Blog

Checking Your Foundation: The Role of the Retention Schedule in CCPA Compliance

Reggie Pool | June 24, 2020

For companies still conducting business remotely, the days leading up to the July 1 enforcement date for the California Consumer Privacy Act (CCPA) will be busy -- putting in place essential elements to comply with the country’s most comprehensive privacy law and trying to anticipate amendments to come. We have written elsewhere about privacy data maps, typically manifest as tables detailing the information a company possesses and the path it travels through various systems before landing in its final storage location. But little attention has been paid to the data map’s counterpart: a company’s records retention schedule. While tools like a data map are important elements of successful CCPA compliance, an important preliminary step is to make sure your business has a strong foundation in place, including a functional records retention schedule.

How a Records Retention Schedule Relates to CCPA Compliance

As a cornerstone in any sound information governance program, a schedule gathers business documents into categories based on their content (what the document discusses within the body), context (how the document demonstrates business activity, obligations or strategy), construction (whether the document is a project plan, general ledger, binding contract, etc.) and controller (who is responsible for ensuring the official business document is securely stored in a controlled repository). The current industry standard calls for each category to be accompanied by a narrative description of the documents within a specific category with a few representative examples. With few exceptions, records must be securely destroyed when the assigned retention period expires.

A true media-agnostic schedule – encompassing paper and electronically stored records – can give companies with stable information governance infrastructure a head-start on constructing a process for fulfilling obligations stated in the CCPA, even in the absence of a data map.

Right to Access Personal Information

Like foundation stakes, the record retention schedule and its interaction with other systems puts back-end structure in place for consistently organizing content so as to be able to respond to consumers’ right to access personal information. The CCPA gives California consumers the right to know what personal information covered companies have collected about them. Under this right to access, companies not only have to disclose the categories of personal information collected, but are also obligated to provide a list of the individual pieces of information collected once the consumer’s identity is verified. The ability to fashion a timely response to a consumer depends upon a company’s ability to locate, isolate and produce sensitive information within the time allotted by the Act (45 calendar days, plus an additional 45 calendar days the company notifies the requesting consumer that it needs additional response time).

Complying with the right to access is the first area where we see the utility of a retention schedule beyond mere retention guidance. When the schedule is also used as the basis for taxonomies, naming conventions and file plans, documents containing relevant personal information can more quickly be identified. Narrative descriptions found in the schedule can indicate when a group of documents contain content like account, payer identification and social security numbers, along with other identifying information. A simple reference to a key word or phrase from a stated record category or the alpha-numeric code included in a file name can help cut down on the time needed to locate data to respond to a customer. Further, using information technology resources to integrate a schedule into existing systems (e.g., Office 365, iManage) only makes the connection between unstructured data and record categories stronger.

Right to Delete Personal Information

Well-crafted retention schedules that ensure timely records destruction help companies guard against and check for foundation “cracks,” helping them comply with consumers’ right to have their information deleted. Even with the exceptions listed in the law, the right to delete granted to California consumers in the CCPA is powerful. More than just obstructing the constant flow of pop-ups, follow-ups, email and mailers, customers can truly sever contact by pulling their valuable personal information from a business’ corporate repositories, blocking the future sale of products and services. A customer may also be presented with the choice to delete certain portions of personal information if a “global” delete function exists and is prominently displayed among all available options. At the end of the legally prescribed time, a business must completely and permanently delete all personal information from its repositories that could be used to facilitate future contact.

Executing a request to delete personal information involves not only knowing where relevant information resides, but being confident that redundant, outdated and trivial information is not allowed to establish extended residence in corporate repositories after it should have been destroyed. At its core, a records retention schedule prompts the timely destruction of expired information and discourages data sprawl. Uncontrolled growth of data makes fulfillment of the CCPA obligation to destroy all of a customer’s personal information upon request nearly impossible, as the amount of effort needed to conduct thorough searches multiplies. Disciplined implementation of a records retention schedule also ensures that truly important documentation is maintained over time. Compliance with the right to delete necessitates the use of a ticketing system, logging the receipt of consumer requests through formal response, and a register of deleted consumers. Evidence of compliance is the key to thwarting any enforcement action or demand for money damages.

Right to Opt-Out of Sale of Personal Information

Under the CCPA, subject companies must prominently display a web link “Do Not Sell My Personal Information” that enables a California customer to opt-out of the sale of personal information to other companies. The right California consumers now have to prevent the sale of their personal information goes beyond the mere exchange of data for money: it also covers disclosure of personal information to third parties for services like marketing, targeted data collection and cookie delivery. Even third-party services received for “free” are covered by the CCPA’s definition of “sale.” As a result, businesses must track all third parties to which its customers’ personal information is provided and the conditions under which it is managed. The California Privacy Rights Act (CPRA), already slated to appear on the California 2020 ballot, will further reinforce consumer rights granted in the CCPA. Proposed language in the (“CPRA”) extends data protection obligations to include third parties, and in the meantime, it is unlikely that companies will be able to avoid blowback to corporate reputation if opt-out is not honored by third-party business partners.

The ability to fully comply with the CCPA depends upon having strong relationships with third parties so a company can confirm the destruction of personal information and cessation any additional contact based on agreed-upon data handling guidelines. Only once a company is comfortable with executing its own schedule will it be able to recognize the lack of retention discipline in third parties and head off any potential issues when a customer exercises the right to opt-out. A business with mature information governance practices will require third parties to apply retention requirements like those in its own schedule before entrusting them with its customers’ personal information. Before contracting with a third party that will have access to customer personal information, a company should perform due diligence on the data handling practices of that service provider. A third party that does not have a strong records retention program likely does not have naming conventions or file plans in place for the efficient retrieval of data. Further, the exercise of a customer’s opt-out right will likely fall through cracks in the third party’s process.

Conclusion

A records retention schedule is the bedrock of solid records management on which most other compliance-oriented programs are built, including processes to fulfill CCPA obligations. Whether helping to cut down on the time needed to find relevant information to respond to an access request, protecting a company from being crushed by the weight of unnecessarily accumulated information, or engendering a better understanding of what type of information handling standards need to be imposed on third parties, a fully functioning schedule provides a proper foundation on which other information governance activities can stand. For more information about developing a strong records retention program, please feel free to contact me or another member of HBR’s information governance team.