How Long We Keep Your Information Clause

Written by John Lister (FreePrivacyPolicy Legal writer) and last updated on 03 August 2022.

Most privacy laws cover how you can collect, use and share personal information, but that's not the end of the story. Some laws also say you must tell users how long you will keep their information before disposing of it.

Even if a law doesn't require it, giving users these details will make them more confident about providing their personal information.

Here's what you need to know about drafting and displaying this type of clause.


Rationale Behind a How Long We Keep Your Information Clause

When a privacy law says you must tell customers how long you will keep their information, it's usually designed to help them make informed decisions. This could be about whether to consent to data processing, whether to provide personal information, or whether to be a customer in the first place.

Many users view data processing as a matter of being reasonable. They understand you need to use their personal data as part of providing a service, or even as part of your business model, but don't want you to use it excessively or without restraint.

Knowing how long you will keep the data helps them decide whether you plan to use it in a reasonable and proportionate way. It also helps them better assess the risks to (and impacts on) their privacy.

For these reasons, it often makes sense to include a "how long we keep your information" clause even if you aren't covered by a privacy law that specifically requires you to do so.

Laws Requiring a How Long We Keep Your Information Clause

The following laws explicitly or implicitly cover telling users how long you will keep their data.

The General Data Protection Regulation (GDPR)

The GDPR is a European Union law that affects businesses that operate in, serve customers in, or process data in, a European Union country. (At the time of writing, the same measures apply in the United Kingdom through its national laws.)

Article 13(2)(a) of the GDPR says that "to ensure fair and transparent processing" you must tell people "the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period..."

Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA is a Canadian federal law that affects most businesses processing personal information unless they are covered by an equivalent province or territory rule.

Although PIPEDA doesn't explicitly say you must tell people how long you will keep their data, its measures combine to that effect. It says you must only keep data for as long as necessary to fulfill the purposes for which you collect it. It also says you must give people clear information about your data use so that they can give meaningful consent.

Lei Geral de Proteção de Dados Pessoais (LGPD)

The LGPD is a Brazilian law that affects personal data processing where the data subject or the processing is in Brazil. It also applies if the data is collected in Brazil or the processing is done to offer goods or services in Brazil.

The need for a "how long we keep your information" clause is similar to that of PIPEDA. The law doesn't explicitly require such a clause but does say you must give clear information about your data processing, including the purpose, and that you must delete data once it's no longer needed for that purpose.

Other Laws

When other privacy laws do not require you to tell people how long you keep their data, doing so could still help compliance. That's because laws often say processing is only allowed in certain situations, including you having consent to collect and use data.

This consent is often only valid when users have clear information about your data use. Having told them how long you keep the data could help your case if you need to prove you were clear and the consent was meaningful.

What to Include in Your How Long We Keep Your Personal Information Clause

First, you should give a specific timescale for how long you will keep the data. Make sure you are clear whether this time period is calculated from when you first collect the data, when you use the data, or when you have carried out a particular action.

It's useful to highlight where you are legally required to keep information for a certain amount of time, for example in case there's any future dispute or legal situation that requires reference to the information. Explaining this requirement will make clear you haven't set the timescale, particularly when it might seem unreasonably long without context.

Novum Law gives some examples of laws that mean it must keep data for a set period:

Novum Law Data Retention and Destruction Policy: SRA Accounts and AML Compliance sections

The second option for the clause is to explain how you will decide how long to keep the data. This will normally only be appropriate if you don't know a specific timetable.

Some common possibilities include:

  • Until you no longer need it for the stated purpose
  • Until somebody stops being a customer
  • Until the data subject withdraws consent for processing

Blackstone Chambers explains how circumstances affect the timescale:

Blackstone Chambers Personal Data and GDPR Policy: How long do we keep your personal data clause

Here's how Norton Rose Fulbright explains the logic behind its data retention timescales:

Norton Rose Fulbright Privacy Notice: How long we keep your personal data clause

Differing Timescales

The simplest approach is to have a standard timescale (or policy) for how long you keep any personal data. However, you may have a different policy for different types of data.

You could approach this by:

  • Listing the different timescales or policies in the clause
  • Setting out a general timescale and saying it applies unless you specifically say otherwise at the point of requesting or collecting personal information

Note that the California Consumer Privacy Act (CCPA) sets out specific categories of data to use when explaining the types of data you collect, process and sell.

You don't have to give a category-by-category breakdown of how long you keep data. However, doing so could be useful if it would offer extra clarity rather than making things more confusing.

Other Points to Note in a How Long We Keep Your Information Clause

Security

Most privacy laws require you to adequately secure personal data. This includes making sure you delete it in a way that can't be reversed, for example by somebody restoring files or accessing an old back-up without authorization.

If you take specific steps to make sure you dispose of data securely (whether or not the law requires it), you should mention this in your Privacy Policy. This will make customers more confident about providing data in the first place.

Madetech gives a clear assurance on this point:

Madetech Privacy Policy: Store data and securely delete it clause

Google details both its security measures and how this affects the timescales:

Google: How Google Retains Data we Collect page: Enabling Safe and Complete Deletion section

Third Parties

You may pass on data to a third party, for example when a sister company or sub-contractor helps you provide services, or when you sell data. You'll normally need to think about whether and when the recipient will delete their own copy of the data.

For example, you may have a contract term that says they must delete it after a set period, when you ask them to, or after they have finished the relevant work. It may help customers and boost their confidence if you explain this arrangement in your Privacy Policy.

Anonymization/Pseudonymization

Rather than delete data, you may (if the law allows it) have a policy of keeping it but hiding the data subject's identity. This could mean anonymizing the data (removing all identifying information) or using pseudonymization (removing enough data that it can only be linked to an individual when you combine it with other records).

For example, you might want to keep records for overall business analysis (such as tracking the average time of fulfilling orders) without needing to identify individuals.

If you plan to do this, you should not only check if doing so complies with relevant data laws, but also tell users. Ideally you should give the timescales (or relevant factors) both for using the data in its original identifiable format and for using it in an anonymized format.

Deletion Requests

Most privacy laws say you must either consider a request or follow a demand by the data subject to stop using personal data. A customer withdrawing consent (on which you relied to make data processing lawful) usually has the same effect.

Such laws usually say you must make the customer aware of this right through an explicit statement in your Privacy Policy. However, it can be useful to briefly remind the customer of this at the point where you explain your timescale or policy for stopping using data.

Where to Display a How Long We Keep Your Personal Information Clause

In most cases, the best place to address how long you keep data is in a dedicated Privacy Policy.

Unless your Privacy Policy is very short, it usually makes sense to cover this point in a standalone clause. This helps users find specific answers to specific questions, particularly if you use subheadings and menus to organize your Privacy Policy.

The Guardian uses a standalone clause that's easy to find thanks to its table of contents:

The Guardian Privacy Policy Table of Contents: How long we keep your personal data section highlighted

Some laws explicitly or implicitly say users must know how long you will keep their data before they provide it or consent to you using it.

You should do this by providing the details at the point somebody is about to provide data (for example on a sign-up or order form) by one of the following methods:

  • Include the details on the page itself
  • Include the details in a pop-up window
  • Explicitly link to your Privacy Policy. To be certain the user has made an informed decision, you can ask them to tick a box confirming they have opened the link and read the policy.

Summary

Let's recap what you need to know about a "how long we keep your information" clause:

  • Some privacy laws mean you must tell people how long you will keep their data, or how you'll decide how long:
    • The GDPR explicitly requires this
    • PIPEDA and the LGPD have measures that combine to require this in effect
    • With some other laws, this detail can help make sure processing based on consent is valid
  • Even if the law doesn't require it, telling people how long you'll keep their data will make them more comfortable about providing the data
  • You should either tell people how long you will keep their data and when this time period starts, or how you'll decide when to delete it
  • Other points to address include:
    • How you delete data securely
    • What happens to data you've shared with a third party
    • Whether you keep data in an anonymized or pseudonymized format
    • Whether the customer has the right to tell you to stop using the data
  • "How long we keep your information" works best as a standalone clause in your Privacy Policy. Make sure you either reproduce the details or link to the policy at any point when you are about to collect personal information.