You need a data retention plan. No really.

And not just in the European Union. In California too.

Commission Nationale de l’Informatique et des Libertés (CNIL) has fined messaging platform Discord 800,000 EUR for (non breach) GDPR violations.

Key points:

  • You need to develop and abide by a data retention plan to comply with GDPR, CPRA and other new state privacy laws, as well as Federal Trade Commission requirements (eg CafePress). Two years after last account activity was held to be reasonable. Three and five years were not.
  • You need to provide clear, granular disclosure regarding your data retention practices (specific periods or criteria for determining them). The revised Discord notice provides such disclosure.
  • If you use a known icon (like an X in the top right corner) for a different action than expected, you have to notify the users in advance. (Instead of leaving a Discord voice room, the X just put the application in the background. The user remained logged into the voice room with their conversations capable of being overheard. Discord has now set up a pop-up window when the window is closed for the first time to alert people connected to a voice room that the Discord application is still running and that this setting can be changed directly by the user.)
  • You must have adequate password requirements. 6 characters were not deemed sufficient. A policy deemed sufficient required a password of at least eight characters, with at least three of the four character types (lower case, upper case, numbers and special characters). After ten unsuccessful login attempts, the company required a captcha (question and answer, e.g. via a checkbox or an image selection) to be solved.
  • If you process a high volume of data and your services are used by minors, you need to conduct a DPIA.