Walgreens keeps your personal data for as long as needed for business purposes, legal requirements, or to defend potential lawsuits, without specifying a maximum retention period.
This analysis describes what Walgreens's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The absence of specific retention periods for sensitive data categories including health and financial information means consumers cannot determine how long their most sensitive data will be held.
Interpretive note: Whether this provision satisfies CCPA and CPRA's retention disclosure requirements depends on regulatory interpretation of whether criteria-based disclosure is sufficient or whether specific timeframes are required by category.
Your personal data including health, financial, and pharmacy records may be retained indefinitely under the broad justifications provided, since no specific maximum retention periods are disclosed for most data categories.
How other platforms handle this
We retain personal data for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements, to resolve disputes, and to enforce our agreements. The criteria used to determine our retention periods include: the length of ...
We may retain de-identified or aggregated information that can no longer be used to identify you for any period of time, including indefinitely.
We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements, or as otherwise permitted or required by applicable law.
Monitoring
Walgreens has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for fraud prevention purposes.— Excerpt from Walgreens's Walgreens Privacy Policy
REGULATORY LANDSCAPE: CCPA and CPRA require that privacy policies disclose retention periods or the criteria used to determine retention periods for each category of personal information. HIPAA establishes specific retention requirements for medical records. State consumer privacy laws in Colorado, Virginia, and others similarly require disclosure of retention practices. Regulators in California have scrutinized vague retention disclosures as potentially non-compliant with CCPA disclosure requirements. GOVERNANCE EXPOSURE: Medium. The provision's broad justifications for retention without specific timeframes may not satisfy CCPA and CPRA's requirement to disclose retention periods or criteria by category. Indefinite retention of sensitive health and financial data increases the risk profile for data breach incidents. JURISDICTION FLAGS: California CPRA requires specific retention period disclosures by data category. Colorado and Virginia privacy laws have similar requirements. HIPAA imposes specific retention schedules for medical records that may vary by state. Heightened exposure in California for CPRA compliance. CONTRACT AND VENDOR IMPLICATIONS: Service provider and vendor contracts should align with Walgreens' stated retention practices and specify deletion obligations upon contract termination. Data processing agreements should include deletion or return of personal information provisions consistent with applicable retention requirements. COMPLIANCE CONSIDERATIONS: Compliance teams should assess whether current retention period disclosures satisfy CCPA and CPRA's category-specific disclosure requirements; develop and document retention schedules for each personal information category including health, financial, and geolocation data; implement automated deletion processes where retention periods are met; and review vendor and service provider contracts for aligned retention and deletion obligations.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The absence of specific retention periods for sensitive data categories including health and financial information means consumers cannot determine how long their most sensitive data will be held.
Your personal data including health, financial, and pharmacy records may be retained indefinitely under the broad justifications provided, since no specific maximum retention periods are disclosed for most data categories.
ConductAtlas has identified this type of provision across 115 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Walgreens.