Records retention and management policies are key components of a company’s data protection program. Many recently enacted or amended data protection laws adopt data retention or storage limitation principles to protect personal information. Companies that don’t have clearly defined record retention practices should consider establishing them. Companies with existing practices should review those practices to ensure they comply with applicable law and their information security program.
The recently passed California Privacy Rights Act of 2020 (CPRA), which amends and supplements the California Consumer Privacy Act (CCPA), adopts the storage limitation principle of the EU General Data Protection Regulation (GDPR). Under the GDPR, record retention practices play an important role; storage limitation is a key principle of data processing. Personal data should only be kept for as long as necessary to fulfill the purpose for which it was collected, thus ensuring that the retention period is limited to the strict minimum. The objective is to minimize the risks to the confidentiality and security of personal data. The longer a business retains personal data, the more opportunities there are for unauthorized and possibly unlawful access, use or disclosure of that data. EU regulators have highlighted the importance of limiting storage in various GDPR enforcement actions, including a €14.5 million fine imposed by the Berlin Commissioner for Data Protection and Freedom of Information for improper storage and retention of data.
Similarly, under the CPRA, a business must not keep a consumer’s personal information longer than is reasonably necessary for the stated purpose for which it was collected. (As with the GDPR, the company must also disclose to the individual how long it intends to retain the data or, if that is not possible, the criteria it uses to determine that duration.) Failure to implement and adhere to an appropriate data retention and disposal schedule may result in a violation of the CPRA Storage Limitation Principle.
A company’s data retention practices can be exposed in a variety of ways. For purposes of the CPRA, a California regulator may review a company’s data retention practices, or lack thereof, when investigating a consumer complaint. For example, a consumer can exercise their right to know what personal information a business holds about them. In response, the business may disclose that it retains personal information that the consumer believes is no longer necessary for the purpose for which it was collected, such as when the consumer is no longer a member of the business’ loyalty program. Alternatively, a business may notify the consumer of a data breach affecting their personal information, and the consumer may conclude that the company no longer needed this information for the purposes for which it was collected. Likewise, during a data breach investigation to determine whether the company has failed to implement reasonable safeguards, a law enforcement agency may discover that the company has retained personal information for longer than it considers reasonable. Retention practices can also be exposed when a consumer brings a private action alleging that the company’s failure to implement reasonable safeguards resulted in the unauthorized access or disclosure of their information in a data breach.
Retaining personal information for longer than necessary to fulfill the specific, stated purpose for which it was collected may violate the CPRA’s Storage Limitation Principle. However, the CPRA also imposes a positive obligation on a business to implement reasonable safeguards to protect personal information from unauthorized or unlawful access, destruction, use, alteration or disclosure. Enforcement agencies may regard storage limitation practices as a basic reasonable safeguard, and failure to comply with storage limitations may also constitute a breach of this positive obligation.
The Federal Trade Commission has taken such a position in a complaint alleging unfair acts or practices in connection with a personal data breach. The FTC alleged that a US technology company failed to implement reasonable safeguards, allowing a hacker to gain access to consumers’ personal information. In its complaint, the FTC listed several data security practices the company engaged in, including the lack of a systematic process for inventorying and deleting consumers’ personal information when it is no longer needed, which the FTC said was unreasonable. The 2019 settlement agreement requires the company to implement an information security program to address the security vulnerabilities raised in the complaint.
Currently, more than twenty states, including Florida, Texas and Illinois, have laws requiring companies that collect and maintain personal information to implement reasonable safeguards to protect that data. Although the majority of these statutes do not define reasonable safeguards, it is likely that state attorneys general will agree with the FTC’s position that deletion of personal information when it is no longer needed is a “reasonable, inexpensive and readily available security” safeguard.
Over thirty states, including California, New York and Colorado, have enacted laws requiring companies to securely dispose of records containing certain personal information when they are no longer needed. Compliance with these laws requires developing and adhering to appropriate data retention schedules and records management policies. However, unlike the CPRA, the storage limitations imposed by these laws are not expressly tied to fulfilling the specific purpose for which the data was obtained.
Prolonged data retention creates an increased risk to the privacy and security of personal information retained by a business. To minimize this risk and reduce potential liability, it is necessary to understand existing practices for records management, data retention, and data destruction. With the law’s emphasis on record retention and, in some cases, the move towards more restrictive storage limitations, businesses will want to review or develop an informed data retention schedule, identify any contractual, statutory or operational requirements to retain personal data, and determine whether the company retains obsolete or legacy data. As with any data protection activity, these steps will be most effective when carried out by an interdisciplinary team.
© 2022 Jackson Lewis. National Law Review, Volume X, Number 364