Under the California Privacy Rights Act (CPRA), you cannot retain personal information forever. The days when you could collect users’ data, process it, and store it—just in case you needed it sometime in the future—are gone.
Unlike other data protection laws, such as the GDPR of the EU, the CPRA does not prevent you from collecting personal data freely without asking anyone. However, it doesn’t allow you to keep it longer than needed.
This article will delve into the CPRA requirements for data retention. We will explain the following:
A data retention period is the length of time you keep personal information (including employee data) on your systems for a business purpose. For CPRA compliance you cannot keep data indefinitely: once the purpose for which you collected it is satisfied, you must erase it.
Suppose you collect email addresses to send marketing messages to your consumers. The time between the moment you collect an email address and the moment you erase it is your retention period for email addresses.
There are two main reasons why you need a data retention period:
Although the CPRA does not explicitly require a written data retention policy, having one helps you stay on the right side of the law and avoid attention from the California Privacy Protection Agency.
Your data retention policy should say what kinds of personal information need to be processed and for what purposes. It should also say how long you need to keep such information.
You can establish a retention schedule for each category of personal information. For email addresses, you could decide to delete the addresses of consumers who have not opened any of your messages for six consecutive months. For Google Analytics data, you could delete it after two years, assuming you do not need data about your website visits for longer than that.
Your data retention policy tells you and your employees when a given kind of personal information must be erased, which makes meeting these CPRA requirements routine. It also makes it easier to inform consumers about your data retention practices, which leads us to the next question.
Yes, you’ll need to inform consumers about your data retention practices before or at the moment of data collection. Ideally, you’ll provide users with this information in your privacy policy.
CPRA explicitly prescribes the minimum information you need to present to users (CPRA Full Text Summary):
So, state the exact retention period in your privacy notice. Where that is not possible, explain the criteria you use to decide when it is time to delete the data.
In the example of the email, you don’t know for how many years and months you’ll retain the data. But you know that you’ll delete the emails of consumers who are unresponsive for six consecutive months. This is a situation where you can inform users of your retention criteria.
You can give them exact numbers for Google Analytics data, such as two years.
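The two kinds of retention rule described above (an exact period, as for the analytics data, and a criterion based on inactivity, as for the email addresses) are easiest to keep consistent when the schedule is a single machine-readable table that both the deletion job and the privacy-notice wording are derived from. The following is an added example, not code from the article or from any CPRA tooling; the record shape, the `hold` flag (standing in for a documented reason to keep a record past its normal period) and the sample inventory are constructed for illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional


def months_before(d: date, n: int) -> date:
    """Date n calendar months before d, clamping the day to the target month's length."""
    month_index = d.year * 12 + (d.month - 1) - n
    year, month = divmod(month_index, 12)
    month += 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class Record:
    """One stored item of personal information (constructed shape, not a real schema)."""
    record_id: str
    category: str                          # e.g. "marketing_email", "analytics"
    collected_on: date
    last_activity: Optional[date] = None   # e.g. last time a marketing email was opened
    hold: bool = False                     # assumption: set when a documented reason requires keeping it


@dataclass
class RetentionRule:
    category: str
    max_age_months: Optional[int] = None        # exact period: delete N months after collection
    max_inactive_months: Optional[int] = None   # criterion: delete after N months without activity

    def reason_to_delete(self, rec: Record, today: date) -> Optional[str]:
        """Return why the record is expired under this rule, or None if it may still be kept."""
        if self.max_age_months is not None and rec.collected_on <= months_before(today, self.max_age_months):
            return f"older than {self.max_age_months} months"
        if self.max_inactive_months is not None:
            last = rec.last_activity or rec.collected_on   # never-active records count from collection
            if last <= months_before(today, self.max_inactive_months):
                return f"no activity for {self.max_inactive_months} months"
        return None

    def notice_text(self) -> str:
        """Wording for the privacy notice: the exact period where one exists, otherwise the criterion."""
        if self.max_age_months is not None:
            return f"{self.category}: retained for {self.max_age_months} months after collection"
        return f"{self.category}: deleted after {self.max_inactive_months} months without activity"


# The schedule from the article: email addresses after six months without opens, analytics after two years.
SCHEDULE = {
    "marketing_email": RetentionRule("marketing_email", max_inactive_months=6),
    "analytics": RetentionRule("analytics", max_age_months=24),
}


def apply_schedule(records, schedule, today):
    """Split records into (to_delete, kept, unclassified); every deletion carries a reason for the audit log."""
    to_delete, kept, unclassified = [], [], []
    for rec in records:
        rule = schedule.get(rec.category)
        if rule is None:
            unclassified.append(rec)   # a category with no rule is a data-inventory gap, not a keep
            continue
        reason = rule.reason_to_delete(rec, today)
        if reason and not rec.hold:
            to_delete.append((rec.record_id, reason))
        else:
            kept.append(rec.record_id)
    return to_delete, kept, unclassified


# Constructed sample inventory.
SAMPLE = [
    Record("e1", "marketing_email", date(2023, 1, 10), last_activity=date(2023, 9, 1)),  # opened recently
    Record("e2", "marketing_email", date(2023, 1, 10), last_activity=date(2023, 2, 1)),  # stale
    Record("e3", "marketing_email", date(2022, 12, 1)),                                   # never opened
    Record("a1", "analytics", date(2021, 6, 1)),                                          # older than two years
    Record("a2", "analytics", date(2022, 6, 1)),                                          # within two years
    Record("a3", "analytics", date(2021, 1, 1), hold=True),                               # expired but held
    Record("x1", "support_ticket", date(2020, 1, 1)),                                     # no rule defined yet
]
TODAY = date(2023, 10, 1)   # fixed "today" so the run is reproducible


if __name__ == "__main__":
    to_delete, kept, unclassified = apply_schedule(SAMPLE, SCHEDULE, TODAY)
    for rule in SCHEDULE.values():
        print("notice:", rule.notice_text())
    for record_id, reason in to_delete:
        print(f"delete {record_id}: {reason}")
    print("kept:", kept)
    print("no retention rule:", [r.record_id for r in unclassified])
```

Two design points carry over to real systems: the job reports records whose category has no rule instead of silently keeping them, because such records are exactly what a data-mapping exercise is meant to surface, and every deletion is logged with the rule that triggered it, which is the evidence you want on hand if the California Privacy Protection Agency asks how your stated retention periods are enforced.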
Yes, that is possible in three cases: one is related to providing incentives to consumers in return for data, and the other two are exemptions from the CPRA.
CPRA explicitly allows businesses to offer financial incentives to consumers in return for
Financial incentives can come in the form of payments or a change in the price, rate, level, or quality of goods or services for the consumer, as long as the price or difference is related to the value that the consumer’s data brings the business.
Two CPRA exemptions allow you to keep data after processing purposes have expired:
Unless one of these reasons applies, you may not keep your customers' personal information for longer than is reasonably necessary for the purpose you disclosed; once that purpose is fulfilled, delete it.
The CPRA requires you to have written contracts with the service providers, contractors, and third parties with whom you share consumer data. Those contracts should bind the recipient to the same retention limits you observe, so that personal information does not outlive its purpose in a vendor's systems.
In addition, the CPRA allows service providers to delete personal information that should not be retained in the ordinary course of business.
These three data privacy laws in two different jurisdictions have different requirements for businesses.
The General Data Protection Regulation of the EU is widely regarded as the world's strictest data protection law. Its storage limitation principle requires that personal data be kept in a form that identifies data subjects for no longer than is necessary for the purposes for which it is processed.
The California Consumer Privacy Act (CCPA) contains no significant retention requirements for covered businesses. As long as the consumer does not request the erasure of personal information, you can retain it.
On the other hand, CPRA brings some new requirements for covered businesses processing data about California residents. It introduces the data minimization and data retention principles in California, requiring businesses to process the minimum amount of data for the minimum amount of time necessary for processing purposes.
CPRA data retention obligations are not hard to meet. They require a small investment in resources to ensure that you stay away from enforcement actions.
The road to compliance starts with a data mapping exercise that produces a data inventory. It is good practice to involve all the stakeholders in your data mapping so that the information you gather is accurate. Once you have such an inventory, you will know how and why data flows within your organization, and that will tell you how long you need to keep each type of personal information.
The CPRA also requires businesses whose processing presents significant risk to consumers' privacy or security to perform regular risk assessments and cybersecurity audits.
Finally, keep in mind that the CPRA applies to personal information collected on or after 1 January 2022, which means the data retention obligations already cover data you hold today. Setting up a sound data retention policy now is a no-brainer for your business.