We’re witnessing a “rapid, unscheduled disassembly” (thanks SpaceX) of comprehensive consumer privacy laws across the United States. While these new state laws generally have a different, sleeker structure than California’s CCPA/CPRA, they share a similar impact – each such law compels or motivates covered businesses to delete unnecessary data.
Following California’s lead, comprehensive consumer privacy laws have now been enacted in Virginia (effective January 1, 2023), Colorado (effective July 1, 2023), Connecticut (effective July 1, 2023), Utah (effective December 31, 2023), and Iowa (effective January 1, 2025). Here’s how these new laws address data retention and the deletion of unnecessary data:
Data Minimization and Storage Limitation
- Virginia Consumer Data Protection Act (VCDPA)
Under the VCDPA, controllers must limit collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer. Va. Code Ann. § 59.1-578(A)(1). Controllers may only process personal data for purposes either reasonably necessary to or compatible with the purposes for which such personal data is processed, as disclosed to the consumer, unless the consumer’s consent is obtained or as otherwise provided in the VCDPA. Va. Code Ann. § 59.1-578(A)(2).
- Colorado Privacy Act (CPA)
The CPA requires that a controller’s collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed. Colo. Rev. Stat. § 6-1-1308(3). A controller must not process personal data for purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data are processed, unless the controller first obtains the consumer’s consent. Colo. Rev. Stat. § 6-1-1308(4).
- Connecticut Data Privacy Act (CTDPA)
Under the CTDPA, controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer. CTDPA § 6(a)(1). Controllers must, except as otherwise provided in CTDPA, not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent. CTDPA § 6(a)(2).
In each of these laws, the definition of “process” includes the storage and deletion of consumers’ personal information, and so their processing limitation includes an obligation to not unnecessarily retain consumer data. And as with California’s CCPA/CPRA, the obligation to provide consumers a compliant privacy policy on how personal data will be “processed” requires notice of retention practices, which as a practical matter are based upon the business’s records retention policies and records retention schedules.
De Facto Deletion Impact
All five of these new laws provide deletion rights to consumers, but covered businesses are not required to delete data for which retention is required by records retention laws or regulations:
- Virginia: The VCDPA does not restrict a controller’s or processor’s ability to comply with federal, state, or local laws, rules, or regulations. Va. Code Ann. § 59.1-582(A).
- Colorado: The CPA does not restrict a controller’s or processor’s ability to comply with federal, state, or local laws, rules, or regulations. Colo. Rev. Stat. § 6-1-1304(3)(a).
- Connecticut: The CTDPA does not restrict a controller’s or processor’s ability to comply with federal, state, or municipal ordinances or regulations. CTDPA § 10(a).
- Utah: The UCPA does not restrict a controller’s or processor’s ability to comply with a federal, state, or local law, rule, or regulation. Utah Code Ann. § 13-61-304(1).
- Iowa: The ICDPA does not restrict a controller’s or processor’s ability to comply with federal, state, or local laws, rules, or regulations. Iowa Code § 715D.7(1).
Thus, similar to the original CCPA, these laws reward covered businesses that carefully manage their data with retention schedules and that delete unnecessary data. Covered businesses that manage personal data under a legally validated retention schedule and that dispose of such data once retention is no longer legally required can avoid uncertainty, inefficiency, and cost in handling consumer deletion requests.
And on and on…
And it ain’t over yet, not even close. Comprehensive consumer privacy bills are percolating in many more state legislatures across the country. In April alone, three new comprehensive consumer privacy acts passed in state legislatures and were sent to governors in Indiana, Montana, and Tennessee. If signed into law, these three additional states’ laws will have the same double impact on data deletion as those of Virginia, Colorado, and Connecticut, by both (1) explicitly requiring data minimization and storage limitation, and (2) incenting covered businesses to use legally validated retention schedules and data deletion to curb inefficiency and cost in handling customer deletion requests:
- Indiana Consumer Data Privacy Act (ICDPA) (effective January 1, 2026): A controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer, and the controller must not process personal data for purposes that are neither reasonably necessary for nor compatible with the disclosed purposes for which the personal data is processed, unless the controller obtains the consumer’s consent. Ind. Code § 25-15-4-1(1)&(2). “Processing” includes storage and deletion of personal information. Ind. Code § 25-15-2-21. And in handling consumer data requests, the ICDPA does not restrict a controller’s or processor’s ability to comply with federal, state, or local laws, rules, or regulations, such as retention requirements. See Ind. Code § 25-15-8-1(a)(1).
- Montana Consumer Data Privacy Act (MCDPA) (effective October 1, 2024): A controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed, as disclosed to the consumer; and must not, except as otherwise provided in the MCDPA, process personal data for purposes that are not reasonably necessary to or compatible with the disclosed purposes for which the personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent. MCDPA § 7(1)(a)&(2)(a). “Processing” includes storage and deletion of personal data. MCDPA § 2(17). And when handling consumer data requests, nothing in the MCDPA restricts a controller’s or processor’s ability to comply with federal, state, or municipal ordinances or regulations, such as retention requirements. See MCDPA § 11(1)(a).
- Tennessee Information Privacy Act (TIPA) (effective July 1, 2025): A controller must limit the collection of personal information to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer; and, except as otherwise provided in TIPA, must not process personal information for purposes that are beyond what is reasonably necessary to and compatible with the disclosed purposes for which the personal information is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent. Tenn. Code Ann. § 47-18-3204(a)(1)&(2). “Processing” includes storage and deletion of personal information. Tenn. Code Ann. § 47-18-3201(18). And for responding to consumer data requests, TIPA does not restrict a controller’s or processor’s ability to comply with federal, state, or local laws, rules, or regulations, such as data retention requirements. See 47-18-3208(a)(1).
California set all of this in motion with the CCPA. But remember, this is not the first time that California has lit a match on data-related laws that then swept across the United States. Consider this: in 2003, only California had a state-level law requiring notification of individuals whose PII had been breached. By 2018, PII breach notifications were required by statute in all 50 states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands.
And so, as comprehensive data privacy legislation ignites across the states in 2023 and beyond, the imperative will only escalate for businesses to manage their data with retention schedules and to dispose of unnecessary data.