This series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements.
The California Consumer Privacy Act, effective January 1, 2020, was the United States’ first state-level comprehensive data privacy law. And the CCPA blogging blitzkrieg has not been merely hype – the CCPA presages a fundamental shift in U.S. privacy law.
The statute was a bit convoluted in its original form, almost as if the California legislature had hurriedly cobbled it together in a week’s time to avoid different provisions becoming law through a ballot initiative spearheaded by private activists, and which would have been essentially immune to subsequent direct amendment by the legislature (oops, that’s actually what happened). Today’s CCPA is also the product of a flurry of legislative clean-up amendments, supplemented by now-final California regulations (not that anything is ever quite final in California), and with a few targeted statutory amendments effective now due to last November’s adoption of the CPRA by ballot referendum.
Much thoughtful guidance is available elsewhere on the CCPA’s scope, applicability, and the various consumer rights it creates, including notice/transparency, access, deletion, and sale opt-out. Our narrow focus here is on whether and how the CCPA affects the need of covered businesses (1) to manage PI with retention scheduling and (2) to dispose of PI once no longer necessary.
At first blush, the CCPA requires neither retention scheduling nor, absent a consumer’s verifiable deletion request, data disposal. The CCPA’s consumer notice provisions do not specifically require covered businesses to tell consumers how long their PI will be retained, and there are no explicit data minimization or storage limitation requirements in the CCPA’s statutory text. Instead, the CCPA subsumes data minimization in the vehicle of notice, by providing that covered businesses must not collect additional categories of PI or use collected PI for additional purposes (beyond the purposes noticed at collection), without providing the consumer with notice. CAL. CIV. CODE § 1798.100(b). Note that the CCPA’s regulations do contain a narrowly-focused storage limitation requirement that, if a covered business requests additional PI from consumers for identity verification or for security or fraud prevention purposes, such new PI must be deleted as soon as practical after processing the consumer’s request. CAL. CODE REGS. tit. 11, § 999.323(c).
But the practical repercussions of the CCPA’s deletion right make managing data retention and disposal an important priority. A consumer’s right under the CCPA to request deletion of her PI has the effect of shifting decision-making power for data minimization and storage limitation from the covered business to its consumers, leaving the business at their unpredictable mercy – some consumers may be fine with – or oblivious to – lengthy retention, while others may insist, through verifiable deletion requests, that their PI be disposed of promptly. The result is a costly and inefficient predicament for such businesses. Yet the CCPA’s deletion right has safe harbors. A covered business may refuse a deletion request if retaining the consumer’s PI is necessary for such matters as completing the transaction with the consumer, performing a contract with the consumer, or to “[c]omply with a legal obligation.” CAL. CIV. CODE § 1798.105(d). And the CCPA does not restrict a covered business’s ability to “[c]omply with federal, state, or local laws.” CAL. CIV. CODE § 1798.145(a)(1).
In other words, if a covered business (1) manages consumers’ PI under a legally-validated retention schedule and (2) disposes of the PI pursuant to the retention schedule once it is no longer needed to comply with legal retention requirements and the business’s needs for the consumer transaction or contract, then the business will be free of the cost, inefficiency, and unpredictability of selectively deleting the PI of individual consumers upon their request.
As a result, prudent covered businesses carefully manage retention of CCPA personal data, mindful of the logistics, cost, and inefficiency involved in responding to verifiable deletion requests. Careful management of PI retention (who, what, when, where, how, and why) is necessary to prepare the covered business for timely and compliant response to CCPA deletion requests. And retaining such PI beyond the CCPA’s deletion safe harbors is a choice, best knowingly and carefully made after balancing the potential value of such information against the attendant costs and risks of complying with future deletion requests from an unknown share of consumers. Some types of PI may, for a given covered business, be worth the cost and risk, and frankly, many types of PI may not. It behooves prudent businesses to know which is which, and to act accordingly.
Please forgive this post’s length, but two last points are pertinent here:
- Broad Scope of PI: While the CCPA is indeed limited to certain businesses (for-profit businesses doing business in California, that have annual gross revenues over $25 million, or that annually transact in PI of at least 50,000 consumers/households/devices, or that derive at least 50% of their annual revenue from selling PI), its definition of “personal information” is sweepingly expansive. PI under the CCPA is “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” unless the information is publicly available from government records or is deidentified or aggregated. CAL. CIV. CODE § 1798.145(o).
In making decisions about PI retention, disposal, and the deletion right’s safe harbors, prudent covered businesses will carefully consider the CCPA’s long list of exemplar PI types, which includes:
- Identifiers such as real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
- Any categories of PI described in CAL. CIV. CODE § 1798.80(e): information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information;
- Characteristics of protected classifications under California or federal law;
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
- Biometric information, defined in CAL. CIV. CODE § 1798.140(c) as an individual’s physiological, biological, or behavioral characteristics, including information pertaining to an individual’s DNA that is used or intended to be used, singly or combined with other identifying data, to establish individual identity. Includes but is not limited to imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying data;
- Internet or other electronic network activity information, such as browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement;
- Geolocation information;
- Audio, electronic, visual, thermal, olfactory, or similar information;
- Education information, which is not publicly available personally identifiable information as defined by FERPA, 20 U.S.C. § 1232g, 34 C.F.R. Part 99; and
- Inferences drawn from any of the information identified in this subsection to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
CAL. CIV. CODE § 1798.145(o).
- Exemption for “Employee Data”: The CCPA, as you no doubt know, exempts some types of activities and entities and also some categories of information from some or all of its provisions. I simply flag here the CCPA’s partial exemption for what is colloquially referred to as Employee Data, and which the CCPA more specifically defines as PI collected or used solely in the context of the individual’s current or former role as a job applicant, employee, owner, director, officer, medical staff member, or independent contractor of the business, or emergency contact information for such persons, or benefits administration data for individuals related to such persons. CAL. CIV. CODE § 1798.145(m). Under the CCPA (as amended effective now by the CPRA), this exemption lasts until January 1, 2023.
The practical impact of this partial exemption is that covered businesses must provide CCPA-required notice to their employees of the categories of PI to be collected and the purposes for which the categories will be used, per CAL. CIV. CODE Section 1798.100(b), but they are not subject to requests by employees under the CCPA rights enjoyed by other consumers, such as for access and deletion. Such businesses nevertheless remain exposed to civil actions by employees for PI data breaches under CAL. CIV. CODE Section 1798.150. So, simply put a pin in this for now – the employee data exemption will play a surprising and important role, for our purposes, when we turn next to the CPRA.