Records Management Regulations California Businesses Need to Know

Knowing these essential ins and outs of records management regulations can keep California businesses protected from legal recourse.

Proper records management procedures should be a prerequisite for all businesses—but they’re not. Blame it on a global pandemic or lack of buy-in for a records management program.

The reality is, attention to records management is no longer something businesses can deprioritize. Document storage and shredding is a practice businesses need to comply with due to a myriad of regulations.

Consumer Privacy is (Really) Happening

According to an article in the National Law Review, “New data privacy laws in jurisdictions around the world, including a number of new state laws surrounding consumer data in the United States, have added urgency for organizations working to develop and improve their records management and information governance practices.”

In January 2023, The California Privacy Rights Act (CPRA) went into effect, requiring businesses to disclose the length of time they plan to keep personal information and respond to consumers who send their company a Data Subject Access Request.

As a result, records managers should be aware of their own records but also the consumer data that they collect, how it is collected, where it is collected, and how to retrieve it if requested. It’s a lot; we get it. But this is where CPRA employee training will help get everyone up to speed.

A Call for Employee Privacy

While we’ve talked about the kind of data the CPRA protects from a consumer standpoint, what’s also important to note is that data on employees, job applicants, independent contractors, and business-to-business operations must also be protected.

According to Bloomberg Law, California will be the first state in the U.S. require companies to give employees more control over what personal information is collected and how it’s used.

Additionally, as stated in the CPRA, former and current employees have the right to request a copy of their personnel records, including information about their performance. Examples of personnel records that may be requested include employment applications, payroll authorization forms, layoff, leave of absence, vacation, and related notices, performance reviews, or warnings, discipline, and/or termination notices.

Plus, on January 1, 2022, Governor Newsom signed Senate Bill 807, which requires employers to retain personnel records for applicants and employees for a minimum of four years (up from three years). The retention period of these files could be longer if the employer is notified that a complaint has been filed through the California Department of Fair Employment and Housing (DFEH).

Records Retention 2.0

You already know about the basics of records retention (we’ve talked about it a lot) and featured blogs by Helen Streck like this one on the importance of putting a records retention policy in place. A crucial part of this means creating a retention schedule (i.e., a master doc that shows what kind of information the company has and how long to keep it) that everyone sticks to.

There are some standard guidelines for building a retention schedule that explain how long the company needs to keep each type of record as part of its compliance requirements. For example, any financial records must be kept for seven years after they are created or received and should be stored securely. And all business tax records must be kept for five years after the filing due date.

Now it’s time to take it a step further and look at the actual statutes surrounding records management. Keep in mind, various records retention laws exist at federal, state, and local levels. For example:

  • Some states, like California, have specific laws that require businesses to keep records related to their activities in an organized and secure manner and actively maintain a retention schedule.
  • Under the CPRA, a business shall not retain a consumer’s personal information for longer than is reasonably necessary for the stated purpose it was collected.

Deconstructing Electronic Data

Obviously, records are kept in two different forms—electronic and paper. And depending on the type, different retention laws and policies may apply.

Just recently, new records mandates were issued by the National Archives and Records Administration to clarify a decade-old rule known as the Capstone approach for retaining electronic communications.

In 2013 the Capstone approach allowed for agencies to shift from having to print out and file all emails sent and received by officials to an automated system.

In the new update, the requirement has been expanded to include any electronic message, including email-based chats, independent chat messengers, and text messages. And these messages must be kept for 15-to-30 years, or after declassification review, whichever is later.

Expanding the Definition of a Data Breach

There’s no denying, the policies around consumer privacy continue to evolve. And along with them, so does the definition of a data breach. At the federal level, various sectors’ data breach reporting requirements continue to evolve.

At the state level, the California Data Breach Notification Law requires businesses operating in the state to report any breaches that involve the personal information of their customers.

Recently nine other states have amended their statutes to impose notice requirements broadening existing definitions of personal information, increasing the context of reporting requirements, requiring stricter notification timeframes, and allowing the Attorney General to publish data breach information.

While a data breach, due to non-compliance or malicious acts, is the worst-case scenario, staying up to date with the changing landscape and implementing a management program are essential to business operations.

Are you ready to get ahead of records management?

Whether you’re focused on electronic or paper records storage and destruction, Corodata can support you with a secure, compliant, and complete solution. Let’s get started.
Yes, I’m ready