Last month California finalized its updated regulations under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). With the CPRA, California has upped the ante on requiring data retention schedules and disposal of unnecessary data.
As always, to fully appreciate where we are, we need to remember from where we’ve come. With but rare exceptions, U.S. data privacy laws have not explicitly required data retention schedules, or data minimization (only collect data we need), or storage limitation (dispose of data when no longer needed). But this began to change in January 2020 with the CCPA, the United States’ first state-level comprehensive data privacy law.
CCPA incented retention schedules and data disposal
The CCPA mandated data minimization through the vehicle of notice, by prohibiting covered businesses from collecting additional categories of PI or using collected PI for additional purposes beyond the purposes noticed at collection, without such notice to the consumer. Cal. Civ. Code § 1798.100(b). Yet as originally enacted, the CCPA did not explicitly require either retention scheduling or, absent a consumer’s verifiable deletion request, data disposal.
But the CCPA quietly did make managing data retention and disposal a practical priority, due to the repercussions of the CCPA’s deletion right. Consumers’ ability under the CCPA to request deletion of their PI shifted decision-making power for data retention from the covered business to its consumers, leaving the business at their unpredictable mercy – some consumers might be fine with, or oblivious to, lengthy data retention, while others could insist, through verifiable deletion requests, that their PI be disposed of promptly. The result is a costly and inefficient predicament for such businesses.
Yet the CCPA’s deletion right has safe harbors. A covered business can compliantly refuse a deletion request if retaining the consumer’s PI is necessary for such matters as completing the transaction with the consumer, performing a contract with the consumer, or to “[c]omply with a legal obligation,” Cal. Civ. Code § 1798.105(d). And the CCPA does not restrict a covered business’s ability to “[c]omply with federal, state, or local laws,” such as legal retention requirements. Cal. Civ. Code § 1798.145(a)(1).
These are precisely the kind of factors used to establish retention periods in a well-constructed data retention schedule. And so, covered businesses that manage personal data under a legally validated retention schedule and that dispose of such data once no longer required can avoid uncertainty, inefficiency, and cost in handling CCPA consumer deletion requests.
CPRA explicitly requires retention schedules and data disposal
Effective January 1, 2023, the CPRA made sweeping changes to the CCPA. And regarding retention schedules and data disposal, while the CCPA was indirect, the CPRA says the quiet part out loud – loud and clear. Under the CPRA, covered businesses:
- Must inform consumers how long the business intends to retain each category of PI the business collects, or if that is not possible, the criteria used to determine the retention period.
- Must not retain PI for longer than is reasonably necessary and proportionate for the disclosed purpose(s) of collection or processing.
Cal. Civ. Code § 1798.100(a)(3) & (c). Thus, for the first time under any U.S. comprehensive data privacy law, the CPRA explicitly and directly requires covered businesses to both (1) manage the CPRA’s broad range of PI under data retention schedule rules disclosed through notice to consumers, and (2) dispose of PI once it is no longer required for legal compliance or as reasonably necessary for the disclosed purposes for its collection and use.
The CPRA’s enactment also marked another important change in the impact of these requirements. Under the CCPA, the PI of covered businesses’ employees was exempt from the various consumer rights, including the deletion right. But coinciding with enactment of the CPRA, the employee PI exemption expired. So now, the CPRA’s retention schedule and data deletion requirements also apply to employee data.
The CPRA maintains consumers’ CCPA rights to request PI access and disposal, and it also adds new consumer rights, such as the right to rectify inaccurate PI and the right to limit use and disclosure of sensitive PI. As a result, the same practical incentives continue, as under the original CCPA, for covered businesses to carefully manage data retention and disposal. Prudent businesses will still want to carefully manage retention of PI in light of the logistics, cost, and inefficiency involved in responding to verifiable requests. And because of the deletion right’s safe harbors, covered businesses that dispose of PI under a legally validated retention schedule once the PI is no longer needed to comply with legal retention requirements or the business’s needs for the consumer transaction or contract will be free of the cost, inefficiency, and unpredictability of selectively deleting the PI of individual consumers.
But because it also contains direct, explicit requirements for data minimization and storage limitation, the CPRA elevates data retention schedules and disposal of unnecessary data from prudent practice to direct, explicit compliance requirements.
The civil and administrative enforcement date for the CPRA and its newly finalized regulations is upon us – July 1, 2023. And California no longer stands alone in using comprehensive privacy laws to compel data minimization and data storage limitation. We’ll explore that next time, in Less Data #6.