iJuly 1, 2021 marks the deadline for certain businesses to comply with the metrics reporting obligations under the California Consumer Privacy Act of 2018 (“CCPA”) regulations. Section 999.317(g) of the regulations applies to any business that is subject to the CCPA and that knows or reasonably should know that it, alone or in combination, buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 10,000,000 or more California residents in a calendar year.
Businesses subject to the metrics reporting requirement must disclose by July 1 of every calendar year the following metrics for the previous calendar year:
-
The number of requests to know that the business received, complied with in whole or in part, and denied;
-
The number of requests to delete that the business received, complied with in whole or in part, and denied;
-
The number of requests to opt-out that the business received, complied with in whole or in part, and denied; and
-
The median or mean number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out.
The metrics must be disclosed in the business’s privacy policy or posted on the business’s website and accessible via a link in the business’s privacy policy. Businesses may choose to compile the metrics based on requests received from all individuals or requests received solely from consumers (i.e., California residents). In the event the business discloses metrics based on requests received from all individuals, the California Attorney General may request that the business provide to it the metrics based on requests from consumers.
