Data retention is one of the most challenging data privacy disciplines for organizations to master. Business units, departments, teams, and even individual employees often retain data according to their own informal “retention schedules,” whether or not the company has an official data retention policy and schedule. Personal information lingers on servers, workspaces, shared drives, and laptops for far longer than it should. Data stores are forgotten, and finding the people who were the stewards of the data can be difficult (or impossible, if they have left the company). All of this makes data retention harder to manage and a more significant risk: if you don’t know what data you have, you can’t accurately assess your data risk, and you can’t know whether you are complying with your own data retention schedule (if you have one) or with applicable laws that impose data retention requirements.
Californians for Consumer Privacy, the group that pushed for the legislation leading to the CCPA, has submitted a new ballot initiative in California for a law updating the CCPA: the California Privacy Rights Act (CPRA), better known as CCPA 2.0. One requirement that may prove challenging for companies is that the CPRA would require privacy notices to disclose either (a) the retention period for each category of personal information collected, or (b) the criteria used to determine that period. Given the difficulty companies face in managing and complying with their own data retention practices, option (a) may be an optimistic exercise, assuming the company has even defined retention periods for “each” category. Option (b) may be equally challenging: a published list of criteria for determining retention periods seems like an easy place for the Attorney General to find fault, for example by concluding that the company recited the same factors for every category and did not in practice apply those factors meaningfully.