Record retention and records management policies are key elements for a company’s data protection program. Numerous recently enacted, or amended, data protection laws adopt data retention or storage limitation principles to safeguard personal information. Companies that do not have clearly defined record retention practices should take notice. Companies with existing practices should review those practices to ensure they comply with applicable legislation and their information security program.

The recently passed California Privacy Rights Act of 2020 (CPRA), which amends and supplements the California Consumer Privacy Act (CCPA), adopts the EU General Data Protection Regulation (GDPR) storage limitation principle. Under the GDPR, record retention practices play a significant role; storage limitation is a key data processing principle. Personal data must be stored only as long as needed to achieve the articulated purpose for which it was collected, thus ensuring the retention period is limited to a strict minimum. The goal is to minimize risks to the privacy and security of the personal data. The longer a business retains personal data, the more opportunity exists for unauthorized and perhaps unlawful access, use, or disclosure of that data. EU regulators have emphasized the importance of storage limitation in various GDPR enforcement actions, including a €14.5 million fine assessed by the Berlin Commissioner for Data Protection and Freedom of Information for improper data storage and retention.

Similarly, under the CPRA, a business shall not retain a consumer’s personal information for longer than is reasonably necessary for the stated purpose for which it was collected. (Comparable to the GDPR, the business must also disclose to the individual the length of time it intends to retain the data or, if that is not possible, the criteria it uses to determine that period.) A failure to implement and comply with an appropriate data retention and disposal schedule may result in a violation of the CPRA’s storage limitation principle.

A company’s data retention practices may be exposed in various ways. For purposes of the CPRA, a California regulator may examine a business’s data retention practices, or the absence of such practices, when investigating a consumer complaint. For example, a consumer may exercise their right to know what personal information a business maintains about him or her. In response, the business may disclose that it maintains personal information the consumer believes is no longer needed for the purpose for which it was collected, such as when the consumer is no longer a member of the business’s loyalty program. Or, a business may notify the consumer of a data breach affecting their personal information, and the consumer may take the position that the business no longer needed this information for the purpose for which it was collected. Alternatively, in the course of investigating a data breach to determine whether the business failed to implement reasonable safeguards, an enforcement agency may discover that the business retained personal information for longer than the agency believes was reasonable. This might also be discovered when a consumer brings a private cause of action alleging that the business’s failure to implement reasonable safeguards resulted in the unauthorized access or disclosure of their information in a data breach.

A company’s failure to retain personal information for only as long as needed to satisfy the specific, stated purpose for which it was collected may violate the CPRA storage limitation principle. However, the CPRA also imposes an affirmative duty on a business to implement reasonable safeguards to protect personal information from unauthorized or illegal access, destruction, use, modification or disclosure. Enforcement bodies may view storage limitation practices as a basic reasonable safeguard and the failure to implement or follow storage limitations may also constitute a violation of this affirmative duty.

The Federal Trade Commission took such a position in a complaint alleging unfair acts or practices in relation to a personal data breach. The FTC alleged that a U.S. technology business failed to implement reasonable safeguards, which enabled a hacker to access consumer personal information. In its complaint, the FTC listed several of the business’s data security practices that it argued were unreasonable, including the failure to have a systematic process for inventorying and deleting consumers’ personal information when no longer needed. The 2019 settlement agreement requires the company to implement an information security program to address the security failures raised in the complaint.

Currently, over twenty states, including Florida, Texas and Illinois, have laws requiring businesses that collect and maintain personal information to implement reasonable safeguards to protect that data. Although the majority of these statutes do not define reasonable safeguards, it is likely that state attorneys general will agree with the FTC’s position that deleting personal information when no longer needed is a “reasonable, low-cost, and readily available security” safeguard.

Over thirty states, including California, New York and Colorado, have enacted laws requiring businesses to securely dispose of records containing certain personal information when no longer needed. Compliance with these laws necessitates developing and adhering to appropriate data retention schedules and records management policies. However, unlike the CPRA, the storage limitations imposed by these laws are not tied expressly to completion of the specific purpose for which the data was obtained.

Prolonged data retention creates heightened risk to the privacy and security of the personal information a company maintains. Minimizing that risk, and reducing potential liability, necessitates understanding existing records management, data retention, and data destruction practices. With the increased statutory focus on record retention and, in some cases, movement toward more restrictive storage limitations, companies will want to review or develop an informed data retention schedule, identify any contractual, statutory or operational needs for retaining personal data, and determine whether the company retains stale or legacy data. As with any data protection activity, these steps will be most effective when performed by an interdisciplinary team.

For more information on the CPRA or data protection best practices, please see our blog