Skip to content
Magist
AnalyzeRegulationsVendorsCounselUpdatesCompareAbout
← All Controls

Data retention + deletion policy

data-retention-policyDomain: data-privacyType: policy

Description

A data retention policy converts the storage-limitation principle into concrete rules the engineering team can implement. The principle itself is widely shared (GDPR Article 5(1)(e), CCPA disclosure-of-retention requirements at §1798.100(a)(3), sectoral retention rules under HIPAA, PCI DSS, SOX, FINRA, and the equivalents elsewhere), but the operational gap between the principle and an actually-enforced retention schedule is where most program failures live. The policy document is the easy half; the deletion-automation layer that points at the actual data stores is the half that determines whether the policy means anything to a regulator inspecting the live retention behavior. The shape is a per-category table with five columns. Each row covers a category of personal or regulated data (user profile records, support-ticket text, payment-transaction metadata, marketing-event records, vendor-side records held under DPA terms, etc.). The retention period column sets the duration in concrete time units rather than vague "as long as necessary" language. The basis column documents the source of the period: regulatory minimum (tax records, AML records under BSA), regulatory maximum (some health-information regimes set ceilings), contractual obligation (commitments to enterprise customers about deletion windows), legitimate-interest balancing test (the GDPR Article 6(1)(f) analysis where retention sits on legitimate interest rather than another lawful basis), or statute of limitations for foreseeable claims. The deletion or archival mechanism column names the operational job that executes at end-of-period (which table the deletion targets, which job runs it, on what cadence, with what fallback if the job fails). The exception path covers legal-hold scenarios where deletion is suspended pending litigation or regulator inquiry. The trade-off pressure is structural: marketing teams want long retention for re-engagement and lifecycle modeling, product teams want long retention for cohort analysis, but the storage-limitation principle reads necessity narrowly, and a policy that promises 12 months while the analytics warehouse retains five years of the same data is the recurring gap that regulators find through data-inventory review. The statutory anchors define both the principle and the per-jurisdiction specifics. GDPR Article 5(1)(e) sets the storage-limitation principle with Articles 13 and 14 requiring transparency to data subjects about retention. CCPA §1798.100(a)(3) requires disclosure of retention periods for each category of personal information at or before the point of collection. PIPA Korea (Act No. 10465 as amended), KVKK (Turkey), Brazil Marco Civil da Internet (Lei nº 12.965/2014), and the California AADC layer parallel obligations. Sectoral regulators add retention floors that operate as minimums even where the privacy regime would otherwise permit deletion: SOX seven years for financial-reporting-relevant records, HIPAA six years at 45 CFR §164.530(j)(2), PCI DSS v4.0 Requirement 9.4.1.1 for media inventory, BSA five years for AML records. Evidence formats that satisfy a regulator inquiry include the retention schedule itself, the deletion-automation logs showing the schedule being honored in production (with timestamps tying deletion runs back to the policy), and the archival policy covering data that moves to cold storage rather than being purged.

Required by (11 regulations)

  • Marco Civil

    Lei nº 12.965, de 23 de abril de 2014 (Marco Civil da Internet), regulated by Decreto nº 8.771, de 11 de maio de 2016

  • CA AADC

    Cal. Civ. Code §§1798.99.28-1798.99.40 (AB 2273, 2022)

  • CCPA/CPRA

    CCPA §1798.100(a)(3) — disclose retention periods.

    Cal. Civ. Code §§1798.100-1798.199.100; 11 CCR §7000-7102

  • GDPR

    Article 5(1)(e) storage-limitation principle; Articles 13/14 transparency about retention.

    Regulation (EU) 2016/679 of the European Parliament and of the Council

  • PIPA

    Personal Information Protection Act (Act No. 10465, enacted March 29, 2011; last wholly amended by Act No. 19234, effective September 15, 2023)

  • KVKK
  • Texas CUBI

    Implements CUBI's destruction requirement — biometric identifiers destroyed within a reasonable time, no later than one year after the collection purpose expires.

    Capture or Use of Biometric Identifier Act (CUBI)

    Source →

  • Washington Biometric Privacy

    Implements RCW 19.375's requirement to retain biometric identifiers no longer than reasonably necessary for the enrollment purpose.

    Washington Biometric Identifiers Act (HB 1493, 2017)

    Source →

  • Illinois AIVIA

    Implements AIVIA's 30-day deletion-on-request duty for applicant videos, including instructing recipients to delete copies.

    Illinois Artificial Intelligence Video Interview Act

    Source →

  • Chile Law 19.628

    Chile's data-protection regime requires personal data not be retained beyond its collection purpose.

    Ley N° 19.628 sobre Protección de la Vida Privada (1999); to be substantially superseded by Ley N° 21.719 (2024) effective 2026-12-01

    Source →

  • UK GDPR

    UK GDPR Article 5(1)(e) storage-limitation requires a defined retention schedule.

Fulfilled by (2)

  • onetrust · partial · medium effort · $$
  • In-house build · medium effort

Magist does not accept payment from vendors. Methodology.

Evidence formats

  • retention schedule
  • deletion automation logs
  • archival policy

Magist provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.

Magist

Pre-launch regulatory analysis for product teams. Built by a lawyer, designed for PMs.

Tools

  • Analyze
  • Guided walkthrough
  • Vendors
  • Find counsel
  • Saved analyses

Reference

  • Scope by business model
  • Scope by jurisdiction
  • App ratings
  • Regulations
  • Compare regulations
  • Enforcement
  • Browse Controls
  • Vendor coverage
  • Radar
  • Pulse
  • Changelog
  • Guides
  • Regulatory updates
  • Open data
  • Corpus license
  • Ontology
  • State of Compliance

Solutions

  • For legal teams
  • For engineering
  • For executives
  • For law firms
  • For investors
  • For teams →

About

  • About Magist
  • Methodology
  • Editorial standards
  • Reviewers
  • Coverage status
  • Corrections
  • Trust
  • Coverage scope
  • How we handle data
  • Sub-processors
  • FAQ

Built by Neel Patel, a practicing in-house games attorney. Games touch more compliance domains at once than anything else in tech — Magist was designed around that.

Magist provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions. Operated by a Washington-licensed attorney. Not licensed in California or other US states. Magist provides legal information; consult a licensed attorney in your jurisdiction.

Magist is an instrument, not a consultancy. It does not sell compliance services or take payment from vendors for placement; the analysis is the same for everyone. No vendor, sponsorship, or referral fees, ever.

MethodologyLimitationsDisclosures

© 2026 Magist
TermsLicensePrivacySecurityLinkedIn