Consumer data trust is falling, not rising. Only 21% of consumers have greater trust in business use of their data, 36% are less comfortable sharing information than they were a year earlier and 85% wish they could trust more companies with their data, according to a 2020 PwC survey.
The California Consumer Privacy Act (CCPA) directly addresses these consumer concerns by requiring companies to disclose which types of personal information they collect, how it is obtained and used, and whether it’s sold or shared. The new law, the California Privacy Rights Act (CPRA), which goes into effect Jan. 1, 2023, goes further. It requires companies to disclose how long they keep each category of personal information or, if that’s not possible, the criteria they use to determine retention periods.
Under CPRA, companies can no longer simply hold on to individuals’ personal data forever, at least not without justification and not without notifying consumers, employees and other stakeholders of the decision and rationale for doing so.
The data that’s removed is as important, perhaps more important, than the data that’s retained. Protecting privacy means collecting only fit-for-purpose data, then keeping and accessing only the data you’re required to keep (i.e., the principle of minimization). The less personal information that’s retained, the easier it will be for companies to fulfill CPRA-mandated individual requests to access, delete, correct or opt-out of selling or sharing that data. And eliminating obsolete or outdated data will help companies create more accurate and complete personalized experiences for customers.
More importantly, over-retention of records creates a security and e-discovery risk. In one example, last June, hackers exposed the “BlueLeaks” collection, the term coined for nearly 270 gigabytes of data dating as far back as 24 years taken from hundreds of police agencies across the US. The breach revealed highly sensitive information such as ACH routing numbers and international bank account numbers as well as personally identifiable information and images of suspects — a risk that could have been mitigated if the agencies had effective retention policies in place.
Increasing the cost of noncompliance is CPRA's expanded private right of action, with statutory damages ranging from $100 to $750 per consumer per incident. That’s on top of fines from regulatory enforcement actions ranging from $2,500 to $7,500 per violation and the longer-term financial impact resulting from reputational damage and loss of stakeholder trust. What’s more, a new California Privacy Protection Agency will have subpoena and audit powers, and it will coordinate investigations with regulators in other jurisdictions, including European data protection authorities.
For most companies, bringing retention programs into compliance will be a big lift.
CPRA retention requirements focus on personal information at a granular data category level: for example, personal identifiers along with financial, health, commercial, biometric, geolocation and employment information — personal information that is embedded or referenced in many record types and multiple categories per record. Examples of a customer record include invoices, receipts and targeted mailers. Retention programs have historically focused on these record types, not around the data category level as required by CPRA. That means many companies will probably have to go back to the drawing board on data retention policies.
CPRA requires companies to establish maximum retention periods, not just minimum periods as most of them do now, so they don’t hold data indefinitely.
Data under long-term and/or enterprise-wide legal holds need special attention. Current processes for data disposal, once a legal hold is lifted, may be rendered obsolete or invalidated by CPRA.
When should we take action? Now. Most companies will need the two years before CPRA goes into effect to update their data retention programs. Technology may need overhauling or upgrading, and platforms for storing structured and unstructured electronic records may need to be retooled. A roadmap leading to 2023 will be essential.
Which categories of personal information do you collect? What records store this data? How are you managing retention? Use a risk-based and prioritized approach to understand current procedures and tools. Assess your structured and unstructured data as well as automated and manual retention methods. Use the information you gain from the following steps to identify retention risks, policy revisions and operational gaps.
Confirm data and legal scope: Understand the geographic scope of records and data collected and retention-related requirements of applicable privacy laws as you revisit and update your retention schedule. Consider a privacy technology platform to accelerate this effort.
Identify where sensitive and high-priority information categories sit: Use existing data inventories and/or processes, including records of processing activities (ROPAs) and results of privacy impact assessments (PIAs), to identify sensitive and high-priority categories of personal information and support net-new information gathering at scale. For example, you need to know the specific records where a particular category of personal information is stored, whether it’s in a structured and/or unstructured format, how long it’s held and how it’s retained and disposed.
Assess current tools and procedures for executing retention obligations: Confirm your existing tools and related procedures for fulfilling retention obligations for in-scope records, and determine where gaps exist. Where is the company ill-equipped from a people, process and/or technology perspective to dispose of data in line with your retention and disposition policies?
Understand existing non-record disposal policies: Some categories of personal information may not meet the definition of a record. These include extra copies of documents kept for convenience, reference stocks of publications and draft documents that do not contain unique information or that were not circulated for formal approval, comment or action. Review existing policies on the ongoing disposal of non-record information and understand how non-record policies are enforced.
Which data should be kept? How long should it be kept? What do we need to update? Before you overhaul your entire retention schedule, develop a right-sized approach and plan tailored to fit your organization.
Confirm where updates are necessary: Identify the subset of record types that require potential retention period changes, starting with records that include high-risk or sensitive personal information.
Identify and prioritize high-risk record types: Key risk areas within existing retention schedules include where records that contain personal information have been tagged for permanent retention as well as where biometrics and other highly sensitive personal information is being captured and recorded.
Determine updates to retention periods: Legal, privacy, data and information governance teams should determine appropriate retention periods at a record and data category level. The business, which ultimately determines use cases for data, is also integral to this process, particularly when it comes to setting and justifying minimum and maximum retention periods.
These teams should consider legal retention requirements and use cases, privacy-related exceptions (e.g., for CPRA) and rules of agencies such as the IRS, HIPAA and OSHA. Legal retention requirements can be used as the baseline for determining retention periods.
The retention period can be a set time frame — three years after an account is no longer active or after contracts or relationships are terminated, for instance.
Determine go-forward mechanisms for disposal: Deletion may not always be the right disposal approach. In some cases, it could mean de-identification, which can be helpful in balancing long-term analytics needs. Determine how you’ll dispose of each record type containing personal information in both structured and unstructured formats.
You’ve identified and prioritized relevant categories of personal information, record types and needed updates to retention periods. Now it's time to update your retention policy and schedule.
Record retention schedules typically follow a ‘‘big bucket’’ approach, grouping retention requirements into large buckets to reduce and streamline operational complexity. CPRA dictates that you adjust those schedules to account for additional granularity and for non-record disposal.
As the schedule is updated to incorporate these new privacy requirements, continue to look for opportunities to streamline operations. Minimize the number of records for permanent retention and limit the number of ‘‘event trigger’’ requirements to minimize operational overhead.
Engage with business stakeholders to appropriately map the revised retention requirements to the data and information assets in your organization. Plan for change management so that enforcing the updated retention policy doesn’t negatively affect your business.
Implement routine disposal processes: Particularly when it comes to personal information, a trigger depends on when the data is no longer needed. Evaluate and implement triggers in new or existing business processes to identify and dispose of this data in a timely manner in accordance with your updated retention schedule. Incorporate exception processes to address legal holds or other regulations, including anti-money laundering and Know Your Customer requirements.
Implement incremental technologies and tools: Retention management tools and other new technology can help automate timely disposal of data. You can use third parties to host and manage retention of data on your behalf, but this approach carries risks. Your company will need specific contractual provisions and monitoring capabilities to ensure the third party’s adherence to retention requirements.
Customers need to know how you’re better protecting their data through enhanced data retention policies. Update your privacy notices to reflect required disclosures around retention of personal information.
Determine approach to disclosures: The level of detail can vary. One organization might disclose the actual retention periods for each category of personal information, while another might simply disclose its method for determining retention periods, an alternative provided in CPRA.
Consider stakeholder privacy experience: When updating your privacy notice, consider what experience you want for your customers. Include information about your organization’s privacy stance and privacy platform, consumer navigation of privacy features, and how you handle data. The notice language should be easy for consumers to understand. Also review existing third-party contracts and amend them to include sufficient provisions for retention requirements.
Our PwC colleagues Joe DeMarzio and Neha Thakrar contributed to this article.