Some privacy laws require businesses to create data retention policies, but figuring out the maximum amount of time you can hold on to data can be complicated.
Data privacy is a new and rapidly evolving area of law. New laws are being passed, regulations written, and court cases resolved. While that may be exciting for privacy professionals, for businesses that have to comply with laws like the California Consumer Privacy Act (CCPA), it means they can’t just become privacy compliant and then forget about it.
Continuous compliance requires staying up to date with all of these developments and adjusting your practices accordingly. Here we’ll explain why that is (with examples), and what you can do about it.
If you’re not a legal professional, it would be understandable to think that once a statute is passed by a legislature, that’s the law and nothing about it changes unless the legislature passes a new statute.
However, in the United States and many other countries, “the law” is formed from multiple sources, such as regulations and judicial opinions, and evolves over time even if the statute itself never changes.
Take the CCPA, for example. It’s a comprehensive law, but the legislators knew they couldn’t predict every eventuality, so they delegated authority to the California Privacy Protection Agency to create and revise regulations. These regulations have to stay within the boundaries created by the CCPA, but they still have the force of law and can be changed relatively easily.
Now imagine that a business has been accused of violating the CCPA and fights that accusation in court. The judge will look at the various sources of law (the CCPA, the Agency’s regulations, and what other judges have decided in the past), and apply the rules to the specific facts of the case in front of them. Afterwards, that judicial decision itself becomes a new source of law, and any business engaging in similar behavior will have to examine the decision carefully and figure out how it applies to them.
Don’t feel bad if this is a little confusing. Lawyers study for years learning to determine what the law is in a specific situation, and then spend the rest of their careers disagreeing with each other about it.
The main point to understand is that privacy laws are not static; they can change greatly over time, and businesses have to keep up or face repercussions.
Comprehensive data privacy laws are a recent phenomenon; the EU passed its how long they intend to retain all categories of personal information
This is by no means an exhaustive list, and the changes are still coming. For example, the CPPA is currently drafting rules regarding when and how businesses must submit risk assessments for their data processing. Once those rules are finalized, all businesses will have to review them and decide what they mean for them.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.