Under the California Privacy Rights Act (CPRA), you cannot retain personal information forever. The days when you could collect users’ data, process it, and store it—just in case you needed it sometime in the future—are gone.
Unlike other data protection laws, such as the GDPR of the EU, the CPRA does not prevent you from collecting personal data freely without asking anyone. However, it doesn’t allow you to keep it longer than needed.
This article will delve into the CPRA requirements for data retention. We will explain the following:
- What is CPRA data retention?
- Why you need a data retention period
- If you need a data retention policy
- If you should inform consumers about your data retention policies
- How you can retain personal information after fulfilling your purposes
- In which situations you must not retain personal information
- What the data retention requirements are for service providers and contractors
What is CPRA data retention?
A data retention period is when you retain personal information (including employee data) on your servers for business purposes for a length of time. For CPRA compliance, you cannot keep data forever and must erase it from your servers after a while.
You collect email addresses to send marketing messages to your consumers. Such period between the moment of collection of the email address and the moment of erasure of the same address is your email address retention period.
Why do I need a data retention period?
There are two main reasons why you need a data retention period:
- You should not retain personal information that you don’t need. Personal data must be considered an asset, not a liability. If you store data that you don’t use for anything, that’s a liability. It creates risks of unauthorized access to other data breaches while not creating benefits for your business.
- The email addresses of your responsive consumers are an asset. You can use them to reach out to consumers who want to hear from you.
- Email addresses of unresponsive consumers are a liability. They wouldn’t open your emails. If a data breach involving your emails occurs, they have the right to take private action. They could sue you, make you pay statutory damages, and compensate you for their losses due to the data breach.
- That’s why you need to remove the data you don’t need from your databases—there are no benefits, only risks.
- The risks are even higher if you handle sensitive information like precise geolocation, biometric information, social security numbers, and other similar data.
- CPRA requires you to retain the data for no longer than necessary. It states that your retention “shall be reasonably necessary and proportionate to achieve the purposes” for which it was collected, processed, or for another disclosed purpose. Moreover, the data collected for one purpose must not be processed for other purposes.
- Simply put, you should store your data only as long as necessary to fulfill your business purposes. Once such purposes have been fulfilled, you cannot store them anymore and need to delete them.
- In the example of the email addresses, keep the data of your responsive consumers and delete the data of your unresponsive ones.
Do I need a data retention policy?
Even though the CPRA doesn’t say you have to have a data retention policy, it’s good to have one to stay on the right side of the law and keep the California Privacy Protection Agency from giving you trouble.
Your data retention policy should say what kinds of personal information need to be processed and for what purposes. It should also say how long you need to keep such information.
You can establish a retention schedule for each category of personal information. For the email addresses, you could determine to delete emails from consumers who haven’t opened your email messages for six consecutive months. For Google Analytics data, you can choose to delete it after two years, assuming you don’t need data about your website visits for longer than that.
Your data retention policy will inform you and your employees when you need to erase some personal information and comply with these CPRA requirements effortlessly. In addition, it will make it easier for you to inform consumers about your data retention programs and practices, which leads us to the next question.
Do I have to inform consumers about data retention?
Yes, you’ll need to inform consumers about your data retention practices before or at the moment of data collection. Ideally, you’ll provide users with this information in your privacy policy.
CPRA explicitly prescribes the minimum information you need to present to users (CPRA Full Text Summary):
- How long do you plan to keep each type of personal information, even sensitive personal information, or
- If you can’t figure out the exact retention period in advance, this is how to figure it out.
So, include the exact retention period in your privacy notice. Where that is not possible, give consumers an idea of how you will determine when it is time to delete their data.
In the example of the email, you don’t know for how many years and months you’ll retain the data. But you know that you’ll delete the emails of consumers who are unresponsive for six consecutive months. This is a situation where you can inform users of your retention criteria.
You can give them exact numbers for Google Analytics data, such as two years.
How can I retain personal information after fulfilling my purposes?
Yes, that is possible in three cases: one is related to providing incentives to consumers in return for data, and the other two are exemptions from the CPRA.
Data retention due to incentives for consumers
CPRA explicitly allows businesses to offer financial incentives to consumers in return for
- The collection of personal information,
- The sale or sharing of personal information, or
- The retention of personal information
Financial incentives can come in the form of payments or a change in the price, rate, level, or quality of goods or services for the consumer, as long as the price or difference is related to the value that the consumer’s data brings the business.
Data retention based on CPRA exemptions
Two CPRA exemptions allow you to keep data after processing purposes have expired:
- You can anonymize or aggregate consumer data. Such personal information is exempt from the CPRA, and, as a result, the CPRA does not apply to it. You can go ahead and process it for as long as you want. However, if you change such data and make it possible to identify consumers again, CPRA applies again.
- A law enforcement agency requires you not to delete a consumer’s personal information who has requested deletion. You must retain such data but not use it for anything. All you can do with it is store it until the law enforcement agency directs you to behave in another way.
In which situations must I delete personal information and not retain it any longer?
Unless you have a good reason to keep the personal information of your customers, you must delete it immediately.
- Personal information is collected and processed for verification of the identity of the consumer who submits a consumer request. Sometimes, you’ll need to ask requesters for additional information to ensure that you provide the information to the right person. They will give you this information, and once you’ve made sure they’re who they say they are, you need to get rid of it from your databases.
- Personal information that has been subject to an opt-out request
What are the data retention requirements for service providers and contractors?
CPRA requires you to have written contracts with service providers, contractors, and third parties with whom you share consumer data. A promise not to keep personal information must be one of the most important parts of this type of contract.
- For purposes other than those specified in the contract, and
- Outside of the direct business relationship between the contractor and the business.
In addition, CPRA allows service providers to delete any information that should not be retained in the ordinary business.
Retention policies: CPRA v. CCPA v. GDPR
These three data privacy laws in two different jurisdictions have different requirements for businesses.
The General Data Protection Regulation of the EU is the world’s strictest law. It takes data security seriously and therefore requires businesses to remove data subjects’ data upon satisfying processing purposes immediately.
The California Consumer Privacy Act (CCPA) contains no significant requirements for covered businesses. As long as the consumer does not request the erasure of personal information, you can retain it.
On the other hand, CPRA brings some new requirements for covered businesses processing data about California residents. It introduces the data minimization and data retention principles in California, requiring businesses to process the minimum amount of data for the minimum amount of time necessary for processing purposes.
How to comply with the CPRA data retention obligations
CPRA data retention obligations are not hard to meet. They require a small investment in resources to ensure that you stay away from enforcement actions.
The road to compliance starts with a simple data mapping exercise leading to a data inventory. It is a good practice to involve all the stakeholders in your data mapping to ensure that the information you get is accurate. Once you have such an inventory, you’ll know how and why data flows within your organization. That will answer your question about how long to keep each type of personal information.
CPRA also requires businesses to do regular risk assessments and cybersecurity audits to ensure their data is safe.
Finally, keep in mind that the CPRA has a look-back period that starts on 1 January 2022, which means that the data retention obligations already apply to you. It may seem like a no-brainer for your business to set up a good data retention policy.
