This series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements.
The California Consumer Privacy Act, effective January 1, 2020, was the United States’ first state-level comprehensive data privacy law. And the CCPA blogging blitzkreig has not been merely hype – the CCPA presages a fundamental shift in U.S. privacy law.
The statute was a bit convoluted in its original form, almost as if the California legislature had hurriedly cobbled it together in a week’s time to avoid different provisions becoming law through a ballot initiative spearheaded by private activists, and which would have been essentially immune to subsequent direct amendment by the legislature (oops, that’s actually what happened). Today’s CCPA is the also the product of a flurry of legislative clean-up amendments, supplemented by now-final California regulations (not that anything is ever quite final in California), and with a few targeted statutory amendments effective now due to last November’s adoption of the CPRA by ballot referendum.
Much thoughtful guidance is available elsewhere on the CCPA’s scope, applicability, and the various consumer rights it creates, including notice/transparency, access, deletion, and sale opt-out. Our narrow focus here is on whether and how the CCPA affects the need of covered businesses (1) to manage PI with retention scheduling and (2) to dispose of PI once no longer necessary.Continue Reading Less data is more than ever: the CCPA