On November 3, 2020 California voters approved the California Privacy Rights Act (CPRA) by a healthy margin. As we discussed last year, the CPRA addresses several perceived loopholes in the California Consumer Privacy Act (CCPA), and modifies and enlarges the CCPA’s requirements in several notable ways, including in the treatment of “sensitive personal information” and the sharing of personal information in the context of cross-context behavioral advertising. However, one aspect of the CPRA that’s received comparatively little attention could also have a significant practical impact on covered businesses: a storage limitation requirement similar to that in the EU’s General Data Protection Regulation (GDPR).
Under Article 5.1(e) of the GDPR, personal data can be kept in a form that permits identification of data subjects for “no longer than is necessary for the purposes for which the personal data are processed.” The CPRA brings this fundamental tenet stateside, providing that “[a] business that controls the collection of a consumer’s personal information shall, at or before the point of collection, inform consumers as to . . . the length of time the business intends to retain each category of personal information, or if that is not possible, the criteria used to determine such period.” The law also affirmatively prohibits businesses from “retain[ing] a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.”
So, what does this requirement mean for your business? When the CPRA goes into effect on January 1, 2023, businesses subject to the law will need to (i) determine how long they plan to retain each category of personal information they collect from California consumers and update their notices at collection to include that time period; and (ii) implement policies and procedures to ensure that personal information is kept for no longer than necessary to accomplish the purposes for which it was collected.
This post discusses the considerations businesses should keep in mind when designing and implementing a record retention program before the CPRA’s effective date.
The Big Picture
The CPRA’s storage limitation principle goes against what, for many businesses, is standard operating procedure in the age of big data: keep everything, indefinitely. This strategy assumes that when it comes to data, more is better, because you never know what might be useful one day.
That strategy, however, ignores the potentially significant risks of holding on to data beyond its useful life to the business—especially when that data includes personal information. Those risks include costly data breaches. In its 2019 complaint in In re InfoTrax Sys., the Federal Trade Commission cited a business’s ineffective record retention practices as a basis for a data security enforcement action. Specifically, the FTC listed the business’s failure “to have a systematic process for inventorying and deleting consumers’ personal information stored on InfoTrax’s network that is no longer necessary” as one of the unreasonable security practices that led to multiple and repeated security breaches. As part of its Decision and Order settling the case, the FTC required InfoTrax, among other things, to implement a comprehensive information security program subject to third-party biennial assessments for the next 20 years.
Having effective record retention practices is thus a keystone for any well-functioning data security and privacy program. But laws like the GDPR and the CPRA, which directly impose specific retention and related notice obligations, raise the stakes significantly.
Hallmarks of Effective Record Retention Programs
Whether you are building your record retention practices from the ground up or looking to improve an existing program before the CPRA goes live, four core characteristics are the hallmarks of any effective record retention program.
Together, these four core characteristics help ensure that a business’s record retention policy and retention schedule are comprehensive, consistent, and accurately capture germane records. These characteristics also ensure that the retention timeframes for those records are appropriately determined based on the record’s intended purpose and use.
Regardless of your company’s size and maturity, the CPRA provides a strong incentive to revisit your record retention management practices to ensure your company is best situated to comply.