This series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements.

Today’s companion post explores how the California Consumer Privacy Act (CCPA), without statutory provisions explicitly requiring data minimization or storage limitation, nevertheless incents covered businesses to carefully manage retention and disposal of personal information (PI).  But less than two years from now, the script gets flipped, with California mandating both data minimization and storage limitation for businesses covered by the California Privacy Rights Act (CPRA).

The CPRA became law through a November 2020 ballot initiative.  Generally effective on January 1, 2023, the CPRA makes sweeping changes to the CCPA, including new provisions that directly require data retention management and data disposal.  Under the CPRA, covered businesses:

  • Must inform consumers how long the business intends to retain each category of PI the business collects, or if that is not possible, the criteria used to determine the retention period.
  • Must not retain PI for longer than is reasonably necessary and proportionate for the disclosed purpose(s) of collection or processing.

Cal. Civ. Code § 1798.100(a)(3) & (c) (effective January 1, 2023).  Thus, for the first time under any U.S. federal or state comprehensive data privacy law, The CPRA will explicitly and directly require covered businesses (1) to manage the CPRA’s broad range of PI under data retention schedule rules disclosed through notice to consumers, and (2) to dispose of PI once it is no longer required for legal compliance or reasonably necessary for the disclosed purposes for its collection and use.

The CPRA maintains consumers’ CCPA rights to request PI access and disposal, and it also adds additional consumer rights, such as to rectify inaccurate PI and to limit use and disclosure of sensitive PI.  As a result, the same incentives as under the CCPA will continue for covered businesses to carefully manage data retention and disposal.   Prudent businesses will still want to carefully manage retention of PI in light of the logistics, cost, and inefficiency involved in responding to verifiable requests.  And because of the deletion right’s safe harbors, covered businesses that dispose of PI under a legally-validated retention schedule once the PI is no longer needed to comply with legal retention requirements or the business’s needs for the consumer transaction or contract will be free of the cost, inefficiency, and unpredictability of selectively deleting the PI of individual consumers.

But because it also contains direct, explicit requirements for data minimization and storage limitation, the CPRA elevates data retention schedules and disposal of unnecessary PI from prudent practice to compliance requirements.

Revised Definition of PI

The CPRA preserves the CCPA’s broad footprint of “personal information,” only tweaking it in two respects:

  • The core definition of PI is qualified by reasonableness:  “Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household….”
  • Some additional types of information are added to the existing exclusion from PI under the CCPA (information publicly available from government records or information that is deidentified or aggregated).  Under the CPRA, PI also does not include information that the business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media; or information made available by a person to whom the consumer has disclosed the information without restricting the information to a specific audience; or lawfully obtained, truthful information that is a matter of public concern.

CAL. CIV. CODE § 1798.145(v)(effective January 1, 2023).

Important Quirks of The Revised Employee Data Exemption

Remember the mention in the companion post about the CCPA’s partial exemption for Employee Data?  The CPRA maintains this exemption from responding to employees’ requests, at least until January 1, 2023.  It’s possible that this exemption will indeed go away then, exposing covered businesses to the full weight of CPRA compliance for employee PI.  On the other hand, the Employee Data exemption has already been extended twice, and it is of course plausible, perhaps even likely, that the California legislature could keep it alive and well beyond 2023.

But here’s the takeaway –  even if the California legislature further extends the life of the Employee Data exemption, the CPRA’s framing of this exemption contains two significant twists:

  • Retention Scheduling Disclosure Will Be Required for Employee Data:  Under the CPRA, covered businesses will remain obligated to provide privacy notices to their employees, as under the CCPA.  But because of the CPRA’s broader scope for consumer notice requirements, covered businesses will need to notify their employees, as for other consumers, of:
    • The categories of PI to be collected, the purposes for which the PI categories are collected or used, and whether such PI is sold or shared. CIV. CODE § 1798.100(a)(1).
    • If business collects sensitive PI, the categories of sensitive PI to be collected, the purposes for which the sensitive PI categories are collected or used, and whether such PI is sold or shared. CIV. CODE § 1798.100(a)(2).
    • The length of time the business intends to retain each category of PI and sensitive PI, or if not possible, the criteria used to determine such period.

CAL. CIV. CODE § 1798.100(a)(1)-(3)(effective January 1, 2023) (emphasis added).

  • Storage Limitation Will Be Required for Employee Data:  Under the CPRA, just as for other consumers, businesses will be prohibited from retaining employees’ PI or sensitive PI for each disclosed collection purpose “for longer than is reasonably necessary for that disclosed purpose.”  CAL. CIV. CODE § 1798.100(a)(3)(effective January 1, 2023).

Some CCPA-covered businesses, working fast and hard to ramp-up for CCPA compliance, understandably put HR and benefits data to the side, relying on the CCPA Employee Data exemption.  But due to the above changes in scope to the Employee Data exemption under the CPRA (whether or not the exemption is further extended), covered businesses need to revisit their HR and benefits data now to prepare for impending CPRA compliance, with updated retention scheduling for employee data, retention periods for employee data tied to legal retention requirements and collection purposes, and revised employee privacy notices.

… and Beyond

Lots of proposed comprehensive data privacy laws are in the works across the states.  In past years this has been like watching an endless loop of Lucy swiping the football from Charlie Brown.  But 2021 seems different, with various bills gaining attention-worthy traction.  You can keep an eye on the 2021 proposed legislation through two excellent tracking tools:

Though the various 2021 bills differ in detail, most incorporate data minimization and storage limitation principles for covered businesses.  For example, the Virginia CDPA, now passed by the Virginia legislature and ready for the Governor’s signature, requires that data controllers:

  • “Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer;” and
  • “Except as otherwise provided in this chapter, not process [including storage of] personal data for purposes not reasonably necessary to, or compatible with, the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.”

Id. at § 59.1-574(A)(1)& (2).  In other words, as comprehensive data privacy legislation plays out across the states in 2021 and beyond, the imperatives for businesses to carefully manage data retention and disposal will only increase.