That’s quite a question in the title! And the answer is yes. As I discussed in my last blog post, personally identifiable information (PII) is the property of the person it’s about, and you need to get permission to use it after a clear disclosure of what you intend to use it for. And, you can keep it only so long as needed for that original purpose, so it’s not a bad idea to state that retention period in the disclosures.
The Problem of Provability
So far, so good – a simple and perfectly reasonable proposition. But, in most cases, that simple proposition is enforced by a legal regime that imposes penalties on the collecting organization for failing to do so. Those penalties may be arbitrarily large, as in the E.U., where the local Data Privacy Authority (DPA) can impose pretty much whatever penalties it sees fit to get the message across, or they can be seemingly small penalties imposed by statute according to some schedule. Here’s the rub about that seemingly small penalty: Multiplication being what it is, a small number multiplied by a large number equals a large number. That $100 fine per violation might seem like it’s not worth bothering too much about, but if each individual person is a violation, and the violation involves 50,000 people, the aggregate penalty gets very big very quickly. And failure to collect all of the needed permissions on something like a website could easily hit a number like that.
As a practical matter, this means that it’s not enough to make the disclosure and obtain the permissions, you have to be able to prove you did it. And that means keeping records of it. And so the small irony of it all is that laws that urge and require you to keep as few records containing PII for as short a period of time as possible pretty much require you to create new records to prove compliance, even if they don’t explicitly say so. And of course, those new records contain PII, showing as they do that you made a particular disclosure to a specific person and obtained the permission of that person to collect and use their information. Likewise, your new permission and disclosure records are subject to the same privacy laws as your other records containing PII, and you can keep them only as long as needed. So, you need to determine and enforce a retention period for them.
In practice, this can be a lot of records. Even very small businesses with a web presence, or a heavily customer-facing business model, can touch a lot of people, and will have a great many reasons to collect information about as many of them as possible. And customers and prospects aren’t the only ones you need to think about either. In some places, you need to make pretty much the same disclosures to employees and others, so that just adds to the mix and the complications. Very quickly, it gets way past the we’ll-track-it-on-a-spreadsheet phase and into some sort of automated management regime that, for example, tracks the people who opt in to information collection on a website. Any sort of web-enabled form fill-in is amenable to this, and most of you had undoubtedly encountered web forms with disclosures and opt-in check boxes concerning privacy. The owner is undoubtedly tracking your opt-in for exactly the reasons we just discussed. If you were to file a complaint – and people do – they would respond by producing a record of the date and time you opted in, and probably a copy of the language of the disclosures and permissions.
Establish A “Reasonable” Retention Period
All of this raises the inevitable question, how long do we keep this stuff? Well, a reasonable period, whatever that is. In the absence of a hard requirement, which may be there someplace or not, you need to determine what the applicable statute of limitations is for privacy violations in the jurisdiction(s) in question. It might be a specific statute of limitation for privacy violations, or it might be a more general one. Whichever, that’s your starting point. Remember, you’re allowed to keep these records long enough to defend yourself in a legal action or administrative investigation, but if you think you might want to keep them longer than that, do so advisedly, and make sure your reasoning is sound and strong.
The last thing you need is a privacy violation for trying to avoid a privacy violation.
For more on how to ensure PII consent can be responsibly managed, check out this webcast recording: Webcast: Privacy Impact Assessments – Why You Need Them, What You Need to Know