On November 3, 2020 California voters approved the California Privacy Rights Act (CPRA) by a healthy margin.  As we discussed last year, the CPRA addresses several perceived loopholes in the California Consumer Privacy Act (CCPA), and modifies and enlarges the CCPA’s requirements in several notable ways, including in the treatment of “sensitive personal information” and the sharing of personal information in the context of cross-context behavioral advertising.  However, one aspect of the CPRA that’s received comparatively little attention could also have a significant practical impact on covered businesses: a storage limitation requirement similar to that in the EU’s General Data Protection Regulation (GDPR).

Under Article 5.1(e) of the GDPR, personal data can be kept in a form that permits identification of data subjects for “no longer than is necessary for the purposes for which the personal data are processed.”  The CPRA brings this fundamental tenet stateside, providing that “[a] business that controls the collection of consumer’s personal information shall, at or before the point of collection, inform consumers as to . . . the length of time the business intends to retain each category of personal information, or if that is not possible, the criteria used to determine such period.”  The law also affirmatively prohibits businesses from “retain[ing] a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.”

So, what does this requirement mean for your business?  When the CPRA goes into effect on January 1, 2023, businesses subject to the law will need to (i) determine how long they plan to retain each category of personal information they collect from California consumers and update their notices at collection to include that time period; and (ii) implement policies and procedures to ensure that personal information is kept for no longer than necessary to accomplish the purposes for which it was collected.

This post discusses the considerations businesses should keep in mind when designing and implementing a record retention program before the CPRA’s effective date.

The Big Picture

The CPRA’s storage limitation principle goes against what, for many businesses, is standard operating procedure in the age of big data: keep everything, indefinitely.  This strategy assumes that when it comes to data, more is better, because you never know what might be useful one day.

That strategy, however, ignores the potentially significant risks associated with holding on to data beyond its useful life to the business—especially when that data includes personal information.  Those risks include costly data breaches.  In its 2019 complaint in In re InfoTrax Sys., the Federal Trade Commission cited a business’s ineffective record retention practices as a basis for a data security enforcement action.  To that end, the FTC listed the business’s failure “to have a systematic process for inventorying and deleting consumers’ personal information stored on InfoTrax’s network that is no longer necessary,” as one of the unreasonable security practices that led to multiple and repeated security breaches.  As part of its Decision and Order settling the case, the FTC required InfoTrax, among other things, to implement a comprehensive information security program that is subject to third-party biennial assessments for the next 20 years.

Having effective record retention practices is thus a keystone for any well-functioning data security and privacy program.  But laws like the GDPR and the CPRA, which directly impose specific retention and related notice obligations, raise the stakes significantly.

Hallmarks of Effective Record Retention Programs

Whether you are building your record retention practices from the ground up or looking to improve an existing program before the CPRA goes live, there are four core characteristics that are the hallmark of any effective record retention program.

1. Collaborative. To be effective, a record retention program must be an intra-departmental endeavor that involves key stakeholders from every aspect of the business.  Legal and IT cannot handle this alone—Finance, Environmental Health and Safety, Information Security, Sales, Operations, and any other departments involved in collecting, using, or disclosing data should have a seat at the table.  Sure, Legal should take the lead in drafting the language in the policy and schedule to comply with applicable laws and regulations.  But relevant business units should be involved in determining the appropriate timeframes for retention based on how the particular record is used and for what purpose or the contractual value of the record.  Likewise, Information Security personnel should be involved as they are the ones tasked with protecting all information on the company’s systems.  This intra-departmental approach allows for the company to know what type of records it collects, what department stores those records, and what department should verify that the records have been destroyed.

2. Clear & Complete. A record retention policy and corresponding retention schedule should be plain and simple so that any employee within the company can review and understand the company’s expectations as to: (i) what is a record under the policy; (ii) what records are maintained; (iii) how long different kinds of records should be retained; and (iv) acceptable practices for disposing of the records when their retention periods have expired.  A clear and complete policy and schedule should anticipate and address possible workarounds or loopholes, which could indicate an overly complex approach possibly leading to confusing and inconsistent record retention practices.  Ideally, the retention policy should include the scope of the policy, key definitions, legal hold procedures, and approved destruction procedures.  Similarly, the accompanying retention schedule should cover all relevant categories of records and include summary descriptions of each category, where they are located, and the business function that is responsible for retaining (and destroying) the record in accordance with the retention schedule’s timeframe.  A clear and complete record retention program can provide protection from potential legal attacks to your program and assurance that a business is consistently and systematically disposing of outdated records, which directly reduces its overall privacy and security risks.

3. Controlled. Record retention programs need corresponding controls to foster compliance and accountability. First, there should be a clearly-designated party (individual, group, or department – depending on the size of the business) tasked with managing record retention practices and delivering training on those practices.  Second, the record retention policy and schedule should be controlled documents within the company, e., edit rights should be restricted to only the designated party exclusively responsible for updating the retention policy and schedule.  This characteristic helps facilitate the routine updating of the schedule consistently across the enterprise to accurately reflect how the business collects, retains, and destroys records.

4. Compliant. Apart from the CPRA’s storage limitation requirements, businesses can already be subject to myriad record retention obligations.  Those obligations can arise from federal, state, and local laws relating to subjects such as financial accounting, worker safety, payroll, and employment.  The record retention policy and retention schedule should take those obligations into account, along with any industry- or business sector-specific obligations, and any contractual obligations that the business has undertaken that could extend the applicable retention periods.

Together, these four core characteristics help ensure that a business’s record retention policy and retention schedule are comprehensive, consistent, and accurately capture germane records.  These characteristics also ensure that the retention timeframes for those records are appropriately determined based on the record’s intended purpose and use.

Regardless of your company’s size and maturity, the CPRA provides a strong incentive to revisit your record retention management practices to ensure your company is best situated to comply.