Create a comprehensive Data Retention Policy compliant with CCPA, HIPAA record retention, SOX Section 802, FLSA, FTC Disposal Rule, and state data privacy laws. Covers retention schedules for employee, financial, customer, and health records, secure destruction procedures, legal holds, and consumer data rights.
What Is a Data Retention Policy?
A Data Retention Policy is a formal document that establishes an organization's procedures for retaining, managing, and securely destroying personal data and business records. The policy specifies how long different categories of data will be kept, the legal basis for each retention period, the methods of secure destruction, and the responsibilities of personnel involved in data management.
In the United States, data retention is governed by a patchwork of federal and state laws. There is no single comprehensive federal data retention statute. Instead, various sector-specific laws establish minimum retention periods for specific categories of records. The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to retain HIPAA-related documentation for at least 6 years from the date of creation or the date it was last in effect (45 CFR 164.530(j)). The Sarbanes-Oxley Act (SOX) Section 802 requires public companies to retain audit work papers for 7 years and criminalizes the knowing destruction of documents relevant to federal investigations (18 U.S.C. 1519).
The Fair Labor Standards Act (FLSA) requires employers to retain payroll records for at least 3 years (29 U.S.C. 211(c)). The IRS requires payroll tax records for 4 years and general tax records for 3-7 years depending on the circumstances. The Equal Employment Opportunity Commission (EEOC) requires personnel and employment records to be retained for at least 1 year from termination (29 CFR 1602.14).
At the state level, the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), introduced data minimization principles requiring businesses to retain personal information only for as long as reasonably necessary for the disclosed purpose. Similar requirements exist under the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), and Connecticut Data Privacy Act (CTDPA). The FTC has also emphasized data minimization as a key principle of fair information practices.
When Do You Need a Data Retention Policy?
A Data Retention Policy is needed by every organization that collects, stores, or processes personal data or business records. This includes virtually all businesses operating in the United States, regardless of size or industry.
Organizations subject to HIPAA — including healthcare providers, health plans, healthcare clearinghouses, and their business associates — must have documented retention policies for protected health information and HIPAA compliance documentation. The 6-year minimum retention period under 45 CFR 164.530(j) applies to policies, procedures, complaints, and disposition records.
Publicly traded companies subject to the Sarbanes-Oxley Act must retain audit work papers and related documentation for 7 years under SOX Section 802. The intentional destruction of documents relevant to a federal investigation is a criminal offense under 18 U.S.C. 1519.
Businesses operating in California or collecting personal information from California residents must comply with the CCPA's data minimization requirements and must be able to respond to consumer deletion requests within 45 days. Similar requirements apply in Virginia, Colorado, Connecticut, and other states that have enacted comprehensive privacy laws.
The FTC has brought enforcement actions against companies that retained consumer data longer than necessary or failed to securely dispose of personal information. The FTC Disposal Rule (16 CFR Part 682) specifically requires businesses to take reasonable measures to protect consumer information during disposal.
A Data Retention Policy should be established when the organization is formed and should be reviewed at least annually. It must be updated whenever there is a material change in applicable law, the organization's data processing activities, or its business operations.
What to Include in Your Data Retention Policy
A comprehensive Data Retention Policy must address several essential elements to comply with the complex landscape of federal and state data retention requirements.
The legal framework section should identify all applicable federal laws (HIPAA, SOX, FLSA, FACTA, IRS requirements) and state-specific privacy and records retention laws such as the CCPA. The scope should define what data and records are covered and who is subject to the policy.
The retention schedule is the core of the policy. It must specify maximum retention periods for each category of data, including employee records, financial and accounting records, customer and consumer data, health information, and tax records. Each retention period should reference the specific legal basis.
Secure destruction procedures must comply with the FTC Disposal Rule (16 CFR Part 682) and NIST SP 800-88 guidelines for media sanitization. The policy should specify methods for destroying paper records, electronic records, and storage media, and should require a destruction log.
Legal hold procedures are critical. The policy must establish a process for suspending routine destruction when litigation, government investigation, or regulatory inquiry is anticipated or pending. SOX Section 802 criminal penalties make legal hold compliance essential for public companies.
Consumer data rights must be addressed, including the right to request deletion under the CCPA and similar state laws. The policy should describe the process for verifying and responding to deletion requests and the exceptions that may apply.
Responsibilities should be assigned to the privacy officer, department heads, and all employees. The policy review schedule, audit process, and consequences for non-compliance should be clearly stated. The policy should designate a policy owner and require annual review at minimum.