United States: Data Retention And Minimization, The Elephant In The Room

Following in the footsteps of Europe, U.S. states are codifying obligations to maintain personal data inventories and retention schedules, and to limit retention and use to only what is necessary to meet the purposes disclosed at the point and time of collection, for only so long as that limited purpose continues. A recent study by the publication Compliance Week suggests that info gov professionals have a false sense of confidence regarding their compliance with these obligations, and that when asked about actual policies and practices data retention and minimization programs were typically immature and too often non-existent. The study included a comprehensive survey completed by 173 info gov professionals across 30 industries. The findings, including recommendations for refining info gov programs to meet the requirements of new state privacy laws is available here and includes best practice tips from Alan Friel, Chair of SPB's Global Data Practice.

As an example of what new state laws require, the California Privacy Rights Act, which went into effect January 1 and becomes enforceable July 1, provides:

• A business' collection, use, retention, and sharing of a consumer's personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.
  
  
• A business that controls the collection of a consumer's personal information shall, at or before the point of collection, inform consumers of the following: ... (3) The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumer's personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.

Will your organization be ready to comply by July? Another new info gov requirement effective this year is the requirement to undertake and document data protection / privacy impact assessments, which must be retained and made available to regulatory auditors upon request. For more information on the new state requirements for these assessments, see our prior guidance here.

To learn more about data retention management, join a free webinar hosted by SPB, Exterro and Compliance Week on April 25, 2023 at 2 pm Eastern. Register here.

While many companies have made progress in improving transparency regarding their data practices, and implementing data subject rights request processes, many of these same companies are still in a very immature state when it comes to meeting the fundamental obligations under new privacy laws – truly understanding what personal data a company has, where it is and limiting its retention, use and disclosure to what is necessary for permissible collection purposes or to otherwise comply with legal obligations. For more information contact your SPB relationship partner.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.