Two years ago I made a prediction: “For the 2020s, the dots already connect clearly – the new impetus for managing information retention and disposal will be data privacy and security compliance. Buckle up.”
This was the last line of a 2021 blog series exploring then-recent developments in U.S. data privacy and security laws that had begun to transform retention schedules and data disposal from merely prudent practices into compliance requirements.
So, where do things stand now? The trend continues, and it is actually accelerating – with data, less is more, now more than ever.
Managing data volumes has always been prudent for U.S. businesses. But as a matter of pure legal compliance, U.S. federal and state laws have historically followed a “mandatory minimum” retention approach, requiring that businesses keep specified records for at least a required minimum retention period, but not compelling disposal. With precious few exceptions, U.S. businesses have not been legally required to (1) manage data with retention schedules and (2) dispose of unnecessary data. And U.S. privacy and data security laws have generally been silent on retention periods for protected information.
But that was then. Two years ago I mapped changes in U.S. data security and privacy laws that would now require data retention scheduling and disposal of unnecessary data, under:
- New state statutes on PII data security and data disposal;
- New state-level data security laws for the financial services sector;
- Recent FTC data security enforcement actions under FTC Act Section 5;
- State biometric data privacy laws; and
- The first comprehensive state consumer privacy law, California’s CCPA.
But what I failed to anticipate was how rapidly the pace would quicken. Two years later, all of the changes noted above continue, but now with the accelerants of:
- New state-level data security enforcement activity that compels data retention schedules and data disposal;
- New GLBA data security rules requiring retention schedules and disposal of unnecessary data;
- An upsurge in FTC data security enforcement actions that put data retention and disposal at center stage;
- A new biometric privacy court ruling under BIPA on data retention schedule requirements; and
- A growing wave of new comprehensive state consumer privacy laws mandating data minimization, data retention schedules, and disposal of unnecessary data.
I’ll explore each of these in upcoming posts … stay tuned.