July 23, 2021

Volume XI, Number 204

Advertisement

July 23, 2021

Subscribe to Latest Legal News and Analysis

July 22, 2021

Subscribe to Latest Legal News and Analysis

July 21, 2021

Subscribe to Latest Legal News and Analysis

First CA Consumer Rights Requests Metrics Reporting Due

The deadline is fast approaching for businesses that buy, receive, sell, or share the personal information of 10 million or more California consumers to report their California Consumer Privacy Act (“CCPA”) rights requests metrics. On July 1, 2021, these businesses must report certain data (outlined below) in their privacy policy or elsewhere online accessible via a link in their privacy policy.

Section 999.317(g) of the CCPA’s implementing regulations (“Regs”) imposes these public reporting requirements to any business that is subject to the CCPA and “that knows or reasonably should know that it, alone, or in combination, buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 10,000,000 or more consumers in a calendar year.” Specifically, the CCPA requires these businesses to collect and ultimately disclose certain metrics (that Bytes has previously covered: here and here, such as:

  • The number of requests to know that the business received, complied with in whole or in part, and denied;

    • Note: Under the CCPA, consumers have the right to know what personal information a business collects about them, and how it is used and disclosed and for what purposes, and to obtain transportable copies of their personal information.

  • The number of requests to delete that the business received, complied with in whole or in part, and denied;

  • The number of requests to opt-out that the business received, complied with in whole or in part, and denied; and

  • The median or mean number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out.

In doing so, a reporting business has the option to disclose statistics as to all individuals, as opposed to only consumers, but must explain that in its notice and have consumer-specific reporting statistics available for inspection by the Attorney General. A reporting business my, but is not required to choose to also identify the number of requests denied because the request was not verified, not made by a consumer, called for information exempt from disclosure, or was denied on other grounds.

While these publication requirements are limited to businesses that meet the reporting thresholds, Regs Section 999.317(b) and (c) require all businesses that are covered by the CCPA to maintain as business records at least the date, nature and method of each request and the date and nature of response, (including the basis for in denial, in whole or in part), for a minimum of 24 months (the statute of limitations is 4 years, so that longer period is a reasonable retention term).

The first reporting deadline, applicable to calendar year 2020, is July 1, 2021. Relatedly, Regs Section 999.317(g)(5) also requires businesses that meet the reporting thresholds to establish, document, and comply with a training policy to ensure that all individuals responsible for handling consumer requests made under the CCPA are informed of all CCPA requirements. All businesses, regardless of the public reporting thresholds, are responsible for informing persons responsible for handling privacy inquires of CCPA compliance of all of the requirements of the CCPA and how to direct consumers on how to exercise their rights. A documented training program would establish this more general obligation was met and accordingly is recommended for all businesses.

© Copyright 2021 Squire Patton Boggs (US) LLPNational Law Review, Volume XI, Number 167
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Alan L. Friel Data Privacy & Cybersecurity Attorney Squire Patton Boggs Los Angeles, CA
Partner

Alan Friel is the deputy chair of the firm’s Data Privacy & Cybersecurity Practice.

Alan is a thought leader in digital media, intellectual property, and privacy and consumer protection law, with three decades of relevant experience to address the intersection of law and technology.

Prior to joining the firm, Alan was a partner at a US law firm, where he led the US Consumer Privacy practice (in which he counseled clients on compliance with the California Consumer Privacy Act (CCPA) and other data privacy regimes), and the retail, restaurant and e-commerce industry...

213-689-6518
Associate

Katie Sharpless is a member of the Litigation Practice. She advises companies on complex business disputes.

Prior to joining the firm, Katie served as Judicial Extern to the Honorable Michael H. Simon, United States District Court, in Portland, Oregon. She also was a Submissions Editor and an Associate Editor on the Environmental Law Review. Katie also served as a research assistant, conducting extensive research on family separation and DACA litigation. She also helped draft articles, essays and book chapters on immigration law.

415-954-0254
Advertisement
Advertisement