—and to get rid of it when those obligations are no longer in force.
- Document your compliance obligations. In order to know when you can delete data, you need to understand the full array of legal and compliance obligations it is subject to (not simply privacy obligations) and what each of them requires.
- Review and revise the records retention schedule. An up-to-date retention schedule functions as the “disposition bible” that distills the range of compliance obligations for each kind of data into clear, succinct guidance on how long to retain that data and when to dispose of it.
- Publish an information lifecycle management (ILM) policy. To manage data in a compliant way, you’ll need an ILM policy that tells employees what is expected of them throughout the lifecycle of data, from the point of capture or creation, through usage, management and sharing, to eventual disposition (archival or purge).
- Define the data disposition process. In order to be defensible, your disposition process needs to not only be reasonable, but documented, consistent, repeatable and auditable as well—a defined data disposition process is therefore central to being able to demonstrate defensibility to courts, regulators, auditors and others.
With these five activities complete, you’ll be better able to leverage supporting technology such as file analytics, GRC (governance, risk, and compliance), DLP (data loss prevention), or data classification to manage data throughout its lifecycle and, ultimately, to dispose of it in accordance with your compliance obligations.