[This is the second in a series of blog posts on how businesses should prepare for the California Privacy Rights Act which will enter into force on January 1, 2023]
When the California Privacy Rights Act (“CPRA”) takes effect on January 1, 2023, it will bring sweeping changes to data retention requirements in California.[1] Historically, many companies have over-retained data (and understandably so, since most risks under older laws related to a failure to keep data). The CPRA changes the data-retention landscape significantly by requiring companies to justify and disclose their retention policies, and to limit retention periods to only the time necessary to fulfill the company’s disclosed purpose for retaining the data.
[1] Final regulations under the CPRA are still pending and the information provided herein is subject to modification. This guidance also does not cover data retention principles under statutes other than CPRA.
Understanding these requirements and the steps necessary to comply with them is thus key for any covered company (as defined below) that collects personal information. The CPRA codifies two main data retention principles:
- Data Minimization: Only collect, process, and retain the minimum necessary personal information that is required for the purpose disclosed by the organization.
- Data Limitation: Only retain information for as long as necessary to fulfill the disclosed purpose.
COMPLYING WITH CPRA DATA RETENTION REQUIREMENTS
WHAT DO YOU HAVE TO DO?
Inform Consumers of Retention Period and Purpose: The CPRA requires any covered business that collects a consumer’s personal information to inform consumers of the length of time the business intends to retain each category of personal information and why the business is retaining the information. If that is not possible, the business should disclose the criteria used to determine how long the data will be retained.
Inform at or Before Time of Collection: The retention period must be disclosed to the consumer at or before the point of data collection.
Not Retain Longer than Reasonably Necessary: The business must not retain any personal information for longer than is reasonably necessary for the disclosed purpose.
DOES YOUR EXISTING DATA RETENTION PROGRAM SUFFICE?
CPRA focuses on data type (not record type): Retention programs have typically focused on record types (e.g., invoices, tax returns, receipts). The CPRA changes that focus by targeting detailed categories of personal information (for example: personal identifiers, financial, health, or biometric information). These detailed categories may be embedded or referenced in many record types, with multiple categories per record.
CPRA Requires Maximum Retention Periods: The CPRA requires companies to establish maximum retention periods rather than the commonly used minimum periods. This means that most companies will need to establish policies that expressly indicate how long specific types of data are held and the rationale for that period.
WHY LIMIT THE DATA YOU RETAIN?
Studies show that 75% of records with personal data are over-retained. This over-retained data poses significant risks under the CPRA.
Avoid Statutory Damages: CPRA includes an expanded private right of action with statutory damages ranging from $100 to $750 per consumer per incident. And those damages are added to fines from regulatory enforcement actions ranging from $2,500 to $7,500 per violation.
Avoid Breach Liability: Over-retaining increases liability risks for any data breach. Damages for a data breach may be increased when a company has kept data longer than was necessary.
Easier to Fulfill Individual Requests: Under the CPRA, the less personal information a company retains, the easier it will be to fulfill individual requests to access, delete, correct, or opt out of the selling or sharing of that data.
Avoid E-Discovery Risks: Over-retention expands the records that must be disclosed in litigation, increasing litigation costs and creating discovery risks.
3 STEPS TO DEFENSIBLE DATA RETENTION:
- DATA INVENTORY: Bring the right stakeholders to the table to discuss CPRA changes, including: (1) what personal information is collected; (2) why that personal information is collected (what do we use this for?); and (3) how long to keep this data (keeping in mind the justification for collecting it).
- ACTIONABLE RETENTION SCHEDULE: Create a revised retention schedule that incorporates the information gathered in your Data Inventory. Ensure that the retention schedule addresses each category of personal information collected and retains it only as long as is necessary to accomplish the purpose for which it is retained.
- OPERATIONAL CAPACITY: Use automation where possible to delete data in accordance with the retention schedule. If automation is not possible, assign an employee to ensure compliance with the revised policies.[1]
Is My Business a Covered Business Subject to the CCPA/CPRA?
All businesses that (1) conduct business in California for the profit or financial benefit of their shareholders or owners, (2) collect consumers’ (i.e., California residents’) personal information, and (3) meet any of the following three thresholds are covered businesses:
- Has annual gross revenues in excess of $25 Million; or
- Annually buys, receives, sells, or shares for commercial purposes the personal information of 50,000 (or 100,000 after January 1, 2023) or more consumers, households, or devices; or
- Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.
Covered businesses also include companies and individuals that control or are controlled by a business that satisfies the above requirements and have common branding (e.g., name, service mark, trademark, etc.) with a business that satisfies the above requirements.
CONCLUSION:
The CPRA’s data-retention requirements significantly change the way most covered businesses will retain consumer information. Revising data retention policies and processes to comply with the CPRA’s data retention requirements requires understanding what personal information is collected, why it is collected, and how long that information reasonably needs to be stored. AALRR is ready and able to help with this process and/or any questions you may have. Please contact the authors of this article or your trusted adviser at AALRR to discuss next steps or questions.
This AALRR post is intended for informational purposes only and should not be relied upon in reaching a conclusion in a particular area of law. Applicability of the legal principles discussed may differ substantially in individual situations. Receipt of this or any other AALRR publication does not create an attorney-client relationship. The Firm is not responsible for inadvertent errors that may occur in the publishing process.
© 2022 Atkinson, Andelson, Loya, Ruud & Romo
[1] Having a plan or policy and then not following it is a critical mistake. It opens your business up to increased liability and the Attorney General has often focused privacy enforcement on differences between a company’s plan and their actions.
Authors:
- Christopher Francis, Of Counsel: Christopher Francis is a seasoned litigator who focuses his practice on representing clients in complex domestic and international litigation cases. His practice includes investigating and defending allegations of Foreign ...
- Brian Wheeler, Partner: Brian Wheeler is Chair of the firm’s Commercial and Complex Litigation Practice Group. He also leads the firm’s Intellectual Property and Data Privacy practices within the Practice Group, overseeing AALRR’s team of ...