Using a Data Inventory in Conjunction with your Retention Schedule to Update your Privacy Notice for CPRA

Ankura Cybersecurity & Data Privacy

Starting in January 2023, businesses subject to the California Privacy Rights Act (CPRA) may be required to publish the retention periods for all categories of personal and sensitive information they collect, manage, store, share, or sell.

CPRA Section 1798.100. General Duties of Businesses that Collect Personal Information states that businesses subject to CPRA need to disclose:

The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.

Imagine the difficulty of publishing a single retention period for all data elements that fall under the category “Personal Identifiers”, such as first and last name or phone number. Depending on whether these appear in a contract, help desk ticket, bill, or email, the retention periods will differ widely.

How can you use your data inventory to be compliant with the CPRA?

Companies likely already know that a complete data inventory is a key building block for a privacy program as it can be used to update the privacy notice, better allocate security controls, and respond to consumer requests in a timely and efficient manner. But companies may not realize that developing a data inventory is also essential for operationalizing a data retention program.  A data inventory can provide businesses with a systematic way to identify retention periods at a category-by-category level.

A data inventory for privacy compliance should include not only detailed information on the assets that contain personal information, but also information on the business processing activities through which the company processes personal information. Detailed information at the asset and processing-activity level should capture, at a minimum:

  • Data Subject (employees, customers, vendors, etc.),
  • Processing Category (there are 11 categories specified under the California Consumer Privacy Act (CCPA) and CPRA, including biometric data, personal identifiers, and geolocation data), and
  • Data Elements (the actual data elements captured or processed like device ID, phone number, purchase history, browsing time, etc.)

It is important that this information is not only captured, but also appropriately related. In other words, if you capture data on employees in an asset, you should also be able to identify both the higher-level processing categories and the specific data elements collected for those employees.

In addition, each item in the data inventory, whether assets or processing activities, should include a question on the retention timeframe for that data.  The answer options for this question should match the standard retention periods from the company’s Records Retention Schedule but should also allow for respondents to indicate if a different retention schedule is in place and/or if the respondent is not sure.  Capturing that information at a granular level allows the Records Management team to confirm that the Records Retention Schedule has been operationalized throughout the organization.  It also allows the company to filter, search and summarize the information to be compliant with the many requirements of the CPRA.

Data retention regulations often deal with records (and in the case of the CPRA, specific processing categories), not assets.  Companies that maintain a data inventory at the appropriate level of detail will be able to query that data to create a matrix of key information on a category level.  The below chart shows an example of what the privacy notice might need to include starting in January 2023 using an example of just 2 of the 11 CCPA/CPRA categories.

Personal Identifiers
  Examples of PI Collected: Name, postal address, email address, identification numbers
  Sources of PI: From the Consumer, Clients, Service Providers, Government Entities, and Third Parties
  Purposes for PI Collection: Processing Interactions and Transactions; Managing Interactions and Transactions; Performing Services
  Categories of Recipients: Clients; Government Entities; Data Processors and Storage Providers; Service Providers
  Data Sold?: No
  Retention Period: 5 years after last transaction for customers, 3 years after separation for employees

Internet Usage Information
  Examples of PI Collected: Information regarding interactions with our website, computer systems, and/or devices
  Sources of PI: From the Consumer, Service Providers, and Third Parties
  Purposes for PI Collection: Processing Interactions and Transactions; Managing Interactions and Transactions; Performing Services; Security; Debugging
  Categories of Recipients: Marketing and Analytics Vendors and other Service Providers
  Data Sold?: No
  Retention Period: 12 months after the last transaction
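As an added illustration (not code from the article or from Ankura), the following Python rolls a granular inventory of the kind described above up to the category-level view the chart shows, keeping the "different schedule" and "not sure" answers to the retention question separate so the Records Management team can resolve them before a period is published. All item names, data elements and retention periods are constructed sample values.

```python
from collections import defaultdict

# Standard periods from a constructed Records Retention Schedule (sample values).
STANDARD_PERIODS = {
    "5 years after last transaction",
    "3 years after separation",
    "12 months after last transaction",
}

# Constructed inventory rows: each ties an asset or processing activity to a
# data subject, a CPRA processing category, its data elements, and the answer
# to the retention question (standard period, "other: ..." or "not sure").
INVENTORY = [
    {"item": "CRM", "subject": "customers", "category": "Personal Identifiers",
     "elements": ["name", "email address"],
     "retention": "5 years after last transaction"},
    {"item": "HRIS", "subject": "employees", "category": "Personal Identifiers",
     "elements": ["name", "postal address"], "retention": "3 years after separation"},
    {"item": "Help desk", "subject": "customers", "category": "Personal Identifiers",
     "elements": ["phone number"], "retention": "other: 7 years per contract"},
    {"item": "Web analytics", "subject": "customers",
     "category": "Internet Usage Information", "elements": ["browsing time"],
     "retention": "12 months after last transaction"},
    {"item": "Mail archive", "subject": "employees",
     "category": "Internet Usage Information", "elements": ["device ID"],
     "retention": "not sure"},
]

def rollup_by_category(rows, standard=STANDARD_PERIODS):
    """Per category: data elements held, the standard period(s) in use per data
    subject, and the items whose answer is non-standard or 'not sure'."""
    acc = defaultdict(lambda: {"elements": set(), "periods": defaultdict(set),
                               "follow_up": []})
    for r in rows:
        cat = acc[r["category"]]
        cat["elements"].update(r["elements"])
        if r["retention"] in standard:
            cat["periods"][r["subject"]].add(r["retention"])
        else:  # different schedule or unknown: resolve before publishing a period
            cat["follow_up"].append((r["item"], r["retention"]))
    # Freeze into sorted plain structures so the summary is easy to report.
    return {c: {"elements": sorted(v["elements"]),
                "periods": {s: sorted(p) for s, p in sorted(v["periods"].items())},
                "follow_up": sorted(v["follow_up"])}
            for c, v in acc.items()}

def ready_for_notice(summary):
    """Categories with one standard period per data subject and no open follow-ups."""
    return sorted(c for c, v in summary.items() if not v["follow_up"]
                  and all(len(p) == 1 for p in v["periods"].values()))
```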

If the CPRA requirements around reporting retention schedules don’t go into effect until January 1, 2023, why do I need to worry about this now?

While a year and a half may seem like enough time to prepare, companies should not underestimate the length of time it can take to create a comprehensive data inventory, develop a retention schedule, and operationalize it. In our experience, the timelines we have seen with our clients for each of these activities can vary significantly based on the size, structure, and data environment of the organization:

  • Data Inventory: 2 – 5 months
  • Records Retention Policy and Schedule: 2 – 4 months
  • Operationalizing a Records Retention Program: 6 months – 1 year

Even with a good set of data maps and a listing of assets to start with, capturing the required information for a data inventory takes time and will require the participation of 40 to 100 different individuals from within your company. This effort requires significant business exploration and can be a very time-consuming step even with automation in place to assist. Even if you already have a retention policy and schedule, in our experience most companies have not operationalized it. The deletion mechanisms and processes will need to be agreed upon with the relevant stakeholders, and everyone will need to be educated on the plan and practice implementing it.

More stringent data retention requirements are coming, and organizations should take the time now to review their current data retention programs, update them as needed, and operationalize them to comply with current and emerging privacy regulations.

Given the complexity of the upcoming CPRA requirements, we are publishing a series of articles on this topic.  Our first article introduced and reviewed the unique data retention and notice requirements of the CPRA.  Our second article provided guidance on developing a functional records management program. Our third article reviewed the creation of a defensible disposition process. This last article provided guidance on how to use your data inventory to update your privacy notice with the required retention periods for each category of personal information.
