June 24, 2019
INTRODUCTION
In the old days, we worried more about records than data. It was all about hard files. I remember shipping three or more boxes a day to an off-site storage facility when I was a lowly file clerk on a toxic tort litigation case involving thousands of plaintiffs. And my firm had to keep those documents not just for the duration of the litigation itself but for years afterward because there was always a chance we’d end up in litigation that grew out of the original case. I seriously considered abandoning the idea of graduate school and just investing in climate controlled storage units.
That being said, effective data retention policies aren’t just about protection against potential lawsuits. While compliance in and of itself is an excellent motivator, most companies have found the real value in data retention is in recovering from system failures, data breaches, or other system breakdowns. Backing up your data is the best way to ensure you have the smallest interruption of business possible. Following a good data retention policy also ensures that you are able to remove duplicated or outdated data, which has the added benefit of freeing up storage space.
When creating your data retention policy, you should make sure to include the relevant stakeholders in the decisions. Your legal counsel, compliance office, department managers, IT staff in charge of data retention settings, and team members who create or receive financial reports should all be represented. The first thing that team should do (if your legal or compliance team has not already) is determine which regulations are applicable to your business. Even if the legal team has already put that together, have the team check it–there’s a high likelihood that many organizations are engaged in some activities that the legal team hasn’t been fully briefed on, and this is a good opportunity to make sure everyone is on the same page.
The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020, and it is going to impact more than 500,000 US companies according to estimates from the International Association of Privacy Professionals. If the CCPA isn’t on the list of regulations your Data Retention Policy covers, it’s time to do a check to see if your organization is included in that 500,000+.
CCPA APPLICABILITY
To break the applicability of the CCPA down into four easily digestible pieces, ask whether your company
First, does your company handle Personal Information from California residents? Keep in mind: the definition of personal information is very broad (see here). Personal information includes any data that has to do with a specific person, including names, addresses, height, weight, preferences, etc.
If the answer is no, your business likely does not need to comply with the CCPA. Be aware that, unless a pending amendment passes, personal information about California employees of your organization would qualify under this prong.
If the answer is yes, however, go on to the next question.
Second, do any of the following apply to your company: (1) you make over $25 million in revenue per year, (2) you handle personal data for 50,000 people, devices, or households from California per year, or (3) you make at least half of your revenue from selling the information of California residents? If none of these three apply, your company likely does not need to comply with the CCPA. Keep in mind that there are a few exceptions, so it’s important to speak with a lawyer to know for certain. If any of those three scenarios do apply, however, then you need to answer the next question.
Third, is your company for-profit? If the answer is no, then your organization likely does not need to comply with the CCPA. The CCPA only applies to for-profit businesses; there is, however, an important exception if your non-profit handles information on behalf of a for-profit entity. In that scenario, your organization would need to comply with the new law.
If you answered yes to all three questions, then your business likely needs to comply with the CCPA, and your Data Retention Policy needs to be updated to ensure you are CCPA compliant.
DATA RETENTION UNDER THE CCPA
Because the CCPA is an evolving law, there are aspects of your data retention policy with relation to the CCPA that you may need to adjust. If your organization does not have a retention policy or has not updated it in some time (is it still all about hard copies?), now is the time to update it.
Organizations should determine whether the retention periods in their policies are based on legal requirements or on another business rationale that supports retention periods longer than those legally mandated. Under the CCPA, deletion rights do not apply to Personal Information that businesses have to retain in order to meet a legal obligation (for example, IRS regulations requiring 4-year tax record retention, or the 3-year retention rule for basic employee and leave records under the FMLA).
The deletion rights also do not apply where the business uses the information internally “in a lawful manner that is compatible with the context in which the consumer provided the information” 1798.105(d)(9). For example, if a company provided a warranty to the customer, and it maintained the customer’s information and the serial number of the product purchased in a warranty database, that company would have a colorable argument that the CCPA did not require it to delete that Personal Information.
Even more generally, “[the] rights afforded to consumers and the obligations imposed on the business in [the CCPA] shall not adversely affect the rights and freedoms of other consumers.” Depending on what kind of data your organization deals in, your records retention policy can specifically address situations in which the data might adversely affect the freedoms of other consumers. For example, businesses with physical locations are within their property rights to ban individuals from entering or re-entering their property for a variety of reasons—abusive ex-spouses of employees, unruly or violent patrons, shoplifting, etc. A company could make a claim that being forced to delete the personal information identifying the banned individual and the reason for the ban would infringe on the company’s property rights, and it could potentially infringe on the rights of other guests at the location whose safety would be put at risk.
A strong record retention policy that establishes both the applicable legal obligations for the minimum retention periods and the internal reasoning regarding longer retention periods will both help employees make decisions regarding individual requests and develop a robust, defensible process should the organization ever be subject to a CCPA compliance audit or AG complaint.
CONCLUSION
A records retention policy should incorporate both your obligations under the CCPA and other applicable regulations. Establishing your business purposes in retention of data that exceeds statutory requirements will put you in a stronger position should you ever undergo an audit or receive consumer complaints for not deleting data that you claim a right to maintain.
DISCLAIMER: This publication has been prepared by SixFifty, LLC to provide information of interest to our readers regarding the California Consumer Privacy Act. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. SixFifty, LLC does not provide legal advice.
Written by Marie Kulbeth
About The Author: Marie Kulbeth
Marie Kulbeth is a Co-Founder and General Counsel of SixFifty, and the co-director of BYU LawX, a legal design lab dedicated to solving access to justice problems. She works to make the law straightforward for everyone, regardless of education level or income.
Marie keeps her passion for equitable, accessible legal services at the forefront of her career. Her role as General Counsel allows her to field-test SixFifty’s products to ensure they’ll work for customers.
Education and Experience
Marie attended Brigham Young University, and spent most of her undergrad studying International Politics and Development. It was during a field study in South Africa that she first decided to become a lawyer. As she researched the new South African constitution and worked with community organizers, Marie became fascinated with the development of the rule of law and how it in turn fosters economic development.
After undergrad, she attended BYU Law, where she continued focusing on improving equity, specifically through access to justice. She spent time interning with a nonprofit at the Human Rights Council in Geneva and with the United Nations International Tribunal for the Rwandan Genocide. At home, she interned with Catholic Charities, focusing on supporting asylum cases. Marie’s work with communities and governments across the globe broadened her understanding of how the law can either uplift or further harm underserved populations.
After law school, Marie worked as a judicial law clerk for the US Fifth Circuit Court of Appeals. She then practiced commercial litigation in Salt Lake City before returning to BYU Law, where she became an Assistant Dean. During her time at BYU Law, Marie built a diversity recruiting program and a storytelling program. Although she has left academia, she continues to keep a hand in by teaching a legal design class at BYU Law School and an undergraduate international politics class that focuses on development and diplomacy at BYU’s Kennedy Center. Both courses help students increase their community engagement and use their skills to create change.
Achievements with SixFifty
Marie’s work with both SixFifty and LawX focuses on making the law less complicated and more equitable for both companies and individuals.
Marie’s legal specialty is privacy. She has additional focus areas in legal technology; diversity, equity and inclusion; employment; and compliance. She enjoys the opportunity to build products with the legal product team, including pro bono products. This allows her to work with communities she cares about – and complements the work she continues to do at BYU.
With Marie’s guidance and experience, SixFifty is able to offer privacy products that allow even small companies to easily comply with global privacy restrictions. Her passion for making the law accessible to everyone is evident in our pro bono products, which help individuals access free legal help for common issues.
Get to Know Marie
When she’s not helping to advance SixFifty’s mission, Marie travels whenever she can. Keep your eyes open and you may find her anywhere in the world – one of her favorite trips was a seven-day motorbike tour of northern Thailand. She especially loves to canyoneer in southern Utah and explore wilderness areas.
Marie also continues her community development and education work. She is on the board of several nonprofits, including one that runs primary schools in South Sudan and the Utah Tribal Relief Foundation. She recently joined the board of the Mountainland Association of Governments, which focuses on making loans to entrepreneurs from underserved communities who lack access to traditional funding. She’s also a Model UN legend! She is the Executive Director of BYUMUN, Utah’s premier high school Model United Nations learning conference.
Marie loves podcasts and will nerd out on anything related to the law, the history of the English language, and anything done by the people at Radiolab.
Bar Licensed
Utah