Original broadcast date: 22 July 2021
The California Privacy Rights Act comes into effect on January 1, 2023. Among its new requirements is a data retention provision. Personal and sensitive information must be disposed of when its purpose has been fulfilled, and the organization must disclose the retention policy at the time of collection. The data retention policies also apply to data collected on or after January 1, 2022. Under CPRA, companies can no longer simply hold individuals’ personal data forever; they must have robust data retention and disposal practices.
Every organization has data retention policies, but very few actually operationalize them. CPRA shines a light on these practices and holds organizations accountable for them. The regulation also establishes a new enforcement agency, which indicates increasingly vigorous enforcement as CPRA goes into effect. Data breach risks are also heightened, as litigators can easily show negligence when data is kept beyond its retention period.
Dave Cohen, CIPP/E, CIPP/US, Senior Knowledge Manager, IAPP
Dan Sholler, Product Marketing Manager, Exterro
Matt Dumiak, CIPP/E, CIPP/US, Director of Privacy Services, CompliancePoint
Andrew Serwin, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP, US Chair and Global Co-Chair, Data Protection, Privacy and Security Practice, DLA Piper