July 1 Deadline Approaching — Do You Need To Comply with the CCPA’s Request Metrics Reporting Requirement?


The CCPA requires businesses over a certain threshold to disclose certain metrics about their CCPA compliance by July 1. 

This rule applies to a business “that knows or reasonably should know that it, alone or in combination, buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 10,000,000 or more California residents in a calendar year.”

If this rule applies to your business, be aware that by July 1 the CCPA requires compiling and publishing the following metrics for the previous calendar year:

  • The number of requests to know that the business received, complied with in whole or in part, and denied;

  • The number of requests to delete that the business received, complied with in whole or in part, and denied;

  • The number of requests to opt-out that the business received, complied with in whole or in part, and denied; and

  • The median or mean number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out.

  • A business may also choose to disclose the number of requests it denied in whole or in part because the request was not verifiable, was not made by a consumer, called for information exempt from disclosure, or was denied on other grounds.

If applicable, these disclosures should be included in your public-facing California Privacy Notice.