This is the property of the Daily Journal Corporation and fully protected by copyright. It is made available only to Daily Journal subscribers for personal or collaborative purposes and may not be distributed, reproduced, modified, stored or transferred without written permission.

self-study / Data Privacy

Dec. 10, 2021

Time to revive, reinvigorate document-retention policies in light of CPRA

Elizabeth Balfour

Partner, Sheppard, Mullin, Richter & Hampton LLP

Email: ebalfour@sheppardmullin.com

There can be no dispute that it is a best practice for any organization to have a document-retention policy. Identifying an appropriate period of time for documents to be kept, and disposing of documents after they are no longer of use, keeps storage costs down and makes it easier to find the documents that are actually needed. In the litigation context, the costs of having to review and produce documents responsive to discovery requests increase exponentially depending on the amount of data falling within the scope of the requests. If a complex litigation involves 10-15 records custodians and a total of 130 gigabytes of responsive data, this is the equivalent of 6.5 million pages, or 100 truckloads of paper.

According to MarketWatch, with most Fortune 1000 companies spending between $5 and $10 million on ediscovery each year, the market for ediscovery services is expected to grow from $10.76 billion in 2018 to $17.32 billion by 2023.

In light of the astronomical expenses associated with ediscovery, a document-retention policy is best referred to as a "permission to destroy" policy, as it allows the organization to destroy, in an even-handed manner without regard to the substance of the documents, all materials falling within a particular document category, after the identified retention period has expired. Of course, disposal of documents pursuant to a retention period must be suspended once a dispute has arisen or a litigation hold has issued. But even when disposal of documents relevant to litigation occurs, having a retention policy can reduce the risk of terminating sanctions.

In a recent case in the Southern District of California, the defendant company allegedly recorded incoming phone calls without consent and had a two-year retention policy for such calls. Calls were accidentally deleted pursuant to such policy, in violation of a litigation hold. Magistrate Judge Andrew Schopler found that the deletion was pursuant to a retention policy and not done with the intent to deprive the other party of the use of the information, and therefore he declined to award terminating sanctions or an adverse-inference jury instruction under Federal Rule of Civil Procedure 37(e)(2) (Failure to Make Disclosures or to Cooperate in Discovery; Sanctions). The company was required to pay attorney fees associated with litigating the issue and was precluded from introducing call recordings in its defense. Mahboob v. Educ. Credit Mgmt. Corp., 15-cv-0628-TWR-AGS (March 2, 2021).

Until the recent passage of the California Privacy Rights Act, a document-retention policy afforded protection to litigants, reduced storage expenses, and streamlined access to documents. With the arrival of the CPRA, a document-retention policy is now critical to privacy compliance. First, a quick recap: The California Consumer Privacy Act was signed into law in 2018. Civil Code Section 1798.100 et seq. It applies to businesses with over $25 million in gross revenues or that buy or sell personal information from 50,000 or more consumers, or that derive more than one-half of revenues from selling personal information. Civil Code Section 1798.140(c)(1). The CCPA gives consumers the right to limit the collection, use or disclosure of their personal information; the right to request that a business delete their personal information; and the right to sue a business if it failed to implement reasonable security procedures and the consumer's data was breached. The CCPA expanded the definition of "personal information" to include identifiers, biometric data, contact information, internet activity information, and other data tied to a particular individual. Civil Code Section 1798.140(o). The CCPA went into effect January 1, 2020, but had a one-year "look-back" such that businesses needed to be in a position to respond to consumer requests dating back to January 1, 2019.

The CCPA's enactment heralded a flurry of activity by retailers, technology companies and other consumer-facing businesses to conduct data mapping, develop systems to respond to consumer requests, and implement improved security features to protect personal information.

Just as businesses rolled out new systems and procedures to comply with CCPA, California voters approved Proposition 24 in November 2020 -- this is the CPRA (also known as CCPA 2.0).

When the CPRA goes into effect on January 1, 2023, it will replace the CCPA. The CPRA clarifies the definition of which businesses are subject to it, adds a new category of "sensitive personal information" (including Social Security number, driver's license number, financial information, and genetic, biometric, or health information), gives consumers new rights to limit the use of "sensitive personal information," and adds third-party obligations for service providers and contractors to whom a business makes available a consumer's personal information pursuant to contract. The CPRA has enhanced enforcement provisions, including the creation of a new state agency to enforce the law, the California Privacy Protection Agency, and the expansion of a private right of action to apply to data breaches resulting in the compromise of a consumer's email address in combination with a password or security question and answer. It also extends the moratoria for certain personal information collected in the employment and business-to-business contexts to January 1, 2023.

Document retention is front and center in the CPRA. At or before the point of collection, the business must inform consumers of "the length of time the business intends to retain each category of personal information ... or if that is not possible, the criteria used to determine such period." Civil Code Section 1798.100(a)(3). Whereas the CCPA required businesses to identify what personal information was collected and for what purpose, the CPRA adds the requirement that businesses disclose for how long the personal information is kept. The CPRA further requires that the retention of personal information "shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed." Civil Code Section 1798.100(c).

The challenge imposed by the CPRA is to commit to and implement a specific time period for retention, or identify the criteria upon which a specific time period will be assigned, for each category of personal information. A typical document-retention policy is comprised of policy language and an illustrative list of categories of documents with the corresponding retention periods. The retention period applies to documents that may contain numerous different types of information. This inexact method of applying retention meets the pre-CPRA objectives for a document-retention policy.

CPRA has complicated the mission. Now, businesses must assess which categories of personal information may be stored in a particular document, and more thoughtfully consider the appropriate retention period in light of the purposes for which each category of personal information is collected.

In designing a document-retention policy, it is a best practice to retain documents based on a contractual or statutory requirement, business operations requirements, or the need to preserve the ability to pursue or defend a claim. Most companies err on the side of caution, and assign longer retention periods than may actually be required. Surely, there is comfort in holding onto records "just in case." The CPRA requires a paradigm shift in the context of document retention. In the case of personal information, businesses must be zealous in destroying (in a secure fashion) personal information as soon as keeping it no longer serves the business purpose for which it was collected.

A rigorous review of existing document retention policies and an assessment of their implementation is in order. Like the CCPA, the CPRA has a one-year "look-back" which starts January 1, 2022. Now is the time to (1) scrutinize the document-retention policy for any records that contain personal information; (2) map which categories of personal information are stored in which documents; (3) determine for how long such documents are kept and evaluate whether the retention period aligns with the categories of personal information at issue and the purposes for which such information is collected; and (4) adjust the document list and retention periods to align with the CPRA's principle of data minimization: "a business shall not retain a consumer's personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose." Civil Code Section 1798.100(a)(3). Finally, consumer disclosures must be updated to include the length of time for which each category of personal information that is collected by the business is kept (or the criteria upon which the length of time is determined).

If a business covered by the CPRA does not currently have a document-retention policy, putting one in place should be a high priority. Implementation is also critical. An analysis should be conducted of whether the business is well-equipped from a people, process and technology standpoint to carry out the identified retention periods. It may be necessary to evaluate whether existing technology tools are adequate to ensure accurate and timely disposition of documents. In light of the CPRA requirements, renewed attention to information governance is warranted. Adjusting or creating a document-retention policy requires engagement from the business' information technology, legal, and management teams. New regulations under the CPRA are contemplated by July 1, 2022, but the focus on data retention is expected to remain. Make sure to check off "Document Retention" on the list of New Year's resolutions. 
