The California Privacy Rights Act comes into effect on January 1, 2023. Among its new requirements is a new data retention provision. Personal and sensitive information must be disposed of when its purpose has been fulfilled, and the organization must disclose the retention policy at the time of collection. Additionally, the data retention policies apply to data collected on or after January 1, 2022. Under CPRA, companies can no longer simply hold individuals’ personal data forever; they must have robust data retention and disposal practices.
Every organization has data retention policies, but very few actually operationalize them. CPRA shines a light on these practices and holds organizations accountable for them. The regulation also establishes a new enforcement agency, which indicates increasingly vigorous enforcement as CPRA goes into effect. Data breach risks are also heightened, as litigators can easily show negligence when data is kept beyond its retention period.