In this series we’ve looked at recent developments in United States’ data privacy and security laws, primarily at the state level, that are transforming retention schedules and data disposal from merely prudent practices into compliance requirements:

  • State statutes on PII data security and data disposal in Alabama, Colorado, New Mexico, New York, Oregon, and Rhode Island now require that PII be disposed of when no longer required by retention laws or otherwise needed for business purposes.
  • New York’s DFS cybersecurity regulations now require DFS-regulated financial services businesses to have a records retention schedule tying retention of nonpublic information to legal requirements and business need, and to dispose of such data when it is no longer necessary for legal compliance or legitimate business purposes.
  • State data security statutes in Alabama, Connecticut, Delaware, Indiana, Kentucky, Louisiana, Michigan, Mississippi, New Hampshire, Ohio, South Carolina, and Virginia now require (or, once effective, soon will require) insurance licensees to have a retention schedule for nonpublic information and a mechanism for its disposal when no longer needed.
  • In 2019 and 2021 data security enforcement actions under FTC Act Section 5, the FTC now takes the position that over-retention of consumer PI is itself an unreasonable data security practice, and that a reasonable information security program includes data retention scheduling under which consumer PI is disposed of when no longer necessary.
  • State biometric data privacy statutes in Illinois, Texas, and Washington now require that biometric data subject to statutory protection generally be disposed of after the collection purpose has been satisfied, and Illinois’ BIPA also requires covered businesses to maintain and comply with a publicly available, written data retention schedule for biometric data.
  • California’s CCPA, due to the consumers’ right to request deletion of personal information, incents covered businesses to manage consumer PI under a legally-validated retention schedule and to dispose of such PI under the retention schedule once the PI is no longer needed to comply with legal retention requirements and the business’s needs for the consumer transaction or contract.
  • Virginia’s Consumer Data Protection Act (CDPA), signed into law this week and effective January 1, 2023, will require covered businesses (“data controllers”) to limit their collection of personal data and to generally not retain personal data for purposes not reasonably necessary to, or compatible with, the disclosed purposes for which such personal data is processed, unless the consumer consents.
  • And under the California Consumer Privacy Rights Act (CPRA), effective January 1, 2023, covered businesses will be required to manage PI under data retention schedule rules disclosed through notice to consumers, including their employees, and to dispose of PI once it is no longer required for legal compliance or reasonably necessary for the disclosed purposes for its collection and use.

Virtually every one of the above changes in data security and data privacy laws has happened in just the last few years, with similar legislation percolating in additional states’ legislatures across the country. The trend is unmistakable, and the pace of change is quickening. Managing data with retention scheduling and disposing of unnecessary data are becoming compliance requirements for data privacy and security.

What to do about this?

  • Clarify what constitutes protected information, based on your business’s geographic footprint and scope of operations.
  • Understand where protected information resides, both in your business’s data systems and through your relationships with service providers and contractors.
  • Update and legally validate your business’s data retention schedule, with particular attention to legally required retention periods for records and data sets containing protected information.
  • With that foundation in place, ensure that your business’s policies, contracts, privacy notices, training, and compliance systems ensure compliant practices for the safeguarding, timely disposal, and other processing of protected information.

But wait … aren’t these the same things that have always been good to do?  Of course.  Managing records and information (more broadly, Information Governance) has consistently been prudent, and increasingly so as our digital age has multiplied the volume and velocity of business data. Yet in the real world, what to do has never been as impactful as why to do it.  There needs to be an impetus to govern information, or at least to do it better, that drives actual change within the business.

In the 2000s, a powerful impetus for managing information retention and disposal was the rise of ediscovery, triggering concerns about (1) explosive litigation costs due to unnecessarily retained data and (2) the specter of spoliation sanctions if information is managed carelessly or poorly.  In the 2010s, a new impetus was the fear of data breaches, with their resulting reputational damage, business interruption, regulatory implications, and legal exposures, which are all multiplied by retaining unnecessary data.

For the 2020s, the dots already connect clearly – the new impetus for managing information retention and disposal will be data privacy and security compliance.  Buckle up.