Data Retention Policy
CCPA, HIPAA, SOX & FTC Data Minimization
[Company Name]
[Company Street], [Company City], [State] [Company Zip]
Effective Date: [Policy Date]
1. PURPOSE AND SCOPE
1.1 This Data Retention Policy is issued by [Company Name] to establish retention periods for all categories of personal data and business records, and to ensure that data is not retained longer than necessary for the purposes for which it was collected, in accordance with applicable federal and state data privacy and records retention laws.
1.2 This Policy applies to all personal data and business records held by [Company Name] in any format, including paper records, electronic files, email communications, databases, cloud storage, and backup systems. It applies to all employees, officers, contractors, and third-party service providers.
1.3 The Privacy Officer responsible for this Policy is [Privacy Officer Name], [Privacy Officer Title].
2. LEGAL FRAMEWORK
2.1 This Policy is designed to ensure compliance with the following principal federal and state laws:
- California Consumer Privacy Act (CCPA) (Cal. Civ. Code 1798.100 et seq.) and the California Privacy Rights Act (CPRA) — requiring data minimization and limiting retention of personal information to what is reasonably necessary for the disclosed purpose.
- Health Insurance Portability and Accountability Act (HIPAA) (45 CFR 164.530(j)) — requiring covered entities to retain HIPAA-related documentation for at least 6 years.
- Sarbanes-Oxley Act (SOX), Section 802 (18 U.S.C. 1519-1520) — requiring retention of audit work papers for 7 years and prohibiting knowing destruction of documents relevant to a federal investigation.
- Fair Labor Standards Act (FLSA) (29 U.S.C. 211(c)) — requiring payroll records to be retained for at least 3 years.
- Fair and Accurate Credit Transactions Act (FACTA), FTC Disposal Rule (16 CFR Part 682) — requiring reasonable measures to protect consumer information during disposal.
- IRS requirements (26 CFR 31.6001-1) — requiring payroll tax records for at least 4 years and general tax records for 3-7 years depending on the circumstances.
- State data privacy laws of the State of [State], including applicable data breach notification and records retention requirements.
2.2 Additional state privacy laws, including the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and similar state statutes, may impose further data minimization and retention requirements.
3. DATA RETENTION SCHEDULE
3.1 The following retention schedule sets out the maximum period for which each category of data will be retained. At the end of the retention period, records will be securely destroyed in accordance with Section 4 of this Policy.
3.2 Employee Records — Personnel files, employment contracts, performance reviews, I-9 forms, payroll records, and benefits documentation: [Employee Records Retention]. Legal basis: FLSA (3 years for payroll), EEOC (1 year from termination, 29 CFR 1602.14), IRS (4 years for payroll tax records), IRCA (3 years or 1 year after termination for I-9 forms, whichever is later).
3.3 Financial and Accounting Records — General ledger, invoices, receipts, bank statements, tax returns, and audit documentation: [Financial Records Retention]. Legal basis: IRS (generally 3-7 years), SOX Section 802 (7 years for audit work papers for public companies), state corporate records requirements.
3.4 Customer and Consumer Data — Contact information, transaction history, correspondence, and service records: [Customer Records Retention]. Legal basis: CCPA/CPRA (retain only as long as reasonably necessary for the disclosed purpose), applicable state statute of limitations for contract claims.
4. SECURE DESTRUCTION PROCEDURES
4.1 At the end of the applicable retention period, records must be destroyed securely to prevent unauthorized access or disclosure. [Company Name] uses the following primary method of destruction: [Destruction Method].
4.2 Paper records containing personally identifiable information (PII) or sensitive data must be cross-cut shredded to a particle size meeting DIN 66399 P-4 or higher, or placed in a locked confidential waste bin for collection by an approved destruction vendor.
4.3 Electronic records must be permanently deleted using methods compliant with NIST SP 800-88 (Guidelines for Media Sanitization). Simple file deletion or formatting does not constitute secure destruction. Storage media being decommissioned must be physically destroyed or degaussed before disposal.
4.4 Consumer report information must be disposed of in compliance with the FTC Disposal Rule (16 CFR Part 682), which requires reasonable measures to protect against unauthorized access to or use of consumer information in connection with its disposal.
4.5 A destruction log must be maintained recording: the description of records destroyed, the retention category, the date of destruction, the method used, and the name of the person who authorized the destruction. The destruction log itself is retained for 7 years.
5. RESPONSIBILITIES
5.1 The Privacy Officer ([Privacy Officer Name], [Privacy Officer Title]) is responsible for: maintaining and updating this Policy; providing training and guidance to staff on data retention obligations; conducting periodic audits of data holdings; and reporting material non-compliance to senior management.
5.2 All employees and contractors are responsible for: managing records in accordance with this Policy; not retaining personal data beyond the periods set out in the retention schedule; reporting suspected breaches of this Policy to the Privacy Officer; and cooperating with retention audits.
5.3 Department heads are responsible for ensuring that their teams comply with this Policy and for identifying any categories of records not addressed in the schedule that require a retention decision.
6. LEGAL HOLDS AND EXCEPTIONS
6.1 Records subject to a legal hold must not be destroyed even if the standard retention period has expired. A legal hold is triggered by: notice of actual or threatened litigation; receipt of a government investigation or subpoena; a regulatory inquiry; a consumer data access or deletion request under the CCPA that requires investigation; or any other circumstance where destruction of records could constitute spoliation of evidence.
6.2 Under SOX Section 802 (18 U.S.C. 1519), knowingly destroying, altering, or concealing documents with intent to obstruct, influence, or impede a federal investigation or bankruptcy proceeding is a federal crime punishable by fine and up to 20 years imprisonment.
6.3 Where a record falls under two or more retention categories, the longer retention period applies.
7. CONSUMER DATA RIGHTS
7.1 Under the CCPA (Cal. Civ. Code 1798.105), consumers have the right to request deletion of their personal information. Upon receiving a verified deletion request, [Company Name] will delete the consumer's personal information unless an exception applies, including where retention is necessary to complete a transaction, detect security incidents, comply with a legal obligation, or exercise or defend legal claims.
7.2 Similar deletion rights are provided under the VCDPA, CPA, CTDPA, and other state privacy laws. [Company Name] will process all deletion requests in accordance with applicable law and this Policy.
7.3 Records of consumer data access and deletion requests, and the actions taken in response, will be retained for a minimum of 24 months as required by the CCPA regulations (11 CCR 999.317).
8. REVIEW AND AUDIT
8.1 This Policy will be reviewed [Review Frequency] by the Privacy Officer, or sooner if required by a material change in applicable law or the organization's data processing activities.
8.2 The Privacy Officer will conduct an annual audit of data holdings to verify that records are being retained and destroyed in accordance with this Policy.
8.3 Next scheduled review date: [Review Date].
9. BREACH OF THIS POLICY
9.1 Failure to comply with this Policy may result in: a data breach requiring notification under applicable state data breach notification laws; enforcement action by the California Attorney General, FTC, or other regulatory authorities; civil litigation and damages; and disciplinary action up to and including termination.
9.2 Deliberate breach of this Policy — including the unauthorized destruction of records before the retention period has elapsed or the willful retention of data beyond the maximum retention period — may result in disciplinary action up to and including termination.
10. POLICY APPROVAL
This Data Retention Policy was approved on [Policy Date] and is effective as of that date.
Policy Owner: [Policy Owner]
Approved By: [Approved By]
Next Review Date: [Review Date]
This Policy is governed by the laws of the State of [State] and applicable federal law.
Approved By / Authorized Signatory
[Approved By]
Signature
Date: ________________
What Is a Data Retention Policy?
A Data Retention Policy in the United States sets out how long an organization keeps each category of personal data and business records, the legal basis for each period, and how records are securely destroyed once that period ends.
In the United States, data retention is governed by a patchwork of federal and state laws. There is no single comprehensive federal data retention statute. Instead, various sector-specific laws establish minimum retention periods for specific categories of records. The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to retain HIPAA-related documentation for at least 6 years from the date of creation or the date it was last in effect (45 CFR 164.530(j)). The Sarbanes-Oxley Act (SOX) Section 802 requires public companies to retain audit work papers for 7 years and criminalizes the knowing destruction of documents relevant to federal investigations (18 U.S.C. 1519).
The Fair Labor Standards Act (FLSA) requires employers to retain payroll records for at least 3 years (29 U.S.C. 211(c)). The IRS requires payroll tax records for 4 years and general tax records for 3-7 years depending on the circumstances. The Equal Employment Opportunity Commission (EEOC) requires personnel and employment records to be retained for at least 1 year from termination (29 CFR 1602.14).
At the state level, the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), introduced data minimization principles requiring businesses to retain personal information only for as long as reasonably necessary for the disclosed purpose. Similar requirements exist under the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), and Connecticut Data Privacy Act (CTDPA). The FTC has also emphasized data minimization as a key principle of fair information practices.
When Do You Need a Data Retention Policy?
A Data Retention Policy is needed by every organization that collects, stores, or processes personal data or business records. This includes virtually all businesses operating in the United States, regardless of size or industry.
Organizations subject to HIPAA — including healthcare providers, health plans, healthcare clearinghouses, and their business associates — must have documented retention policies for protected health information and HIPAA compliance documentation. The 6-year minimum retention period under 45 CFR 164.530(j) applies to policies, procedures, complaints, and disposition records.
Publicly traded companies subject to the Sarbanes-Oxley Act must retain audit work papers and related documentation for 7 years under SOX Section 802. The intentional destruction of documents relevant to a federal investigation is a criminal offense under 18 U.S.C. 1519.
Businesses operating in California or collecting personal information from California residents must comply with the CCPA's data minimization requirements and must be able to respond to consumer deletion requests within 45 days. Similar requirements apply in Virginia, Colorado, Connecticut, and other states that have enacted comprehensive privacy laws.
The FTC has brought enforcement actions against companies that retained consumer data longer than necessary or failed to securely dispose of personal information. The FTC Disposal Rule (16 CFR Part 682) specifically requires businesses to take reasonable measures to protect consumer information during disposal.
A Data Retention Policy should be established when the organization is formed and should be reviewed at least annually. It must be updated whenever there is a material change in applicable law, the organization's data processing activities, or its business operations.
What to Include in Your Data Retention Policy
A comprehensive Data Retention Policy must address several essential elements to comply with the complex landscape of federal and state data retention requirements.
The legal framework section should identify all applicable federal and state laws (HIPAA, SOX, FLSA, FACTA, IRS requirements, CCPA) and any other state-specific privacy and records retention laws. The scope should define what data and records are covered and who is subject to the policy.
The retention schedule is the core of the policy. It must specify maximum retention periods for each category of data, including employee records, financial and accounting records, customer and consumer data, health information, and tax records. Each retention period should reference the specific legal basis.
Secure destruction procedures must comply with the FTC Disposal Rule (16 CFR Part 682) and NIST SP 800-88 guidelines for media sanitization. The policy should specify methods for destroying paper records, electronic records, and storage media, and should require a destruction log.
Legal hold procedures are critical. The policy must establish a process for suspending routine destruction when litigation, government investigation, or regulatory inquiry is anticipated or pending. SOX Section 802 criminal penalties make legal hold compliance essential for public companies.
Consumer data rights must be addressed, including the right to request deletion under the CCPA and similar state laws. The policy should describe the process for verifying and responding to deletion requests and the exceptions that may apply.
Responsibilities should be assigned to the privacy officer, department heads, and all employees. The policy review schedule, audit process, and consequences for non-compliance should be clearly stated. The policy should designate a policy owner and require annual review at minimum.
Sources & Citations
Statutory citations link to official government sources.
- 18 U.S.C. 1519 (US) – Cornell LII
- 29 U.S.C. 211 (US) – Cornell LII
- 45 CFR 164.530 (US) – eCFR
- 29 CFR 1602.14 (US) – eCFR
- Fair Labor Standards Act (FLSA) (US) – Cornell LII
- Health Insurance Portability and Accountability Act (HIPAA) (US) – Cornell LII
- Sarbanes-Oxley Act (SOX) (US) – Cornell LII
- California Consumer Privacy Act (CA, US) – official source
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Data Retention Policy (United States) [Legal document template]. Forms Legal. https://forms-legal.com/usa/business/policies/data-retention-policy
"Data Retention Policy (United States)." Forms Legal, 2026, https://forms-legal.com/usa/business/policies/data-retention-policy.
@misc{formslegal-data-retention-policy,
author = {{Forms Legal}},
title = {Data Retention Policy (United States)},
year = {2026},
howpublished = {\url{https://forms-legal.com/usa/business/policies/data-retention-policy}},
note = {Free legal document template. Based on Uniform Commercial Code (UCC)}
}
Frequently Asked Questions
A data retention policy is a written policy that an organization adopts to govern a specific aspect of its operations and to set clear expectations for employees or users. A data retention policy governs how long an organization keeps different types of data and when and how it disposes of data, balancing legal requirements, business needs, and privacy. Having a written policy is important because it communicates the organization's rules and expectations consistently, helps ensure compliance with applicable laws and regulations, provides a basis for fair and uniform enforcement, and can protect the organization in disputes by documenting its standards and procedures. The policy should be clearly written, communicated to those it covers, and applied consistently, and it should be reviewed and updated as laws and circumstances change. Because the policy guides behavior and supports compliance, it should be tailored to the organization's actual practices and the relevant legal requirements rather than copied generically. A well-drafted data retention policy reduces confusion, supports consistent treatment, and helps the organization manage the area it addresses, while giving employees or users clear guidance on what is expected and what the organization's standards are.
A data retention policy should include the categories of data the organization handles, the retention period for each category, the legal and business reasons for those periods, and the procedures for securely disposing of data when the retention period ends. Different data types have different retention requirements: tax and financial records, employment records, contracts, and certain regulated data each have legal retention periods, while other data should be kept only as long as needed for business purposes. The policy should specify who is responsible for managing retention, how data is stored and protected during the retention period, and how it is securely deleted or destroyed afterward. It should also address legal holds, which suspend normal deletion when litigation or an investigation is anticipated. Because retaining data too long increases privacy and security risk and storage costs, while deleting it too soon can violate legal requirements, the policy should balance these concerns. A well-drafted data retention policy ensures the organization keeps data for the required periods, disposes of it properly afterward, and complies with applicable legal and regulatory retention obligations.
How long a business should retain records depends on the type of record and the applicable legal, tax, and regulatory requirements, which vary by category. Tax records are commonly kept for several years, with the IRS generally recommending at least three years and longer in certain situations; employment records have retention periods set by various laws; and contracts, corporate documents, and regulated industry records have their own requirements. Beyond legal minimums, businesses consider how long records are useful for business and potential litigation needs. Some records, such as those subject to a legal hold for anticipated or pending litigation, must be preserved regardless of the normal schedule. Because the required retention periods differ by record type and jurisdiction, a business should base its data retention policy on the specific legal requirements that apply to its records, rather than a single blanket period. Keeping records for the required time supports compliance and the ability to respond to audits or disputes, while disposing of them afterward reduces risk and cost. The policy should reflect these category-specific retention periods.
Keeping data too long creates several risks, including greater exposure in a data breach, higher privacy and compliance liability, increased storage costs, and more burden in litigation. The more personal and sensitive data an organization retains, the more is exposed if a breach occurs, increasing potential harm and notification obligations. Privacy laws, such as the General Data Protection Regulation and various state laws, embrace the principle of data minimization, expecting organizations to keep personal data only as long as necessary, so retaining it beyond the needed period can create compliance issues. Excess data also raises storage costs and can become a liability in litigation, where retained records may have to be searched and produced in discovery. By contrast, deleting data too soon can violate legal retention requirements. Because over-retention increases risk while under-retention can violate the law, a data retention policy should keep data for the required periods and securely dispose of it afterward. Disposing of data that is no longer needed reduces breach exposure, supports privacy compliance, and limits the costs and risks of holding unnecessary information.
A legal hold is a directive that suspends the normal deletion of data and requires the preservation of records when litigation, an investigation, or an audit is reasonably anticipated or pending. Under the rules governing litigation, a party has a duty to preserve potentially relevant evidence once it reasonably anticipates litigation, and failing to do so, including by deleting data under a routine retention schedule, can lead to serious consequences such as sanctions for spoliation of evidence. A legal hold overrides the data retention policy's normal disposal schedule for the affected data, ensuring relevant records are not destroyed. The organization issues the hold to the people who possess relevant information, identifies the data to be preserved, and suspends deletion until the matter is resolved and the hold is lifted. Because destroying data subject to a duty to preserve can result in penalties, a data retention policy should include a legal hold process that takes precedence over routine deletion. Implementing legal holds promptly when litigation is anticipated protects the organization from spoliation sanctions and ensures it meets its preservation obligations.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.