Companies have always had requirements to retain records in accordance with laws and regulations—and to dispose of them once those obligations were no longer in force. But by and large, most haven’t done so in any consistent, systematic way: instead, they’ve kept the majority of their corporate records forever, despite the specific retention periods in force for any given record type.
In general, this is because there hasn’t been an enforcement authority with any real teeth to monitor, regulate, and enforce records management non-compliance—as records professionals are apt to complain, “there’s no records management police” to enforce their edicts. The closest records management ever came to enforcement was for eDiscovery: if an organization deleted records improperly, and a lawsuit required them to hold these records, they could risk fines and sanctions for spoliation. And despite a few high-profile spoliation fines and sanctions, the risk of records non-compliance wasn’t worth the effort for most firms… until now.
Despite being a privacy regulation, the California Privacy Rights Act (CPRA) has changed this calculus in favor of records management compliance in a big way. In January 2023, businesses subject to CPRA may be required to publish the retention periods for all categories of personal and sensitive information they collect, manage, store, share, or sell. CPRA Section 1798.100 (General Duties of Businesses that Collect Personal Information) states that businesses subject to CPRA need to disclose:
The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.
Imagine the difficulty of publishing a single retention period for all data elements that fall under the category “Personal Identifiers”, such as first and last name or phone number. Depending on whether these appear in a contract, help desk ticket, bill, or email, the retention periods will differ widely.
And although the CPRA seems to offer an out by allowing firms to disclose instead the criteria they apply to the retention of personal information, this only kicks the can down the road. It is highly likely that the California Attorney General will ask firms to demonstrate how they ensure that each category of personal information is disposed of according to the criteria disclosed—and then the jig is up because, as discussed above, most firms do not manage retention properly. CPRA compliance, far from being a narrow privacy problem, is now a data retention problem. How can we maintain data for as long—and only as long—as legally obligated and then defensibly dispose of it?
Given the complexity of the upcoming CPRA requirements, we are publishing a series of articles on this topic. This first article introduced and reviewed the unique data retention and notice requirements of the CPRA. Our second article will provide guidance on developing a functional records management program. Our third article will review the creation of a defensible disposition process. The last article will provide guidance on how to use your data inventory to update your privacy notice with the required retention periods for each category of personal information.
The information provided in this article is for general informational purposes only and does not constitute legal advice.