What should be done with consumers' PII after it is no longer needed?

The proper course of action for handling consumers' personally identifiable information (PII) once it is no longer needed is to delete or destroy it. This approach is crucial for protecting consumer privacy and complying with various data protection regulations, which mandate that PII should not be retained longer than necessary for the purpose it was collected. By deleting or destroying this information, organizations minimize the risks of unauthorized access, potential data breaches, and identity theft.

Storing PII unnecessarily in a secure database can still leave it vulnerable to breaches and unauthorized access. Returning PII to the consumer is not a standard procedure and can lead to complications regarding data ownership and the responsibility of safeguarding that information. Archiving PII for future reference is often inconsistent with privacy best practices, as it can lead to unnecessary retention of sensitive data that may no longer serve any legitimate purpose. Therefore, the most responsible option is to securely delete or destroy any PII that is no longer required.