Most privacy laws cover how you can collect, use and share personal information, but that's not the end of the story. Some laws also say you must tell users how long you will keep their information before disposing of it.
Even if a law doesn't require it, giving users these details will make them more confident about providing their personal information.
Here's what you need to know about drafting and displaying this type of clause.
- 1. Rationale Behind a How Long We Keep Your Information Clause
- 2. Laws Requiring a How Long We Keep Your Information Clause
- 2.1. The General Data Protection Regulation (GDPR)
- 2.2. Personal Information Protection and Electronic Documents Act (PIPEDA)
- 2.3. Lei Geral de Proteção de Dados Pessoais (LGPD)
- 2.4. Other Laws
- 3. What to Include in Your How Long We Keep Your Personal Information Clause
- 3.1. Differing Timescales
- 4. Other Points to Note in a How Long We Keep Your Information Clause
- 4.1. Security
- 4.2. Third Parties
- 4.3. Anonymisation/Pseudonymization
- 4.4. Deletion Requests
- 6. Summary
Rationale Behind a How Long We Keep Your Information Clause
When a privacy law says you must tell customers how long you will keep their information, it's usually designed to help them make informed decisions. This could be about whether to consent to data processing, whether to provide personal information, or whether to be a customer in the first place.
Many users view data processing as a matter of being reasonable. They understand you need to use their personal data as part of providing a service, or even as part of your business model, but don't want you to use it excessively or without restraint.
Knowing how long you will keep the data helps them decide whether you plan to use it in a reasonable and proportionate way. It also helps them better assess the risks to (and impacts on) their privacy.
For these reasons, it often makes sense to include a "how long we keep your information" clause even if you aren't covered by a privacy law that specifically requires you to do so.
Laws Requiring a How Long We Keep Your Information Clause
The following laws explicitly or implicitly cover telling users how long you will keep their data.
The General Data Protection Regulation (GDPR)
The GDPR is a European Union law that affects businesses that operate in, serve customers in, or process data in, a European Union country. (At the time of writing, the same measures apply in the United Kingdom through its national laws.)
Article 13(2)(a) of the GDPR says that "to ensure fair and transparent processing" you must tell people "the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period..."
Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA is a Canadian federal law that affects most businesses processing personal information unless they are covered by an equivalent province or territory rule.
Although PIPEDA doesn't explicitly say you must tell people when you will dispose of their data, its measures combine to that effect. It says you must only keep data for as long as necessary to fulfill the purposes for which you collect it. It also says you must give people clear information about your data use so that they can give meaningful consent.
Lei Geral de Proteção de Dados Pessoais (LGPD)
The LGPD is a Brazilian law that affects personal data processing where the data subject or the processing is in Brazil. It also applies if the data is collected in Brazil or the processing is done to offer goods or services in Brazil.
The need for a "how long we keep your information" clause is similar to that of PIPEDA. The law doesn't explicitly require such a clause but does say you must give clear information about your data processing, including the purpose, and that you must delete data once it's no longer needed for that purpose.
Other Laws
When other privacy laws do not require you to tell people how long you keep their data, doing so could still help compliance. That's because laws often say processing is only allowed in certain situations, including you having consent to collect and use data.
This consent is often only valid when users have clear information about your data use. Having told them how long you keep the data could help your case if you need to prove you were clear and the consent was meaningful.
What to Include in Your How Long We Keep Your Personal Information Clause
First, you should give a specific timescale for how long you will keep the data. Make sure you are clear whether this time period is calculated from when you first collect the data, when you use the data, or when you have carried out a particular action.
It's useful to highlight where you are legally required to keep information for a certain amount of time, for example in case there's any future dispute or legal situation that requires reference to the information. Explaining this requirement will make clear you haven't set the timescale, particularly when it might seem unreasonably long without context.
Novum Law gives some examples of laws that mean it must keep data for a set period:
The second option for the clause is to explain how you will decide how long to keep the data. This will normally only be appropriate if you don't know a specific timetable.
Some common possibilities include:
- Until you no longer need it for the stated purpose
- Until somebody stops being a customer
- Until the data subject withdraws consent for processing
Blackstone Chambers explains how circumstances affect the timescale:
Here's how Norton Rose Fulbright explains the logic behind its data retention timescales:
Differing Timescales
The simplest approach is to have a standard timescale (or policy) for how long you keep any personal data. However, you may have a different policy for different types of data.
You could approach this by:
- Listing the different timescales/policy in the clause
- Setting out a general timescale and saying it applies unless you specifically say otherwise at the point of requesting or collecting personal information
Note that the California Consumer Privacy Act (CCPA/CPRA) sets out specific categories of data to use when explaining the types of data you collect, process and sell.
You don't have to give a category-by-category breakdown of how long you keep data. However, doing so could be useful if it would offer extra clarity rather than making things more confusing.
Other Points to Note in a How Long We Keep Your Information Clause
Security
Most privacy laws require you to adequately secure personal data. This includes making sure you delete it in a way that can't be reversed, for example by somebody restoring files or accessing an old back-up without authorization.
Madetech gives a clear assurance on this point:
Google details both its security measures and how this affects the timescales:
Third Parties
You may pass on data to a third party, for example when a sister company or sub-contractor helps you provide services, or when you sell data. You'll normally need to think about if and when the recipient will delete their own copy of the data.
Anonymisation/Pseudonymization
Rather than delete data, you may (if the law allows it) have a policy of keeping it but hiding the data subject's identity. This could mean anonymizing the data (removing all identifying information) or using pseudonymization (removing enough data that it can only be linked to an individual when you combine it with other records).
For example, you might want to keep records for overall business analysis (such as tracking the average time of fulfilling orders) without needing to identify individuals.
If you plan to do this, you should not only check if doing so complies with relevant data laws, but also tell users. Ideally you should give the timescales (or relevant factors) both for using the data in its original identifiable format and for using it in an anonymized format.
Deletion Requests
Most privacy laws say you must either consider a request or follow a demand by the data subject to stop using personal data. A customer withdrawing consent (on which you relied to make data processing lawful) usually has the same effect.
Here's how The Guardian uses a clause that's easy to find thanks to its table of contents:
Summary
Let's recap what you need to know about a "how long we keep your information" clause:
Some privacy laws mean you must tell people how long you will keep their data, or how you'll decide how long:
- The GDPR explicitly requires this
- PIPEDA and the LGPD have measures that combine to require this in effect
- With some other laws, this detail can help make sure processing based on consent is valid
- Even if the law doesn't require it, telling people how long you'll keep their data will make them more comfortable about providing the data
- You should either tell people how long you will keep their data and when this time period starts, or how you'll decide when to delete it
Other points to address include:
- How you delete data securely
- What happens to data you've shared with a third party
- Whether you keep data in an anonymized or pseudonymized format
- Whether the customer has the right to tell you to stop using the data