It seems that we are getting bombarded with new privacy regulations every few months. These regulations not only keep CIOs up at night, they have far reaching implications on business strategy and operations, including information governance and your records retention schedule.

To answer the question everyone is asking – yes, privacy regulations such as CCPA (soon to be integrated with the CPRA), GDPR and the New York Shield Act do affect the records retention schedule. (Even HIPAA is getting a much-needed refresh.) Since these regulations may impact multiple business units, they require more than the simple addition or modification of a records category on the retention schedule.

While each state has its own privacy regulations, we are focusing on California’s regulations because it is one of the first of such provisions in the US and it affects any organization who collects information from California residents. Furthermore, in the absence of a national standard, what happens in California will likely be replicated in other parts of the country. Here is what you need to know about California’s highly impactful privacy regulations:

What is the CCPA?

Enacted in 2018, the California Consumer Privacy Act (CCPA) is essentially California’s version of Europe’s General Data Protection Regulation (GDPR). In a nutshell, this legislation provides the following protections to California consumers:

• The right to opt-out of having their personal data collected by a company.
• The right to know what personal information is being collect and how it is used.
• The right to have their personal data deleted upon request, similar to GDPR’s “the right to be forgotten.”

What is the CPRA?

The California Privacy Rights Act (CPRA), passed November 2020 and enforceable starting January 2023, amends or augments many of the requirements of the CCPA.  Notably, it creates an oversight board designed to enforce the law and penalize violators.  It also requires companies to dispose of consumers’ personal information when it is no longer required for the purpose for which it was collected.  This requirement will significantly influence a company’s information governance program and records retention schedule.  More on that below. 

What Organizations are Impacted by the CCPA and CPRA?

What organizations are affected by this regulation? Today, only organizations that collect data from California consumers. However, as alluded to above, California is widely known for being a trailblazer in this area. Thus, if the state(s) in which you operate do not have privacy laws as strict as California’s, it is reasonable to expect that they will soon follow suit. In other words, the CPRA is speculated to be America’s gold standard of privacy regulations, at least if/until a national regulatory framework is enacted.

How do Privacy Regulations like CCPA and CPRA Affect a Records Retention Schedule?

Records retention schedules primarily focus on meeting the minimum legal retention requirements for each given record category. The primary driver behind the minimum requirement is risk – if you destroy records before it is legally acceptable, your organization is exposed to increased legal risk, namely spoliation. There are also risks for retaining records for too long, with the biggest risk being increased eDiscovery exposure. However, the risks of over-retention are generally considered to be much lower than for under-retention.

The CPRA turns conventional retention scheduling on its head because it introduces significant legal and financial risk for exceeding the maximum allowable retention for each given record category. In other words, the risk of retaining the information past the prescribed retention period far exceeds any risk for destroying these records prior to the expiration of the retention period.

How do I Update my Organization’s Records Retention Schedule to Comply with Privacy Regulations like CCPA and CPRA?

For better or worse, it is not as easy as simply identifying the record categories affected by privacy regulations and updating them accordingly. It requires significant coordination between records management, legal, IT and the business units that collect and manage personal information, i.e. it takes sound information governance practices and persistent communications between divergent stakeholders. Here are some general guidelines to follow when considering updating your organization’s records retention schedule to comply with privacy regulations:

1. Assess the organization’s exposure to applicable privacy regulations. This is best done in consultation with your organization’s legal counsel. Be sure to not fall in the trap of looking at privacy regulations from where your firm operates. Instead, examine the touchpoints where consumers interact with your organization – your firm’s website, social media, direct mail, etc.
2. Interview your business units to determine what types of personal information are collected, why they are collected, and how long they need to be retained for their originally intended use. This task may be quite complex if you work for an organization that manages multiple product or service lines across multiple geographies. However, it is vital to collect this inventory of personal information in order to map the data collected to the appropriate retention category.
3. Work with your IT department to identify where personal information resides, where it is collected, how it is shared and with whom. What data retention agreements are in place with 3rd parties? Where are the systems of record? Where may copies reside, including backups?
4. Once you have assessed your organization’s risk exposure, and have identified the types of personal information collected and the systems of record that manage this information, you can begin the process of creating record categories that dictate the appropriate retention requirements and leverage your information map to link these record categories to the appropriate source repositories. Keep in mind that business requirements and purposes for collection may change frequently, in which case it may not be feasible to address every single personal record type in the retention schedule. Instead, you may want to consider grouping the major types of personal information collected in the retention schedule and refer to a specific business unit level policy or procedure for specific guidance.
5. Work with your IT and business unit stakeholders to ensure that systems of record and applicable business processes/procedures are updated to comply with the new requirements, and that system audits are set up at specific intervals to monitor compliance. This includes data managed by 3rd party providers. If appropriate, your IT department may want to look at implementing a file analysis application that monitors information capture and flow across the enterprise.

These steps will obviously require buy-in from the highest levels of your organization, the legal department, IT and all of the affected business units. It will require deliberate and frequent communication between all affected stakeholders in order to maintain compliance. However, the risk of not doing so can be catastrophic.

Need Help?

Cadence Group has been providing information governance and records retention consulting services to public and private sector organizations of all sizes for over a quarter century. Our certified consultants can help bring your organization into compliance by providing:

• A full information governance program assessment
• Records retention scheduling, including legal research
• Records inventorying and information mapping
• Physical and electronic records cleanup

Contact us to set up a free consultation.