I would just add that, in a lot of the discussion around the right to be forgotten, which we've termed “the right of erasure”, I think there's a lot of scope for consumers to have information removed from marketing databases in the future. The right that the Europeans are focusing on is really that, a lot less about trying to take your information off Google, and a lot more about, “I'm tired of getting ads based on what my preferences were 20 years ago.” There's a big scope for adding that to the act, that right to erasure. At the moment, privacy policies are written without it.
Nexopia, the company I was talking about, didn't have a retention policy. Nobody knew how long they were going to keep their personal information. That just leads to conflicts.
Yes, you should have a more specific retention policy; but yes, it should be backed up with the right to remove your data within the borders of constitutionality, freedom of expression, and all the things that people have mentioned.