With the GDPR and CPRA setting the stage for the privacy landscape over the last several years, organizations are still working through how best to fulfill their compliance obligations. An area of the law that teams must navigate is data retention and its complex relationship with user consent.
One question looms large: how long does consent last?
The law is clear on one front: privacy policies must reflect precise terms regarding data retention. But for consent to be valid, organizations must also be able to justify and maintain meticulous records of how and why they’re using data downstream from the point of collection.
Data retention policies should extend beyond compliance and factor trust into the equation. Just because it may be lawful to retain data doesn’t mean it remains in the best interest of fostering strong, trusted relationships that are critical in driving long-term value for your customers and your business.
This is why it’s so necessary for maturing privacy programs to explore the relationship between user consent and data retention policy development. In this post, you can expect to gain a better understanding of the complex nuances presented by the GDPR and US privacy laws. We’ll also explore leading approaches to align compliant data retention policies with trust strategy.
GDPR, CPRA, and Consent
According to the GDPR, consent doesn’t last forever. The quality of user consent will degrade at varying rates — depending on how, when, and for what purpose(s) you collected it. As a result, context is highly relevant to how long consent remains valid.
But the GDPR does not define consent validity in any certain terms. An organization’s obligation under the law is to document its justifications for use and align them with timestamped consent records.
In the US privacy landscape, the CPRA defines consent and its validity similarly to the GDPR.
It also defines that an organization must let their customers know how long they’re keeping each category of their personal information and what basis and rationale they’re using to finalize the retention periods. Other US privacy laws apply similar obligations to organizations, requiring them to have valid data retention schedules and provide clear reasons for keeping data for certain periods of time.
Within the overarching question of how long consent truly lasts, there are two follow-up questions teams must ask themselves. How long is it permissible for companies to retain data collected with consent? And what is a reasonable cadence to remind consumers of the data they consented to share?
Privacy teams need to look at these factors when refining data retention policies and enacting overarching strategies that build customer trust. User expectations must also play a significant role in how long organizations retain personal data.
Data retention and trust
The GDPR and CPRA permit organizations to retain data for as long as is “necessary” — but stops short of placing clear boundaries around how and when consent remains valid. Further complicating the issue, what is “necessary” can carry different definitions and expectations between consumers and businesses.
In the age of digital marketing and online remarketing, businesses can continue to derive value from user data several years later. By appropriately documenting these potential use cases, organizations may be able to establish lawful justification.
But some consumers hold different views regarding consent. They may view “necessary” data retention more closely aligning with the immediate purpose they originally signed up for.
While factoring in consent degradation isn’t explicitly a lawful obligation (at least not at this time), it aligns with your organization’s ability to build and sustain consumer trust. How consumers perceive the limits of consent matters — both to the customers themselves and those responsible for enforcement within the Information Commissioner’s Office (ICO).
Defining your data retention policy
When users believe that a business is not abusing the privilege of maintaining access to their personal data, they’ll be more likely to stay plugged into the value exchange you provide them.
Building consumer trust through your data retention policy requires implementing a consent renewal program based on purpose. This will help your organization maintain clear consent records, which should align with compliance objectives, and allow users to provide up-to-date, informed consent based on real-time conditions.
Next, you must embed a retention schedule within the program that deletes different data types based on your established rules.
Applying a consent renewal program may look like reminding subscribers of what they’ve opted into: newsletters, personalized product recommendations, promotional offers, and more.
For example, if someone signs up to take a survey, and the results come out six months later, the consumer may expect the lifecycle of their data to end there. Compare that to a long-term customer. In that case, they may expect consent for marketing to persist for a longer period, as well as regular reminders to view and manage preferences.
Your data policies must consider the real-time use cases of collecting and applying user data and implement actions that align with compliance and empathy for the end-user experience.
Partner with OneTrust for Consent and Preference Management
Executing a data retention program that respects the ins and outs of consent can be complex. OneTrust Consent and Preference Management streamlines the effort by unifying how and where you apply your retention policies through intelligent automation.
Find out how easy it is to get started by requesting a demo today.
