First came privacy “nutrition labels” for apps on Apple’s platforms. Next, on January 1, 2023, companies subject to the CPRA will be required to label the expiration dates for categories of collected personal data. This task has been overshadowed by enforcement of global privacy controls and other 2023 state mandates, but a recent FTC consent agreement with Drizly, LLC warns that U.S.-based regulators expect companies to measurably limit how long they keep consumer data. This article discusses practical compliance strategies to address this new yardstick for data minimization – as well as the implications of the FTC’s groundbreaking penalization of Drizly’s CEO for data security failures. See “Show Me the Data: How to Conduct Audits for Data Minimization” (Nov. 18, 2020).