Target · Target Privacy Policy

Data Retention Practices

Medium severity
Share 𝕏 Share in Share 🔒 PDF

What it is

Target keeps your personal information for as long as it deems necessary for business or legal purposes, without specifying a maximum retention period for most data categories.

Consumer impact (what this means for users)

Target does not commit to specific maximum retention periods for your personal data, meaning your purchase history, browsing behavior, and other information could be retained for many years — you can request deletion to reset this by submitting a privacy request.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.
  • Delete Your Data
    Within 45 days
    Submit a deletion request through Target's privacy portal to require Target to delete personal information it holds about you. Target must respond within 45 days and confirm deletion or explain any applicable exceptions.

Cross-platform context

See how other platforms handle Data Retention Practices and similar clauses.

Compare across platforms →
Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

The absence of specific retention timeframes for different data categories means Target could retain your shopping history, behavioral data, and other personal information indefinitely, which creates ongoing data exposure risk.

View original clause language
We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements, and to provide you with our products and services.

Institutional analysis (Compliance & legal intelligence)

REGULATORY FRAMEWORK: CPRA §1798.100(a)(3) requires businesses to disclose retention periods for each category of personal information or the criteria used to determine retention. Vague 'as long as necessary' language may be insufficient under CPRA's specific disclosure requirements. GDPR Art. 5(1)(e) (storage limitation principle) requires data to be kept for no longer than necessary. FTC guidance on data minimization addresses indefinite retention as a deceptive practice risk.

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

  • FTC
    The FTC has enforcement authority over data retention practices under Section 5 and has cited excessive retention as a factor in data security enforcement actions.
    File a complaint →
  • State AG
    The California Privacy Protection Agency enforces CPRA requirements for specific retention period disclosures; California AG has concurrent enforcement authority.
    File a complaint →

Provision details

Document information
Document
Target Privacy Policy
Entity
Target
Document last updated
April 29, 2026
Tracking information
First tracked
April 27, 2026
Last verified
April 27, 2026
Record ID
CA-P-003626
Document ID
CA-D-00260
Evidence Provenance
Source URL
https://www.target.com/spot/privacy-policy
Wayback Machine
View archived versions →
SHA-256
03ccef46ce3082873d9ba2a43ad976db66be09778b35474f113cb5a73fe11416
Verified
✓ Snapshot stored   ✓ Change verified
How to Cite
ConductAtlas Policy Archive
Entity: Target | Document: Target Privacy Policy | Record: CA-P-003626
Captured: 2026-04-27 15:13:37 UTC | SHA-256: 03ccef46ce308287…
URL: https://conductatlas.com/platform/target/target-privacy-policy/data-retention-practices/
Accessed: May 2, 2026
Classification
Severity
Medium
Categories
Unknown

Other provisions in this document