Does the US have data retention laws?

Asked by: Pablo Conn I  |  Last update: March 31, 2026
Score: 4.7/5 (65 votes)

Yes, the U.S. has data retention laws, but they form a patchwork of federal and state regulations rather than one comprehensive statute. Requirements vary significantly by industry (for example, healthcare under HIPAA and finance under SOX) and by data type, with mandated retention periods ranging from a few years for some records to considerably longer for others, depending on legal, regulatory, and business needs.

Is data retention required by law?

The new law, the California Privacy Rights Act (CPRA), which goes into effect Jan. 1, 2023, goes further. It requires companies to disclose how long they keep each category of personal information or, if that's not possible, the criteria they use to determine retention periods.

Do all states require retention of records for only 6 years?

Retention rules: Federal HIPAA guidelines require retaining compliance documents (e.g., policies, risk assessments) for at least 6 years. Medicare-related records may need 7-10 years. State laws vary: Some states require retention for 3-11 years or longer, particularly for pediatric records.

Does the US have a data protection law?

The U.S. does not yet have a comprehensive federal consumer data protection law that covers all varieties of private data. But it does have several federal laws that protect specific data sets, such as the U.S. Privacy Act of 1974, HIPAA, COPPA, and the Gramm-Leach-Bliley Act.

What is the 7 year retention policy?

A 7-year retention policy requires keeping specific business records for seven years to meet IRS, SEC, and other regulatory requirements. Typical examples are tax-related documents (bad debt/worthless securities), financial statements, audit workpapers, and certain employment/HR files (such as promotion/discharge records). Keeping them for the full period prevents legal issues and streamlines audits, though some records need longer retention or permanent storage, as detailed in SEC.gov rules and IRS guidelines.



Can the IRS audit you after 7 years?

Yes, the IRS can audit you after 7 years, though it is rare. The standard assessment period is 3 years, extending to 6 years for significant income omissions (over 25%) or foreign assets over $5,000, and there is no limit for fraud or for returns that were never filed, so in those cases the IRS can go back indefinitely. While it usually focuses on the past few years, the IRS can reopen audits and sometimes asks you to sign waivers extending the assessment period, so keeping records longer than 3 years is wise.

What records must be kept for 6 years?

Records Retention Guideline #3: Keep tax records for 6 years

The IRS may go back 6 years to audit your tax returns for errors or incorrectly claimed deductions – so it's important that you keep all tax-related documents for that length of time, including: Bank records. Personnel and payroll records.

Which US states have data privacy laws?

At the time of publication, 20 U.S. states have enacted comprehensive consumer data privacy laws, which are detailed below.

  • California. ...
  • Colorado. ...
  • Connecticut. ...
  • Delaware. ...
  • Florida. ...
  • Indiana. ...
  • Iowa. ...
  • Kentucky.

Does the US have a law similar to GDPR?

While there is no GDPR US equivalent at the federal level, individual states, such as California, have implemented similar policies. Staying on top of local, federal, and international regulatory requirements is essential to your business staying compliant and avoiding hefty fines.

Is the USA GDPR compliant?

No, the U.S. as a whole doesn't "comply" with GDPR, because GDPR is an EU regulation, but U.S. companies must comply with it if they handle data of EU residents, a concept known as "extraterritorial scope". The U.S. has no single federal equivalent and relies instead on state laws like California's CCPA/CPRA. GDPR's reach means U.S. businesses serving EU customers must meet strict EU standards for data consent, privacy rights (such as access and erasure), and security, and they face hefty fines for non-compliance.

What records must be kept forever?

Keep Forever

  • Birth certificate or adoption papers.
  • Social Security cards.
  • Valid passports and citizenship or residency papers.
  • Marriage licenses and divorce decrees.
  • Military records.
  • Wills, living wills, powers of attorney, and retirement and pension plans.
  • Death certificates of family members.

What records should you keep for 7 years?

You generally need to keep tax-related records, supporting documents for tax returns (like W-2s, 1099s, and receipts), bank statements, cancelled checks, and payroll records for 7 years, especially to cover potential IRS audits or claims for worthless securities/bad debt deductions. Some records, like deeds or birth certificates, are kept indefinitely, while others (like pay stubs) might be kept for a shorter time.

What records need to be kept for 6 years?

You must keep records for 6 years from the end of the last company financial year they relate to, or longer if:

  • they show a transaction that covers more than one of the company's accounting periods.
  • the company has bought something that it expects to last more than 6 years, like equipment or machinery.

How long are you allowed to keep data?

You should only keep personal data for as long as you need it. There aren't any set time limits in data protection law because it depends on your situation.

What records need to be kept for 5 years?

If your business sells or disposes of an asset, you must keep records of the purchase, improvements, and sale for at least five years after the CGT event occurs. However, if the CGT event results in a capital loss, records must be kept for five years after the loss is claimed in a tax return.

Do all 50 states have data breach laws?

All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have laws requiring private businesses, and in most states, governmental entities as well, to notify individuals of security breaches of information involving personally identifiable information.

What is the difference between GDPR and CCPA?

GDPR requires companies to have legal basis before processing data about residents. CCPA does not. GDPR applies to all businesses that meet the legal basis requirement mentioned above. CCPA applies only to businesses with an annual gross revenue of more than $25 million.

What is the 2025 data privacy law?

In 2025, roughly half of states with existing privacy statutes—including Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and Kentucky—approved significant amendments that either expanded coverage to more businesses, refined key definitions, or enhanced regulator authority and enforcement tools.

Should I keep my 20 year old tax returns?

You generally don't need to keep 20-year-old tax returns, as the IRS recommends keeping records for 3 to 7 years. However, you should keep the actual return indefinitely as proof that you filed, especially if you might need it for mortgage applications or future tax verification. Keep supporting documents (W-2s, receipts) for 3-7 years or until you're sure they won't be needed, and shred them securely when you do dispose of them.

What is the federal record retention policy?

Per 2 CFR 200.334, “Financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, ...

What is the 17a 4 rule?

SEC Rule 17a-4 is a regulation issued by the U.S. Securities and Exchange Commission pursuant to its regulatory authority under the US Securities Exchange Act of 1934 (Known simply as the "Exchange Act") which outlines requirements for data retention, indexing, and accessibility for companies which deal in the trade or ...

What is the $600 rule in the IRS?

The IRS $600 rule refers to the reporting threshold for third-party payment apps (like PayPal, Venmo, and Cash App) for income from goods/services: above the threshold, they send Form 1099-K to you and to the IRS for payments over $600 in a year. The American Rescue Plan initially set this lower threshold for 2022 and beyond, but the IRS delayed implementation, keeping the old rule ($20,000 and 200+ transactions) for 2022 and 2023 and then phasing in a $5,000 threshold for 2024. Recent legislation then reverted the federal threshold back to the old $20,000 and 200+ transactions for 2023 and future years (as of late 2025/early 2026), aiming to reduce confusion.

What is most likely to trigger an IRS audit in 2025?

In 2025, the IRS is most likely to audit returns with unreported income, disproportionate deductions (especially high charitable donations or large business losses), math errors, claiming 100% business use of a vehicle, or issues with digital asset transactions and Schedule C (self-employment) filings, with high-income earners ($200k+) being a significant focus, though anomalies across income levels raise flags.