The fourth installment in our ongoing series about changes to the California Consumer Privacy Act (CCPA) focuses on the new data minimization and data retention requirements for subject businesses created by the passage of the California Privacy Rights Act (CPRA) on November 3, 2020. These provisions also obligate subject entities to implement business-wide internal policy changes to accommodate the possible need to change their data collection and retention policies before the CPRA is fully operative on January 1, 2023 (with a look-back period beginning January 1, 2022). As we know from the lead up to the CCPA's enforcement, these deadlines pass quickly.
Businesses subject to the European Union's General Data Protection Regulation (GDPR) and other international data privacy laws will already be familiar with data minimization as a core tenet of data privacy. While not directly required under the CCPA, the CPRA amended Section 1798.100(c) of California's data privacy regime to effectively mandate data minimization and require subject businesses to limit the collection of personal information to that which is "reasonably necessary and proportionate" to the purposes for which it is being collected. Further, businesses must notify individuals of the purposes for collection prior to actually collecting the personal information.
Again, similar to Europe's data privacy regime, the CPRA institutes limitations on how long entities should retain the data they collect. Entities subject to the CPRA may retain personal information only for the length of time reasonably necessary to complete the processing for which it was collected. Specifically, once a business finishes processing personal information for the reasons it was collected, that personal information must be removed from its systems.
Mirroring the CPRA's data minimization disclosure requirement, businesses must inform individuals of the length of time, or criteria used to determine the length of time, that they retain the personal information collected.
Implications for Businesses
The CPRA's new data minimization and retention obligations will require entities within its purview to reassess not only their consumer-facing privacy policies, but internal policies as well. Entities that will be subject to the CPRA should begin reviewing their internal policies associated with their data collection and retention procedures now to determine what, if any, changes need to be made to accommodate the impending obligations. As part of this effort, subject entities should conduct data mapping efforts to determine what information they collect, the purposes and need for their collection, and assess the likely retention period that should apply to the categories of information under their control. While conducting this review, it is important to remember that the CCPA continues to govern these entities until the CPRA takes effect in January 2023.
Lewis Brisbois' Digital Insights will continue to monitor developments around the implementation of the CPRA. Read Part I, Part II, and Part III of our ongoing CPRA series, and subscribe to our blog to receive further installments in this series, which analyzes how the CPRA will amend the CCPA and impact businesses operating in California.