Target keeps your personal information for as long as it considers necessary for business, legal, or operational reasons, without specifying a defined maximum retention period for most data types.
This analysis describes what Target's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Open-ended retention language means Target does not commit to deleting your data after a fixed period, which has practical implications for the scope of data available for advertising, legal discovery, or potential data breaches over time.
Interpretive note: The adequacy of open-ended retention language under CPRA's specific retention schedule disclosure requirement is subject to ongoing regulatory interpretation by the California Privacy Protection Agency.
The removal of explicit data retention policy language eliminates transparency about how long personal data is maintained, which is a notable gap in privacy disclosures.
View full change record →Without defined retention periods for specific data types, your personal information, including purchase history, behavioral data, and inferences, may be retained indefinitely as long as Target identifies a legitimate business purpose. Consumers in states with privacy rights can submit deletion requests to remove data that is no longer necessary.
How other platforms handle this
We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention periods depend on the type of information and the purposes for which it is processed.
We keep information for as long as we need it to provide our products, comply with legal obligations, or for other legitimate purposes, such as to maintain safety, security, and integrity.
After your account is deleted, we keep data about interactions you've had on our service to prevent abuse, ban evaders and others in an effort to protect and ensure the safety and security of our service and our members.
Monitoring
Target has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We retain your personal information for as long as necessary to provide you with our products and services, to comply with our legal obligations, to resolve disputes, to enforce our agreements, and for other legitimate and lawful business purposes.— Excerpt from Target's Target Privacy Policy
1. REGULATORY LANDSCAPE: CPRA requires that personal information be retained only as long as reasonably necessary for each disclosed purpose, and the California Privacy Protection Agency has signaled enforcement interest in retention practices. GDPR's storage limitation principle requires that personal data not be kept in identifiable form longer than necessary for the specified purpose; this applies if Target processes EU residents' data. State comprehensive privacy laws in Virginia, Colorado, and Texas similarly require that data not be retained beyond what is necessary for disclosed purposes. 2. GOVERNANCE EXPOSURE: Medium. Open-ended retention language is common in retail privacy policies but creates risk if challenged under CPRA's data minimization and retention requirements, particularly for sensitive data categories such as biometric data, precise geolocation, and health information. The absence of specific retention schedules for specific data types may be insufficient to demonstrate compliance with CPRA's regulations. 3. JURISDICTION FLAGS: California CPRA regulations require retention schedules to be disclosed for each category of personal information. The CPPA has indicated that vague retention language may not satisfy this requirement. Illinois BIPA mandates specific retention and destruction schedules for biometric data, which should be publicly available. EU and UK GDPR require retention periods to be specified in the privacy notice. 4. CONTRACT AND VENDOR IMPLICATIONS: Service provider agreements should align with Target's retention policies and require deletion of consumer data at the end of the service relationship or upon consumer deletion requests. Vendors holding long-term data archives should be assessed for compliance with applicable state retention requirements. 5. COMPLIANCE CONSIDERATIONS: The compliance team should develop category-specific retention schedules that can be publicly disclosed, particularly for sensitive personal information categories. Automated deletion processes tied to the published retention schedules should be implemented and periodically audited. The biometric data retention and destruction schedule required by BIPA should be separately documented and publicly available.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Open-ended retention language means Target does not commit to deleting your data after a fixed period, which has practical implications for the scope of data available for advertising, legal discovery, or potential data breaches over time.
Without defined retention periods for specific data types, your personal information, including purchase history, behavioral data, and inferences, may be retained indefinitely as long as Target identifies a legitimate business purpose. Consumers in states with privacy rights can submit deletion requests to remove data that is no longer necessary.
ConductAtlas has identified this type of provision across 15 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Target.