Enforcing HOA Data Retention Policies
With all the changes in consumers' data privacy rights concerning personal data collected by businesses, you may hear a lot of advice about building a solid data retention policy. What HOA boards and members also need to know, however, is how to enforce a data retention policy once it exists.
Why Have a Data Retention Policy?
Compliance, legal, and regulatory reasons abound for adopting a data retention policy, whether to keep the HOA in compliance with agency or legislative mandates or to stay prepared in the event of litigation. Here are a few examples of legislation and standards that include data retention requirements:
- Fair Labor Standards Act (minimum wage, hours, and recordkeeping requirements),
- Payment Card Industry Data Security Standard (PCI DSS) (for HOA payments accepted via payment cards), and
- State Data Protection Laws (such as Texas' data security and breach notification laws or extensive data protection laws, like the CCPA).
The following sections suggest two ways an HOA can prepare to enforce this pivotal practice.
Select a Data Protection Officer or Data Controller Position
Since 2018, the European Union has had the most comprehensive consumer data protection rules. If a business falls under the purview of the European Union's (EU) expansive General Data Protection Regulation (GDPR), the law requires businesses of a specific size to hire or designate a Data Protection Officer to oversee their data collection, retention, and deletion policies. The law's global reach extends to businesses that collect personal data on EU persons, even if they collect and process that data outside the EU's borders; any business that collects private data from EU residents must designate a Data Protection Officer.
California leads the way in the data protection arena in the US. The California Consumer Privacy Act (CCPA), effective in 2020, does not require businesses to hire a Data Protection Officer, but it does require that data processors keep confidential all the data that a company collects and processes.
The California legislature passed the most recent iteration of California's data privacy laws, the California Privacy Rights Act (CPRA), in November 2020. CPRA builds upon the foundation set by CCPA and moves even closer to the bar set by GDPR. Although CPRA does not take effect until 2023, it makes significant changes to consumer protection law:
- Creates the California Privacy Protection Agency
- Creates a sensitive personal information classification
- Expands consumer rights and data controller compliance
California is moving toward a data protection model that may make it advisable for businesses subject to CCPA to select an IT or records management staff member, or assign a C-suite level person, to oversee compliance with the data protection aspects of their records retention policy.
To the extent that other states may follow California's lead, understanding the potential for expanded privacy laws in the HOA's jurisdiction is essential. As of June 2020, Texas did not have a data protection statute like CCPA, but that does not mean the state takes a lax view of data protection rights. In addition to a consumer's rights under federal law, Article I, Section 19 of the Texas Constitution protects a consumer's privacy rights from invasion.
Texas also recognizes common-law rights of privacy. Several statutes impose both civil and criminal penalties and provide for injunctions against violations of a person's privacy rights. For example, the Texas Business and Commerce Code requires businesses to adopt and maintain policies that protect personal data and sensitive financial information. Disclosure of Social Security numbers is restricted, and businesses must notify Texas residents when events indicate a compromise of their personal information.
Texas may not currently have laws governing the privacy policies of private business websites, and CCPA is the first privacy data protection law in the US with a global reach. However, it may only be a matter of time before Texas and other states follow California's lead, and a national data protection law becoming the law of the land is not beyond the realm of possibility. Knowledge enables preparation.
Proactively Manage Data Retention Policies With Third-Party Vendors/Providers
If the HOA partners with third parties that hold personal data collected from HOA members, the board members remain responsible for what happens to the data they share with those parties for processing. It is in the board's interest to ensure that third-party partners understand the rules and how to protect sensitive personal data. In addition to vetting prospective third-party partners, creating data retention questionnaires to share with them will go a long way toward managing data retention compliance, no matter where the data sits at any given point.
To learn more about privacy enforcement in the US, you may enjoy the November 2020 article from law.com entitled "Businesses Should Prepare For A New Phase of Privacy Regulation and Enforcement in the United States."