Five steps to meeting the CPRA’s new data retention requirements

How you keep or delete customer information is key to earning their trust

  • Which personal information do you keep on your customers, and how do you decide whether to retain or eliminate it? The wrong strategy can leave your organization vulnerable to privacy intrusions and drive customer and stakeholder mistrust.
  • Enter the California Privacy Rights Act (CPRA), a new law prompting new requirements for data retention.
  • While CPRA won’t take effect until Jan. 1, 2023, companies will need the two years to prepare. Confirm your data and records footprint and review your existing retention capabilities, including technology; right-size, revamp and fully implement your retention policy and schedule; and update required disclosures and agreements. 
  • Treat the preparations as a time to modernize data retention. Strategically-minded companies will invest heavily in technology to tackle the challenge. They will fold the compliance plan into the overall plan to enhance customer and stakeholder trust.

Why is an effective data retention program more important than ever?

Consumer data trust is falling, not rising. Only 21% of consumers have greater trust in business use of their data, 36% are less comfortable sharing information than they were a year earlier and 85% wish they could trust more companies with their data, according to a 2020 PwC survey.

The California Consumer Privacy Act (CCPA) directly addresses these consumer concerns by requiring companies to disclose which types of personal information they collect, how it is obtained and used, and whether it’s sold or shared. The new law, the California Privacy Rights Act (CPRA), which goes into effect Jan. 1, 2023, goes further. It requires companies to disclose how long they keep each category of personal information or, if that’s not possible, the criteria they use to determine retention periods.  

Under CPRA, companies can no longer simply hold on to individuals’ personal data forever, at least not without justification and not without notifying consumers, employees and other stakeholders of the decision and rationale for doing so.

The data that’s removed is as important, perhaps more important, than the data that’s retained. Protecting privacy means collecting only fit-for-purpose data, then keeping and accessing only the data you’re required to keep (i.e., the principle of minimization). The less personal information that’s retained, the easier it will be for companies to fulfill CPRA-mandated individual requests to access, delete, correct or opt-out of selling or sharing that data. And eliminating obsolete or outdated data will help companies create more accurate and complete personalized experiences for customers. 

More importantly, over-retention of records creates a security and e-discovery risk. In one example, last June, hackers exposed the “BlueLeaks” collection, the term coined for nearly 270 gigabytes of data dating as far back as 24 years taken from hundreds of police agencies across the US. The breach revealed highly sensitive information such as ACH routing numbers and international bank account numbers as well as personally identifiable information and images of suspects — a risk that could have been mitigated if the agencies had effective retention policies in place. 

Increasing the cost of noncompliance is CPRA's expanded private right of action, with statutory damages ranging from $100 to $750 per consumer per incident. That’s on top of fines from regulatory enforcement actions ranging from $2,500 to $7,500 per violation and the longer-term financial impact resulting from reputational damage and loss of stakeholder trust. What’s more, a new California Privacy Protection Agency will have subpoena and audit powers, and it will coordinate investigations with regulators in other jurisdictions, including European data protection authorities. 

Will our existing data retention program suffice?

For most companies, bringing retention programs into compliance will be a big lift.  

CPRA retention requirements focus on personal information at a granular data category level: for example, personal identifiers along with financial, health, commercial, biometric, geolocation and employment information — personal information that is embedded or referenced in many record types and multiple categories per record. Examples of a customer record include invoices, receipts and targeted mailers. Retention programs have historically focused on these record types, not around the data category level as required by CPRA. That means many companies will probably have to go back to the drawing board on data retention policies.

CPRA requires companies to establish maximum retention periods, not just minimum periods as most of them do now, so they don’t hold data indefinitely.   

Data under long-term and/or enterprise-wide legal holds need special attention. Current processes for data disposal, once a legal hold is lifted, may be rendered obsolete or invalidated by CPRA. 

When should we take action? Now. Most companies will need the two years before CPRA goes into effect to update their data retention programs. Technology may need overhauling or upgrading, and platforms for storing structured and unstructured electronic records may need to be retooled. A roadmap leading to 2023 will be essential.

Five actions you should take immediately

1. Understand and evaluate existing retention schedule, procedures and tools

Which categories of personal information do you collect? What records store this data? How are you managing retention? Use a risk-based and prioritized approach to understand current procedures and tools. Assess your structured and unstructured data as well as automated and manual retention methods. Use the information you gain from the following steps to identify retention risks, policy revisions and operational gaps.

Confirm data and legal scope: Understand the geographic scope of records and data collected and retention-related requirements of applicable privacy laws as you revisit and update your retention schedule. Consider a privacy technology platform to accelerate this effort.

Identify where sensitive and high-priority information categories sit: Use existing data inventories and/or processes, including records of processing activities (ROPAs) and results of privacy impact assessments (PIAs), to identify sensitive and high-priority categories of personal information and support net-new information gathering at scale. For example, you need to know the specific records where a particular category of personal information is stored, whether it’s in a structured and/or unstructured format, how long it’s held and how it’s retained and disposed.  

Assess current tools and procedures for executing retention obligations: Confirm your existing tools and related procedures for fulfilling retention obligations for in-scope records, and determine where gaps exist. Where is the company ill-equipped from a people, process and/or technology perspective to dispose of data in line with your retention and disposition policies?

Understand existing non-record disposal policies: Some categories of personal information may not meet the definition of a record. These include extra copies of documents kept for convenience, reference stocks of publications and draft documents that do not contain unique information or that were not circulated for formal approval, comment or action. Review existing policies on the ongoing disposal of non-record information and understand how non-record policies are enforced.

Contact us

Joshua Rattan

Joshua Rattan

Principal, PwC US

Jay Cline

Jay Cline

US Privacy Leader, Principal, PwC US

Joseph Nocera

Joseph Nocera

Cyber & Tech Risk Solution Leader, Cybersecurity, Risk & Regulatory, PwC US

Sean Joyce

Sean Joyce

Global Cybersecurity & Privacy Leader, PwC US; Cyber, Risk & Regulatory Leader, PwC US

Follow us