Consumer data trust is falling, not rising. Only 21% of consumers have greater trust in business use of their data, 36% are less comfortable sharing information than they were a year earlier and 85% wish they could trust more companies with their data, according to a 2020 PwC survey.
The California Consumer Privacy Act (CCPA) directly addresses these consumer concerns by requiring companies to disclose which types of personal information they collect, how it is obtained and used, and whether it’s sold or shared. The new law, the California Privacy Rights Act (CPRA), which goes into effect Jan. 1, 2023, goes further. It requires companies to disclose how long they keep each category of personal information or, if that’s not possible, the criteria they use to determine retention periods.
Under CPRA, companies can no longer simply hold on to individuals’ personal data forever, at least not without justification and not without notifying consumers, employees and other stakeholders of the decision and rationale for doing so.
The data that’s removed is as important, perhaps more important, than the data that’s retained. Protecting privacy means collecting only fit-for-purpose data, then keeping and accessing only the data you’re required to keep (i.e., the principle of minimization). The less personal information that’s retained, the easier it will be for companies to fulfill CPRA-mandated individual requests to access, delete, correct or opt-out of selling or sharing that data. And eliminating obsolete or outdated data will help companies create more accurate and complete personalized experiences for customers.
More importantly, over-retention of records creates a security and e-discovery risk. In one example, last June, hackers exposed the “BlueLeaks” collection, the term coined for nearly 270 gigabytes of data dating as far back as 24 years taken from hundreds of police agencies across the US. The breach revealed highly sensitive information such as ACH routing numbers and international bank account numbers as well as personally identifiable information and images of suspects — a risk that could have been mitigated if the agencies had effective retention policies in place.
Increasing the cost of noncompliance is CPRA's expanded private right of action, with statutory damages ranging from $100 to $750 per consumer per incident. That’s on top of fines from regulatory enforcement actions ranging from $2,500 to $7,500 per violation and the longer-term financial impact resulting from reputational damage and loss of stakeholder trust. What’s more, a new California Privacy Protection Agency will have subpoena and audit powers, and it will coordinate investigations with regulators in other jurisdictions, including European data protection authorities.
For most companies, bringing retention programs into compliance will be a big lift.
CPRA retention requirements focus on personal information at a granular data category level: for example, personal identifiers along with financial, health, commercial, biometric, geolocation and employment information — personal information that is embedded or referenced in many record types, often with multiple categories per record. Examples of a customer record include invoices, receipts and targeted mailers. Retention programs have historically focused on these record types, not on the data category level as required by CPRA. That means many companies will probably have to go back to the drawing board on data retention policies.
CPRA requires companies to establish maximum retention periods, not just minimum periods as most of them do now, so they don’t hold data indefinitely.
Data under long-term and/or enterprise-wide legal holds needs special attention. Current processes for disposing of data once a legal hold is lifted may be rendered obsolete or invalidated by CPRA.
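The three points above (category-level granularity, maximum retention periods and legal holds) interact in a way that is easier to see in code. The following is an added example, not code from the article or from PwC: it models a record whose fields carry different personal-information categories, applies a per-category maximum retention period, lets a legal hold block disposal entirely, and reports any field whose category has no maximum at all, since indefinite retention is what now needs explicit justification. The policy table, field-to-category mapping, record layout and sample records are all constructed for illustration.

```python
"""Field-level retention check at the data-category level.

Added example; policy values, field names and sample records are constructed.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed policy: maximum retention (in days) per personal-information category.
# A category missing here has no maximum and is reported rather than silently kept.
MAX_RETENTION_DAYS = {
    "identifier": 365 * 7,
    "financial": 365 * 7,
    "geolocation": 90,
    "commercial": 365 * 2,
}

# Constructed mapping from each record field to the category of data it carries.
# "loyalty_tier" is mapped to a category with no maximum, to exercise that path.
FIELD_CATEGORY = {
    "customer_id": "identifier",
    "bank_account": "financial",
    "last_known_location": "geolocation",
    "purchase_history": "commercial",
    "loyalty_tier": "employment",
}


@dataclass
class Record:
    record_id: str
    collected_on: date
    fields: dict
    legal_hold: bool = False


@dataclass
class Decision:
    purge_fields: list = field(default_factory=list)      # past category maximum
    keep_fields: list = field(default_factory=list)       # within category maximum
    unbounded_fields: list = field(default_factory=list)  # no maximum defined
    blocked_by_hold: bool = False


def evaluate(record: Record, today: date) -> Decision:
    """Decide, field by field, what may be disposed of for one record."""
    decision = Decision()
    if record.legal_hold:
        # A legal hold takes precedence over every retention maximum.
        decision.blocked_by_hold = True
        decision.keep_fields = sorted(record.fields)
        return decision
    age_days = (today - record.collected_on).days
    for name in sorted(record.fields):
        limit = MAX_RETENTION_DAYS.get(FIELD_CATEGORY.get(name))
        if limit is None:
            decision.unbounded_fields.append(name)
        elif age_days > limit:
            decision.purge_fields.append(name)
        else:
            decision.keep_fields.append(name)
    return decision


def apply_decision(record: Record, decision: Decision) -> dict:
    """Return the record's fields with expired categories removed."""
    return {k: v for k, v in record.fields.items() if k not in decision.purge_fields}


# Constructed sample records evaluated as of 1 Jan 2023.
SAMPLE_DATE = date(2023, 1, 1)
SAMPLE_RECORDS = [
    Record("r1", date(2022, 6, 1), {"customer_id": "c-1", "last_known_location": "37.8,-122.4",
                                    "purchase_history": ["sku-9"], "loyalty_tier": "gold"}),
    Record("r2", date(2015, 3, 10), {"customer_id": "c-2", "bank_account": "XX-0001"}, legal_hold=True),
    Record("r3", date(2015, 3, 10), {"customer_id": "c-3", "bank_account": "XX-0002",
                                     "purchase_history": []}),
]


def run_sample() -> dict:
    """Evaluate the constructed records; returns {record_id: (Decision, remaining fields)}."""
    out = {}
    for rec in SAMPLE_RECORDS:
        dec = evaluate(rec, SAMPLE_DATE)
        out[rec.record_id] = (dec, apply_decision(rec, dec))
    return out


if __name__ == "__main__":
    for rid, (dec, remaining) in run_sample().items():
        print(rid, dec, "remaining:", sorted(remaining))
```

The point the example makes is that category-level retention cannot be implemented as "delete the record after N years": the same customer record can have its geolocation purged at 90 days while its identifiers remain, and only once every category has expired (as in the third sample record) does the record disappear altogether. The unbounded-field report is the hook for the disclosure obligation: anything it lists is data the company is keeping without a stated maximum.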
When should we take action? Now. Most companies will need the two years before CPRA goes into effect to update their data retention programs. Technology may need overhauling or upgrading, and platforms for storing structured and unstructured electronic records may need to be retooled. A roadmap leading to 2023 will be essential.
Which categories of personal information do you collect? What records store this data? How are you managing retention? Use a risk-based and prioritized approach to understand current procedures and tools. Assess your structured and unstructured data as well as automated and manual retention methods. Use the information you gain from the following steps to identify retention risks, policy revisions and operational gaps.
Confirm data and legal scope: Understand the geographic scope of records and data collected and retention-related requirements of applicable privacy laws as you revisit and update your retention schedule. Consider a privacy technology platform to accelerate this effort.
Identify where sensitive and high-priority information categories sit: Use existing data inventories and/or processes, including records of processing activities (ROPAs) and results of privacy impact assessments (PIAs), to identify sensitive and high-priority categories of personal information and support net-new information gathering at scale. For example, you need to know the specific records where a particular category of personal information is stored, whether it’s in a structured and/or unstructured format, how long it’s held and how it’s retained and disposed.
Assess current tools and procedures for executing retention obligations: Confirm your existing tools and related procedures for fulfilling retention obligations for in-scope records, and determine where gaps exist. Where is the company ill-equipped from a people, process and/or technology perspective to dispose of data in line with your retention and disposition policies?
Understand existing non-record disposal policies: Some categories of personal information may not meet the definition of a record. These include extra copies of documents kept for convenience, reference stocks of publications and draft documents that do not contain unique information or that were not circulated for formal approval, comment or action. Review existing policies on the ongoing disposal of non-record information and understand how non-record policies are enforced.