
US Privacy Compliance: Step 6 – Data Policy Management

Discover the importance of implementing and managing data policies with the final installment of this six-part series

Bex Evans OneTrust, Product Marketing Manager, CIPP/E


In the final part of this US privacy compliance series, we look at the importance of data policy management when working towards compliance with US state privacy laws. In previous installments of the series, we dove into the key compliance areas organizations should consider when dealing with the provisions of the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (CDPA), and the Colorado Privacy Act (CPA).

We have looked at the fundamental steps on the road to compliance, such as data discovery and data mapping exercises, as well as requirements for conducting privacy impact assessments (PIAs), consumer privacy rights, opt-out of sale, and managing sensitive personal information. However, these compliance efforts may fall flat if the appropriate data management policies are not put in place or properly enforced. In this blog, we take a closer look at what initiatives organizations can implement to enforce data policies, including managing access to data assets, data retention, and data minimization, as well as the different regulatory requirements that each law outlines.

How Does Data Policy Management Differ Across California, Virginia, and Colorado?

Before we can understand how to manage data policies, we should first understand what policies should be developed and what legal requirements organizations have to meet to fulfill these policies.

Retention Policies

Retention policies place a responsibility on the organization to manage the information it holds about data subjects and set limits on the length of time this information can be held. While the CCPA and the CPRA do not provide direct obligations for businesses in relation to data retention, there are statutory and recommended retention periods for certain records within the state. For example, the California Fair Employment and Housing Act (FEHA) sets out statutory minimum periods for which employers should keep employment records, such as successful and unsuccessful candidate information, employee medical records, and information relating to the right to work. Additionally, Division 3 of the California Civil Code highlights recommended retention periods for sales and marketing information such as customer records, marketing records including data used for direct marketing, and data subject access request (DSAR) records.

In comparison, there are fewer retention periods specified in law in Virginia. However, § 59.1-579(b)(2) of the CDPA outlines a general provision for data controllers, stating that controller-processor contracts provide that the processor must, among other things, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law. The CPA also uses similar language in its text but doesn’t elaborate on specific retention schedules for personal information.

One of the central challenges for managing data retention policies is that required and recommended retention periods don’t only vary by state, but they also vary drastically according to the type of data record. Therefore, documenting the retention periods that need to be applied to each type of data record in your data map is critical. Once you’ve set the appropriate retention periods, these can subsequently be managed by automating the destruction, archiving, or redaction of that data and communicating the expiration of these policies downstream to the relevant stakeholders and third parties.

Data Minimization

Data minimization is not a term that is readily seen within the text of US privacy laws, but its sentiment is contained within each of the CPRA, CDPA, and CPA. The CPA is the only law that includes the term data minimization, listing it as one of the duties of the data controller, whereas the CPRA and CDPA include a similar provision but do not reference the term explicitly. When you compare the language used by the CPRA and the CDPA with the language used by the CPA and the GDPR when referring to the data minimization principle under Article 5, you can soon see the similarities.

GDPR – Article 5(1)(c) Personal data shall be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”
CPRA – Section 3(B)(3) “Businesses should collect consumers’ personal information only to the extent that it is relevant and limited to what is necessary in relation to the purposes for which it is being collected, used, and shared.”
CDPA – §59.1-574.2 A controller shall “Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.”
CPA – §6-1-1308.3 “A controller’s collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed.”


To manage data minimization policies effectively, companies should regularly scan and review data records from across the organization. This exercise can help identify personal data, and sensitive data, that was previously unknown to the organization or that has been found in an unexpected location. By automating this process, personal data that is not necessary for the purposes of the processing can be flagged to the appropriate team and trigger remediation workflows to ensure that the data held by the organization is adequate, relevant, and limited to what is necessary.

Data Access

Organizations should pay close attention to how they manage data access policies. In one form or another, the CPRA, CDPA, and CPA require organizations to implement reasonable measures to protect personal data from unauthorized access. While these requirements are often viewed through the lens of external actors obtaining unauthorized access to personal data, by introducing appropriate data access policies to your data governance framework you can help reduce the security risks associated with unauthorized access by internal actors.

CPRA – Section 3(B)(6) “Businesses should take reasonable precautions to protect consumers’ personal information from a security breach.”
CDPA – §59.1-574.3 A controller shall “Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.”
CPA – § 6-1-1308.5 “A controller shall take reasonable measures to secure personal data during both storage and use from unauthorized acquisition. The data security practices must be appropriate to the volume, scope, and nature of the personal data processed and the nature of the business.”


In California, there is also a training requirement aimed specifically at employees who handle consumer access requests. This requirement states that organizations must establish role-based access for employees who handle DSARs once the appropriate employee training has been completed. Records of completed training should be documented in order to correctly enforce access policies.

To manage data access policies, organizations should already have a good understanding of the classification and sensitivity of the data that they hold through data discovery and mapping exercises. Mapped and classified data can help to form the basis of access controls and highlight areas where access should be restricted or instances where data should be masked based on the role of the user. For example, role-based access can be applied to the profiles of users who have completed the adequate training program as stipulated by the CCPA to give them the correct access to personal data necessary for fulfilling DSARs.

How Can Data Policy Management Be Enforced?

Businesses should develop and implement effective privacy governance programs to manage personal information in line with multiple state laws and their varying requirements. Integrating privacy governance workflows into compliance efforts for US state laws can assist with mapping data flows and applying the relevant rules to datasets based on specific provisions under the CCPA, CPRA, CDPA, and CPA. Data governance policies help organizations take a proactive approach to managing incidents, increasing data quality, and mitigating potential violations of state-specific data privacy laws.

Organizations with strong governance processes in place can easily understand what data they have and where, how it is classified, and what risk it brings to the business. Additionally, automation simplifies data policy management by helping to enforce retention policies, populate a centralized data catalog, reduce the footprint of at-risk data, and enable trusted data use across the organization.
