Starting in January 2023, businesses subject to the California Privacy Rights Act (CPRA) will be required to publish the retention periods for each category of personal and sensitive personal information they collect, manage, store, share, or sell.
CPRA Section 1798.100 (General Duties of Businesses that Collect Personal Information) states that businesses subject to the CPRA must disclose:

"The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period, provided that a business shall not retain a consumer's personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose."
Imagine the difficulty of publishing a single retention period for all data elements that fall under the category "Personal Identifiers", such as first and last name or phone number: depending on whether those elements appear in a contract, a help desk ticket, a bill, or an email, their retention periods will differ widely.
How can you use your data inventory to be compliant with the CPRA?
Companies likely already know that a complete data inventory is a key building block for a privacy program: it can be used to update the privacy notice, allocate security controls where they are needed, and respond to consumer requests in a timely and efficient manner. What companies may not realize is that a data inventory is also essential for operationalizing a data retention program, because it provides a systematic way to identify retention periods category by category.
A data inventory for privacy compliance should include detailed information not only on the assets that contain personal information, but also on the business processing activities that use personal information. At both the asset and the processing activity level, it should capture at a minimum:
- Data Subject (employees, customers, vendors, etc.),
- Processing Category (there are 11 categories specified under the California Consumer Privacy Act (CCPA) and CPRA, including biometric data, personal identifiers, and geolocation data), and
- Data Elements (the actual data elements captured or processed like device ID, phone number, purchase history, browsing time, etc.)
It is important that this information is not only captured but also related appropriately: if an asset holds data on employees, you should be able to identify both the higher-level processing categories and the specific data elements collected for those employees.
In addition, each item in the data inventory, whether an asset or a processing activity, should include a question on the retention timeframe for that data. The answer options should match the standard retention periods in the company's Records Retention Schedule, but should also allow respondents to indicate that a different retention schedule is in place and/or that they are not sure. Capturing this information at a granular level lets the Records Management team confirm that the Records Retention Schedule has actually been operationalized throughout the organization, and lets the company filter, search, and summarize the inventory to meet the many requirements of the CPRA.
Data retention regulations generally deal with records (and, in the case of the CPRA, specific processing categories), not assets. Companies that maintain a data inventory at the appropriate level of detail can query it to produce a matrix of key information at the category level. The chart below shows what the privacy notice might need to include starting in January 2023, using just 2 of the 11 CCPA/CPRA categories as an example.
Personal Identifiers

| Examples of PI Collected | Sources of PI | Purposes for PI Collection | Categories of Recipients | Data Sold? | Retention Period |
|---|---|---|---|---|---|
| Name, postal address, email address, identification numbers | From the Consumer, Clients, Service Providers, Government Entities, and Third Parties | Processing Interactions and Transactions; Managing Interactions and Transactions; Performing Services | Clients; Government Entities; Data Processors and Storage Providers; Service Providers | No | 5 years after last transaction for customers, 3 years after separation for employees |

Internet Usage Information

| Examples of PI Collected | Sources of PI | Purposes for PI Collection | Categories of Recipients | Data Sold? | Retention Period |
|---|---|---|---|---|---|
| Information regarding interactions with our website, computer systems, and/or devices | From the Consumer, Service Providers, and Third Parties | Processing Interactions and Transactions; Managing Interactions and Transactions; Performing Services; Security; Debugging | Marketing and Analytics Vendors and other Service Providers | No | 12 months after the last transaction |
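As an added example (not code from the original article), the following Python models an inventory at the level of detail described above and runs the two queries a Records Management team would want over it: a check that every item's retention answer maps to a code in the Records Retention Schedule (flagging "a different schedule is in place" and "not sure" answers for follow-up), and a roll-up of retention periods and data elements to the CCPA/CPRA category level to populate the retention and examples columns of a chart like the one above. The schedule codes, category names, and inventory records are constructed for illustration and do not describe any real company's data.

```python
"""Added example (not from the original article): a minimal data inventory
model plus the two queries a Records Management team would run over it:
checking every item's retention answer against the Records Retention
Schedule, and rolling retention up to CCPA/CPRA category level for the
privacy notice. Schedule codes, categories and records are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed Records Retention Schedule: code -> period text for the notice.
RETENTION_SCHEDULE = {
    "CUST-5Y": "5 years after last transaction",
    "EMP-3Y": "3 years after separation",
    "WEB-12M": "12 months after the last transaction",
}
# Non-schedule answers the inventory questionnaire must also allow.
OTHER = "OTHER"        # a different schedule is in place (see retention_note)
NOT_SURE = "NOT_SURE"  # respondent does not know


@dataclass(frozen=True)
class InventoryItem:
    item_id: str
    kind: str                 # "asset" or "processing_activity"
    data_subject: str         # employees, customers, vendors, ...
    category: str             # CCPA/CPRA processing category
    data_elements: tuple      # specific elements captured for this subject
    retention: str            # schedule code, OTHER, or NOT_SURE
    retention_note: str = ""  # free text explaining an OTHER answer


# Constructed sample inventory: two assets and one processing activity with
# schedule answers, plus one OTHER and one NOT_SURE answer to exercise checks.
SAMPLE_ITEMS = [
    InventoryItem("A1", "asset", "customers", "Personal Identifiers",
                  ("name", "email address", "postal address"), "CUST-5Y"),
    InventoryItem("A2", "asset", "employees", "Personal Identifiers",
                  ("name", "employee ID"), "EMP-3Y"),
    InventoryItem("P1", "processing_activity", "customers",
                  "Internet Usage Information",
                  ("device ID", "browsing time"), "WEB-12M"),
    InventoryItem("A3", "asset", "customers", "Personal Identifiers",
                  ("name", "phone number"), OTHER,
                  "kept 18 months per vendor contract"),
    InventoryItem("A4", "asset", "customers", "Internet Usage Information",
                  ("email open events",), NOT_SURE),
]


def validate_retention(items):
    """Return (item_id, reason) for every item whose answer is not a schedule
    code. OTHER must be reconciled with the schedule, NOT_SURE needs an owner
    to answer, and anything else is a malformed entry."""
    issues = []
    for it in items:
        if it.retention in RETENTION_SCHEDULE:
            continue
        if it.retention == OTHER:
            issues.append((it.item_id, "non-standard retention: " + it.retention_note))
        elif it.retention == NOT_SURE:
            issues.append((it.item_id, "retention unknown"))
        else:
            issues.append((it.item_id, "invalid answer: " + it.retention))
    return issues


def retention_by_category(items):
    """Roll resolved answers up to {category: {data_subject: {period text}}}.
    Unresolved items are returned separately, keyed by category, so a
    category is never published while one of its assets still has a gap."""
    matrix = defaultdict(lambda: defaultdict(set))
    unresolved = defaultdict(list)
    for it in items:
        if it.retention in RETENTION_SCHEDULE:
            matrix[it.category][it.data_subject].add(RETENTION_SCHEDULE[it.retention])
        else:
            unresolved[it.category].append(it.item_id)
    return matrix, unresolved


def elements_by_category(items):
    """Distinct data elements per category, for the 'Examples of PI' column."""
    elems = defaultdict(set)
    for it in items:
        elems[it.category].update(it.data_elements)
    return {cat: sorted(v) for cat, v in elems.items()}


def notice_retention_text(matrix, category):
    """Render one category's retention column, one clause per data subject."""
    parts = []
    for subject in sorted(matrix.get(category, {})):
        parts.append(f"{'; '.join(sorted(matrix[category][subject]))} for {subject}")
    return ", ".join(parts)


if __name__ == "__main__":
    for item_id, reason in validate_retention(SAMPLE_ITEMS):
        print(f"follow up {item_id}: {reason}")
    matrix, unresolved = retention_by_category(SAMPLE_ITEMS)
    examples = elements_by_category(SAMPLE_ITEMS)
    for category in sorted(matrix):
        print(category, "|", ", ".join(examples[category]), "|",
              notice_retention_text(matrix, category),
              "| unresolved:", unresolved.get(category, []))
```

The point of keeping unresolved items in a separate structure rather than dropping them is that a category-level retention statement built only from the answered items would look complete in the notice while an asset in that category still has no agreed period; the follow-up list is what the Records Management team works through before the notice is published.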
If the CPRA requirements around reporting retention schedules don’t go into effect until January 1, 2023, why do I need to worry about this now?
While a year and a half may seem like enough time to prepare, companies should not underestimate how long it takes to create a comprehensive data inventory, develop a retention schedule, and operationalize it. In our experience with clients, the timelines for each of these activities vary significantly with the size, structure, and data environment of the organization:
- Data Inventory: 2 – 5 months
- Records Retention Policy and Schedule: 2 – 4 months
- Operationalizing a Records Retention Program: 6 months – 1 year
Even with a good set of data maps and a listing of assets to start from, capturing the required information for a data inventory takes time and will require the participation of between 40 and 100 individuals from across your company. The effort involves significant business exploration and can be very time-consuming even with automation to assist. And even if you already have a retention policy and schedule, in our experience most companies have not operationalized it: the deletion mechanisms and processes need to be agreed with the relevant stakeholders, and everyone needs to be educated on the plan and practice implementing it.
More stringent data retention requirements are coming. Organizations should take the time now to review their current data retention programs, update them as needed, and operationalize them to comply with current and emerging privacy regulations.
Given the complexity of the upcoming CPRA requirements, we are publishing a series of articles on this topic. Our first article introduced and reviewed the unique data retention and notice requirements of the CPRA. Our second article provided guidance on developing a functional records management program. Our third article reviewed the creation of a defensible disposition process. This last article provided guidance on how to use your data inventory to update your privacy notice with the required retention periods for each category of personal information.
© Copyright 2021. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals.