---
title: "US CPRA Retention Guide"
canonical_url: "https://www.sorena.io/artifacts/us/california-privacy-rights-act/retention"
source_url: "https://www.sorena.io/artifacts/us/california-privacy-rights-act/retention"
author: "Sorena AI"
description: "US CPRA guidance for Retention, with practical decisions, evidence, edge cases, and external source citations."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "US CPRA"
  - "Retention"
  - "US CPRA Retention"
  - "compliance checklist"
  - "practical guidance"
  - "Compliance"
  - "Regulatory guidance"
---

# US CPRA Retention Guide


## US CPRA Retention

Retention under the US CPRA is about setting a real retention period, saying it in the notice, and keeping personal information only as long as the disclosed purpose needs it.

This page shows what to disclose, how to pick a reasonable period or criteria, and what evidence teams should keep. Confirm legal and policy assumptions before implementation.

Retention under the US CPRA means telling consumers how long each category of personal information will be kept, or the criteria used to decide that period, and then keeping the data only for as long as is reasonably necessary and proportionate for the disclosed purpose. This page explains the core rule, the disclosure needed in the privacy notice, and the practical checks teams should use when they set or review retention periods.

## What does CPRA retention require?

The CPRA does not set one fixed number of days or months for every business. Instead, a business must disclose the length of time it intends to retain each category of personal information, including sensitive personal information, or, if that is not possible, the criteria it uses to decide that period.

The same section also says a business must not retain personal information or sensitive personal information for each disclosed purpose longer than is reasonably necessary for that purpose. The CPPA FAQ adds that collection, use, and retention must be reasonably necessary and proportionate to the disclosed or expected purposes.

- List each personal information category and the retention period for that category.
- If an exact period is not practical, state the criteria used to choose the period.
- Keep the period tied to a disclosed purpose, such as account servicing, fraud prevention, tax, or legal defense.
- Delete or deidentify the data when the disclosed purpose no longer needs it.

Sources for this answer:

- [California Civil Code section 1798.100](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=1798.100.&lawCode=CIV&ref=sorena.io) - Requires disclosure of retention length or criteria and limits retention to what is reasonably necessary for the disclosed purpose.
- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - Explains that retention must be reasonably necessary and proportionate to disclosed or expected purposes.

## How should a business pick a reasonable retention period?

Start with the purpose for collecting the data, then ask how long the data is actually needed to complete that purpose and any closely related legal or operational obligations. Do not keep the data just because storage is cheap or because the system has no deletion rule yet.

A reasonable retention period should reflect the shortest period that still supports the disclosed purpose, any required backup or dispute window, and any legal hold or legal obligation that applies.

- Tie the period to a specific purpose instead of a general business preference.
- Review whether a shorter operational period would still work.
- Separate ordinary retention from any legal-hold exception.
- Document why the chosen period is proportionate to the purpose.

Sources for this answer:

- [California Civil Code section 1798.100](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=1798.100.&lawCode=CIV&ref=sorena.io) - Limits retention to what is reasonably necessary for the disclosed purpose.
- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - Confirms the CPRA's reasonably necessary and proportionate standard.

## Who should own the retention decision and what evidence should support it?

The owner should be the team that can change the privacy notice, the data map, deletion rules, and the retention schedule, usually privacy, legal, data governance, or product operations. The reviewer should confirm the period matches the disclosed purpose and the actual business process.

Keep evidence that shows the retention period, the reason for the period, the privacy notice wording, and any later review or deletion workflow update.

- Keep the approved retention schedule with the privacy notice language.
- Save the business rationale for each retained category.
- Record when the schedule was last reviewed and who approved it.
- Keep deletion or deidentification steps documented so the schedule can be audited.

Sources for this answer:

- [California Civil Code section 1798.100](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=1798.100.&lawCode=CIV&ref=sorena.io) - Requires notice of retention length or criteria and supports documented retention decisions.
- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - Explains the CPRA's notice and retention expectations for businesses.

## What should teams check before they publish or update a retention notice?

Check that the notice names each category of personal information and either gives the retention period or explains the criteria used to set it. If the business uses different periods for different systems, the notice should not hide that fact behind one generic statement.

Also check whether any data category is kept for a separate legal reason, such as a legal hold or a required recordkeeping rule, so the notice and the internal deletion workflow stay aligned.

- Use category-level wording, not a single catch-all period for all data.
- Confirm the notice matches the actual deletion logic in production systems.
- Flag any exception that keeps data longer than the normal schedule.
- Review the notice again when the purpose, system, or legal obligation changes.

Sources for this answer:

- [California Civil Code section 1798.100](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=1798.100.&lawCode=CIV&ref=sorena.io) - Requires retention disclosure at or before collection.
- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - Notes that businesses must make certain disclosures, such as posting a privacy policy.

## Primary sources

- [California Consumer Privacy Act Regulations (March 2023)](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - Official CPPA regulations page for current CCPA/CPRA regulatory text and update history.
  - Quote: "approved the California Privacy Protection Agency's regulations"
- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - CPPA FAQ explaining that retention must be reasonably necessary and proportionate to disclosed or expected purposes.
  - Quote: "collection, use, and retention of the consumer's information must be reasonably necessary and proportionate"
- [California Civil Code section 1798.100](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=1798.100.&lawCode=CIV&ref=sorena.io) - California statutory source for notice, purpose limitation, and retention-period disclosure obligations.
  - Quote: "length of time the business intends to retain each category of personal information"
- [California Privacy Protection Agency - CCPA Updates rulemaking](https://cppa.ca.gov/regulations/ccpa_updates.html?ref=sorena.io) - CPPA rulemaking page for updates that may affect privacy workflows, risk assessments, and audit-related retention evidence.
  - Quote: "updated existing CCPA regulations"


