This series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements.
Forgive me, but to fully appreciate the impact of state data privacy laws on managing records retention and disposing of unnecessary data, a bit of history is needed (if you’re allergic to history, skip this post). Our focus is through the narrow lens of two key elements of data privacy regimes: data minimization (only collecting the minimum of personal data needed for the collection purposes) and storage limitation (only keeping personal data for as long as needed for these purposes).
United States data privacy law is a global outlier. That’s ironic, given that the building blocks of modern data privacy law, the Fair Information Privacy Practices (FIPPs), were first expressed in a 1973 report by the U.S. Department of Health, Education, and Welfare, Records, Computers, and the Rights of Citizens. As originally framed, the FIPPs (Transparency, Access, Choice, Correction, and Quality/Protection) did not speak directly to data minimization or storage limitation. At least at the outset, the FIPPs did not expressly call for minimizing collection of personal data or deleting personal data once its collection purpose was satisfied.
If data privacy were a religion, and the FIPPs its original Word, what came next was inevitable – inspiration spread globally and resulted in various denominations, each restating and taking the core beliefs in different directions, as influenced by cultural factors and, with data privacy law, governing philosophies:
- The 1980 Guidelines on the Protection of Privacy and Transborder Flows of Personal Data of the Organization for Economic Cooperation and Development (OECD) expressed eight privacy principles, largely incorporating the FIPPs, but with nuances. The OECD Guidelines included a Collection Limitation Principle: “There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.” Id., Paragraph 7 (data minimization). The Guidelines also provided a Use Limitation Principle, under which “[p]ersonal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [the Purpose Specification Principle] except (a) with the consent of the data subject; or (b) by the authority of law.” Id., Paragaph 10 (emphasis added). While still not calling explicitly for the disposal of unnecessary personal information, the “or otherwise used” language in the Use Limitation Principle invited an understanding of data retention and disposal as implicit in “use,” thereby suggesting a storage limitation principle.
- The EU took things yet further on data disposal, among other direct compliance requirements. The 1995 EU Data Protection Directive required member states to provide in their conforming national privacy laws that personal data must be “adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed.” Id., Art. 6, § 1(c)(emphasis added, data minimization). Personal data must also be “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes” and must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.” Id., Art. 6, § 1(b)&(e)(emphasis added). “Processed” was defined to encompass a wide range of operations over the personal data’s lifecycle, from “collection” through “storage” and ultimately “erasure or destruction.” Id., Art. 2(b). The Directive thus moved further toward requiring disclosure of retention practices and disposal of personal information after its collection purposes are satisfied (storage limitation).
- In 2018 the EU’s General Data Protection Regulation (GDPR) became effective, replacing the EU Directive, but keeping in place the data minimization and storage limitation provisions of the Directive. Id., Art. 4(2) & Art. 5, § 1(b),(c),&(e).
- Similar data privacy regimes have emerged around the world. For example, Canada’s Personal Information Protection & Electronic Documents Act (PIPEDA) contains principles of both data minimization (“[t]he collection of personal information must be limited to that which is needed for the purposes identified by the organization”) and storage limitation (“[u]nless the individual consents otherwise or it is required by law, personal information can only be used or disclosed for the purposes for which it was collected [and p]ersonal information must only be kept as long as required to serve those purposes”). Id., Principles 4 & 5. And Brazil’s General Data Protection Law (LGPD) incorporates data minimization and storage limitation in its principle of Necessity, under which processing is limited to “the minimum necessary to achieve its purposes, covering data that are relevant, proportional and non-excessive in relation to the purposes of the data processing.” Id., Art. 6 (III). The LGPD specifically provides that “[p]ersonal data shall be deleted following the termination of their processing, within the scope and technical limits of the activities….” Id., Art 16.
In contrast, the U.S. downplayed direct compliance requirements for data privacy at private sector businesses, such as data minimization and storage limitation, and instead pursued a self-regulatory approach, primarily emphasizing notice and consent, and to a lesser degree, access and security. The point was to limit direct government regulation of the private sector and to encourage privacy self-regulation through free market principles and competitive forces. Thus, in its 1998 Report to Congress, the FTC took a hands-off approach on direct privacy regulation of private-sector businesses. And two years later, when the FTC’s 2020 Report urged Congress to reverse course from self-regulation and instead enact a general data privacy law authorizing a comprehensive regulatory regime for on-line data privacy, Congress wasn’t interested. Instead, the U.S. continued in its sector-specific approach, with federal laws mandating information privacy in targeted sectors of commerce, such as:
- HIPAA – individuals’ protected health information (PHI) collected or used by covered entities and business associates.
- GLBA – consumers’ non-public information (NPI) collected or used by financial institutions.
- FERPA – students’ personally identifiable information (PII) collected or used by educational agencies and institutions.
- FCRA/FACTA – consumer report information collected or used by credit reporting agencies and by furnishers and users of such information.
These U.S. federal laws do not require data minimization or storage limitation for private-sector businesses, unlike what has transpired in data privacy regimes in the EU and elsewhere. The sole exception was on-line privacy protections for minors, which the FTC encouraged in its 1998 Report to Congress. Within just four months Congress enacted the Children’s Online Privacy Protection Act (COPPA). The FTC’s COPPA regulations incorporate the storage limitation principle by requiring that covered online service operators “retain personal information collected online from a child for only as long as is reasonably necessary to fulfill the purpose for which the information was collected.” 16 C.F.R. § 312.10. And at least one U.S. government agency professed that it would follow data minimization and storage limitation principles. The Department of Homeland Security’s 2008 policy memorandum on data privacy provides that “DHS should only collect PII that is directly relevant and necessary to accomplish the specified purpose(s) and only retain PII for as long as is necessary to fulfill the specified purpose(s)” (though one can drive a Patriot Act-sized truck through the “specified purpose” loophole).
As a result, the FTC was left on its own to address data privacy generally in the U.S. private sector, beyond its authorized enforcement of certain sector-specific laws such as COPPA and GLBA. Not to be glib, but this was a bit like the FTC showing up with a knife for a gun fight. Denied the “gun” of a comprehensive federal data privacy law, the FTC used the “knife” of enforcement actions under Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a)(1). The result of over two decades of such FTC enforcement, usually ending in consent decrees with private businesses, has been dubbed a “new common law of privacy.” But, in part because these enforcement actions were grounded in Section 5 deception or unfairness, the FTC’s core focus was on notice and consent, to ensure that businesses treated data privacy as they said they would in their privacy policies (or as reasonable consumers would fairly expect).
Thus, after launching the modern era of data privacy, and unlike the EU and other global regions, the United States shied away from imposing federal data minimization and storage limitation requirements for data privacy upon private sector businesses. Yet under federalism, states get to weigh in too – and now they are. Stay tuned.