Less Data #6: Explosion of new state consumer privacy laws compels deletion of unnecessary data

By Peter Sloan on May 1, 2023

We’re witnessing a “rapid, unscheduled disassembly” (thanks SpaceX) of comprehensive consumer privacy laws across the United States. While these new state laws generally have a different, sleeker structure than California’s CCPA/CPRA, they share a similar impact – each such law compels or motivates covered businesses to delete unnecessary data.

Following California’s lead, comprehensive consumer privacy laws have now been enacted in Virginia (effective January 1, 2023), Colorado (effective July 1, 2023), Connecticut (effective July 1, 2023), Utah (effective December 31, 2023), and Iowa (effective January 1, 2025). Here’s how these new laws address data retention and the deletion of unnecessary data:

Data Minimization and Storage Limitation

  • Virginia Consumer Data Protection Act (VCDPA)
    Under the VCDPA, controllers must limit collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer. Va. Code Ann. § 59.1-578(A)(1). Controllers may only process personal data for purposes either reasonably necessary to or compatible with the purposes for which such personal data is processed, as disclosed to the consumer, unless the consumer’s consent is obtained or as otherwise provided in the VCDPA. Va. Code Ann. § 59.1-578(A)(2).
  • Colorado Privacy Act (CPA)
    The CPA requires that a controller’s collection of personal data be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed. Colo. Rev. Stat. § 6-1-1308(3). A controller must not process personal data for purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data are processed, unless the controller first obtains the consumer’s consent. Colo. Rev. Stat. § 6-1-1308(4).
  • Connecticut Data Privacy Act (CTDPA)
    Under the CTDPA, controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer. CTDPA § 6(a)(1). Except as otherwise provided in the CTDPA, controllers must not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the purposes disclosed to the consumer, unless the controller obtains the consumer’s consent. CTDPA § 6(a)(2).

In each of these three laws, the definition of “process” includes the storage and deletion of consumers’ personal information, so the processing limitation carries with it an obligation not to retain consumer data unnecessarily. (The Utah and Iowa statutes contain no comparable express minimization or purpose-limitation provision.) And as with California’s CCPA/CPRA, the obligation to provide consumers a compliant privacy policy on how personal data will be “processed” requires notice of retention practices, which as a practical matter are based upon the business’s records retention policies and records retention schedules.

De Facto Deletion Impact

All five of these new laws provide deletion rights to consumers, but covered businesses are not required to delete data for which retention is required by records retention laws or regulations:

  • Virginia: The VCDPA does not restrict a controller’s or processor’s ability to comply with federal, state, or local laws, rules, or regulations. Va. Code Ann. § 59.1-582(A).
  • Colorado: The CPA does not restrict a controller’s or processor’s ability to comply with federal, state, or local laws, rules, or regulations. Colo. Rev. Stat. § 6-1-1304(3)(a).
  • Connecticut: The CTDPA does not restrict a controller’s or processor’s ability to comply with federal, state, or municipal ordinances or regulations. CTDPA § 10(a).
  • Utah: The UCPA does not restrict a controller’s or processor’s ability to comply with a federal, state, or local law, rule, or regulation. Utah Code Ann. § 13-61-304(1).
  • Iowa: The ICDPA does not restrict a controller’s or processor’s ability to comply with federal, state, or local laws, rules, or regulations. Iowa Code § 715D.7(1).

Thus, similar to the original CCPA, these laws reward covered businesses that carefully manage their data with retention schedules and that delete unnecessary data. Covered businesses that manage personal data under a legally validated retention schedule and that dispose of such data once retention is no longer legally required can avoid uncertainty, inefficiency, and cost in handling consumer deletion requests.

And on and on…

And it ain’t over yet, not even close. Comprehensive consumer privacy bills are percolating in many more state legislatures across the country. In April alone, three new comprehensive consumer privacy acts passed in the legislatures of Indiana, Montana, and Tennessee and were sent to those states’ governors. If signed into law, these three additional states’ laws will have the same double impact on data deletion as those of Virginia, Colorado, and Connecticut, by both (1) explicitly requiring data minimization and storage limitation, and (2) giving covered businesses an incentive to use legally validated retention schedules and data deletion to curb inefficiency and cost in handling consumer deletion requests:

  • Indiana Consumer Data Privacy Act (ICDPA) (effective January 1, 2026): A controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer, and a controller must not process personal data for purposes that are neither reasonably necessary for nor compatible with the disclosed purposes for which the personal data is processed, unless the controller obtains the consumer’s consent. Ind. Code § 25-15-4-1(1)&(2). “Processing” includes storage and deletion of personal information. Ind. Code § 25-15-2-21. And in handling consumer data requests, the ICDPA does not restrict a controller’s or processor’s ability to comply with federal, state, or local laws, rules, or regulations, such as retention requirements. See Ind. Code § 25-15-8-1(a)(1).
  • Montana Consumer Data Privacy Act (MCDPA) (effective October 1, 2024): A controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed, as disclosed to the consumer; and, except as otherwise provided in the MCDPA, must not process personal data for purposes that are not reasonably necessary to or compatible with the purposes disclosed to the consumer, unless the controller obtains the consumer’s consent. MCDPA § 7(1)(a)&(2)(a). “Processing” includes storage and deletion of personal data. MCDPA § 2(17). And when handling consumer data requests, nothing in the MCDPA restricts a controller’s or processor’s ability to comply with federal, state, or municipal ordinances or regulations, such as retention requirements. See MCDPA § 11(1)(a).
  • Tennessee Information Privacy Act (TIPA) (effective July 1, 2025): A controller must limit the collection of personal information to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer; and, except as otherwise provided in TIPA, must not process personal information for purposes that are beyond what is reasonably necessary to and compatible with the purposes disclosed to the consumer, unless the controller obtains the consumer’s consent. Tenn. Code Ann. § 47-18-3204(a)(1)&(2). “Processing” includes storage and deletion of personal information. Tenn. Code Ann. § 47-18-3201(18). And in responding to consumer data requests, TIPA does not restrict a controller’s or processor’s ability to comply with federal, state, or local laws, rules, or regulations, such as data retention requirements. See Tenn. Code Ann. § 47-18-3208(a)(1).

California set all of this in motion with the CCPA. But remember, this is not the first time that California has lit a match on data-related laws that then swept across the United States. Consider this: in 2003, only California had a state-level law requiring notification of individuals whose PII had been breached. By 2018, PII breach notifications were required by statute in all 50 states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands.

And so, as comprehensive data privacy legislation ignites across the states in 2023 and beyond, the imperative will only escalate for businesses to manage their data with retention schedules and to dispose of unnecessary data.

Peter Sloan

Peter advises clients on how best to retain, secure, preserve, and dispose of information. He helps clients throughout the United States create, validate, and update retention schedules; implement compliant information management policies and processes; and defensibly dispose of information. Peter also counsels clients on data security compliance and breach response readiness, and he works with clients to manage data breach response.

Peter has served clients across a broad range of industries, including:

  • Financial Services (national and state-chartered banks, investment companies, investment advisers, broker-dealers, tax preparation companies, insurance companies, and government-sponsored enterprises)
  • Health Care (health systems and hospitals, physician practices, pharmacy and pharmacy benefit management companies, pharmaceutical and biotechnology firms, and medical equipment manufacturers)
  • Energy (power and gas utilities, power transmission companies, oil and gas pipeline companies, and exploration and production companies)
  • Higher Education
  • Engineering and Construction
  • Manufacturing
  • Retail
  • Technology
  • Transportation

  • Posted in:
    Privacy & Data Security
  • Blog:
    Information Bytes
  • Organization:
    Information Governance Group