Businesses in the United States have a new imperative to carefully manage records retention and promptly dispose of unnecessary information (and no, it’s not due to GDPR or other global privacy law developments).  Recent changes in U.S. data security and privacy laws, and the trends they portend, are elevating the disposal of unnecessary data from a risk management strategy to a compliance requirement.

Managing data volumes has always been prudent.  Using retention schedules to curb relentless data growth remains an established, sensible way to keep business operations efficient, manage storage expense, mitigate ediscovery costs, and limit data security and privacy exposures.  Perhaps the most trenchant explanation was offered by former U.S. District Court Magistrate Judge John Facciola:  “If your clients don’t have a records management system, they may as well take their money out into the parking lot and set it on fire.”

But as a matter of pure legal compliance, U.S. federal and state laws have historically followed a “mandatory minimum” retention approach, requiring that businesses keep specified records for at least a mandated retention period, but not compelling disposal.  With precious few exceptions, U.S. businesses have not been legally required to (1) manage data with retention schedules and (2) dispose of unnecessary data.  And U.S. privacy and data security laws have generally been silent on retention periods for protected information.  For example, HIPAA and its Privacy and Security Standards impose no retention period on covered entities for protected health information (PHI); the Gramm-Leach-Bliley Act (GLBA) and its federal functional regulators’ privacy regulations and Interagency Security Guidelines do not explicitly require financial institutions to dispose of unnecessary nonpublic customer information (NPI); and the FACTA Disposal Rule only speaks to how, not when, to compliantly dispose of consumer report information.

Well … that was then, and this is a new now, driven by recent changes in U.S. data security and privacy laws.  I’ll dig deeper into these developments in upcoming posts, but here are the high points:

Data Security
  • Several states have recently amended their data security statutes to mandate disposal of unnecessary personally identifiable information (PII).  Alabama (2019), Colorado (2018), New Mexico (2017), New York (2020), and Rhode Island (2016) have now joined Oregon in requiring that businesses dispose of records containing PII when such records are no longer needed.  Ala. Code § 8-38-10; Colo. Rev. Stat. § 6-1-713(1); N.M. Stat. Ann. § 57-12C-3N.Y. Gen. Bus. Law § 899-bb(2)(b)(ii)(C)(4); R.I. Gen. Laws § 11-49.3-2(a).
  • The New York DFS Cybersecurity Requirements for Financial Services Companies now require covered entities to, pursuant to a retention policy and procedures, dispose of specified NPI that is no longer necessary for business operations or legitimate business purposes.  23 NYCRR § 500.13.
  • The NAIC Model Insurance Data Security Law (2017), already adopted by 11 states, requires insurance industry licensees’ data security programs to “[d]efine and periodically reevaluate a schedule for retention of Nonpublic information and a mechanism for its destruction when no longer needed.”  NAIC MDL-668 § 4(B)(4).
  • For decades the Federal Trade Commission has used Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce,” 15 U.S.C. § 45(a)(1), to pursue companies with inadequate and unreasonable data security practices.  In its recent Section 5 enforcement actions against InfoTrax Systems (2019) and  SkyMed International (2020), the FTC alleged that the failure to dispose of personal information once “no longer necessary” was itself an unreasonable data security practice. And the consent orders in these FTC enforcement matters explicitly require the respondents to have policies, procedures, and measures to delete personal information once it is no longer necessary.
Data Privacy

With limited exceptions, such as the Children’s Online Privacy & Protection Rule under COPPA, U.S. sector-specific privacy laws have not explicitly required businesses to maintain retention schedules or to dispose of unnecessary personal data.  But state data privacy laws are now elevating data retention schedules and disposal of unnecessary personal data as core privacy compliance requirements.

  • Under state biometric data privacy statutes, biometric data subject to statutory protection must generally be disposed of after the collection purpose has been satisfied. The Illinois Biometric Information Privacy Act (BIPA, 2008) requires that private entities possessing biometric identifiers or biometric information must maintain a written, publicly available policy for permanently destroying such data upon the earlier of when the initial purpose for collecting or retaining the data has been satisfied or within three years of the individual’s last interaction with the private entity.  740 ILL. COMP. STAT. 14/15(a).  The Texas Biometric Privacy Act (2009) requires persons possessing an individual’s biometric identifier captured for a commercial purpose to destroy such data within a reasonable time period, not exceeding one year after the purpose of collection expires.  TEX. BUS. & COM. CODE ANN. § 503.001(c)(3).  And under Washington’s biometric privacy law (2017), biometric identifiers must be disposed of once no longer reasonably necessary to comply with legal requirements, to protect against specified exposures, or to provide the services for which the data was enrolled.  WASH. REV. CODE § 19.375.020(4)(b).
  • The California Consumer Privacy Act (CCPA), effective January 1, 2020, requires that covered businesses must delete  consumers’ personal information (PI) from their records after receiving a verifiable consumer request, unless further retention is required by law or is justified for specific business purposes listed in the CCPA. Cal. Civ. Code § 1798.105.  This deletion right generally applies to PI of customers and other natural persons, but, for now, not to specified forms of HR recordkeeping.  Cal. Civ. Code § 1798.145(m)(as amended November 3, 2020).
  • And the California Privacy Rights Act (CPRA), enacted as a November 2020 ballot initiative and generally effective January 1, 2023, makes sweeping changes to the CCPA, including new provisions regarding data retention and disposal.  Under the CPRA, covered businesses:
    • Must inform consumers how long the business intends to retain each category of PI the business collects, or if that is not possible, the criteria used to determine the retention period.
    • Must not retain PI for longer than is reasonably necessary for the disclosed purpose of collection.

Cal. Civ. Code § 1798.100 (effective January 1, 2023).  Notably, while both the CCPA and CPRA have temporarily exempted specified forms of HR recordkeeping from the ambit of their PI deletion, disclosure, and other rights for consumers, the above new records retention and data disposal requirements nevertheless will be fully applicable to covered businesses’ HR records.

These new compliance requirements for retention schedules and data disposal target a broad range of U.S. businesses.  Yet even more significant is the trend line.  Momentum is growing in additional states to adopt data privacy laws akin to Illinois’ BIPA and California’s CCPA/CPRA (for tracking of these various state legislative efforts, check out Husch Blackwell’s superb data privacy blog, ByteBack).  Also, as time passes, states are continually expanding the definitions of personal information protected under their data security and privacy laws, compounding the impact of these new requirements.

Consider this:  in 2002, only one state, California, had a PII breach notification statute, and by 2018 there were such laws in every one of the 50 states, plus the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands.  The expanding scope of state data security and data privacy laws seems inevitable, and these recent developments — requiring records retention schedules and disposal of unnecessary personal information — up the ante, right now, for managing data retention carefully, consistently, and compliantly.

[Post updated 2/24/2021 with additional citations]