The deadline is fast approaching for businesses that buy, receive, sell, or share the personal information of 10 million or more California consumers to report their California Consumer Privacy Act (“CCPA”) rights requests metrics. On July 1, 2021, these businesses must report certain data (outlined below) in their privacy policy or elsewhere online accessible via a link in their privacy policy.
Section 999.317(g) of the CCPA’s implementing regulations (“Regs”) imposes these public reporting requirements to any business that is subject to the CCPA and “that knows or reasonably should know that it, alone, or in combination, buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 10,000,000 or more consumers in a calendar year.” Specifically, the CCPA requires these businesses to collect and ultimately disclose certain metrics (that Bytes has previously covered: here and here, such as:
-
The number of requests to know that the business received, complied with in whole or in part, and denied;
-
Note: Under the CCPA, consumers have the right to know what personal information a business collects about them, and how it is used and disclosed and for what purposes, and to obtain transportable copies of their personal information.
-
-
The number of requests to delete that the business received, complied with in whole or in part, and denied;
-
The number of requests to opt-out that the business received, complied with in whole or in part, and denied; and
-
The median or mean number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out.
In doing so, a reporting business has the option to disclose statistics as to all individuals, as opposed to only consumers, but must explain that in its notice and have consumer-specific reporting statistics available for inspection by the Attorney General. A reporting business my, but is not required to choose to also identify the number of requests denied because the request was not verified, not made by a consumer, called for information exempt from disclosure, or was denied on other grounds.
While these publication requirements are limited to businesses that meet the reporting thresholds, Regs Section 999.317(b) and (c) require all businesses that are covered by the CCPA to maintain as business records at least the date, nature and method of each request and the date and nature of response, (including the basis for in denial, in whole or in part), for a minimum of 24 months (the statute of limitations is 4 years, so that longer period is a reasonable retention term).
The first reporting deadline, applicable to calendar year 2020, is July 1, 2021. Relatedly, Regs Section 999.317(g)(5) also requires businesses that meet the reporting thresholds to establish, document, and comply with a training policy to ensure that all individuals responsible for handling consumer requests made under the CCPA are informed of all CCPA requirements. All businesses, regardless of the public reporting thresholds, are responsible for informing persons responsible for handling privacy inquires of CCPA compliance of all of the requirements of the CCPA and how to direct consumers on how to exercise their rights. A documented training program would establish this more general obligation was met and accordingly is recommended for all businesses.