First CCPA Rights Requests Deadline Looms
Organizations that comply with the CCPA should be aware of an upcoming public reporting requirement deadline, one of the first deadlines under the relatively new law.
If they aren’t already aware, businesses that oversee consumer data in accordance with the California Consumer Privacy Act (CCPA) have an upcoming deadline on their calendar: July 1.
As part of the CCPA's regulations, on that date, any organization "that knows or reasonably should know that it, alone, or in combination, buys, receives for the business's commercial purposes, sells, or shares for commercial purposes the personal information of 10,000,000 or more consumers in a calendar year" is subject to the CCPA’s reporting obligations regarding consumer rights requests metrics.
The CCPA, referred to be many as the most comprehensive data privacy legislation passed in the U.S. to date so far, went into effect in 2020. Similar to the European Union’s General Data Protection Regulation or GDPR, the CCPA notably gave consumers the right to know whether their information is collected, used, or shared by an organization, the ability to delete data businesses collect, and the right to opt out of the sale of their data.
- The number of requests to know that the business received, complied with in whole or in part, and denied;
- The number of requests to delete that the business received, complied with in whole or in part, and denied;
- The number of requests to opt-out that the business received, complied with in whole or in part, and denied; and
- The median or mean number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out.
While this is the first reporting deadline for this regulation, it's worth noting that as far as the CCPA relates to record keeping, all businesses covered by the CCPA still need to maintain as business records the date, nature and method of each request and the date and nature of response, (including the basis for in denial) for a minimum of 24 months.
This requirement stems from Section 999.317 (b) and (c) of the CCPA.
The requests shouldn't be too onerous for businesses as the CCPA has hopefully made it easier for organizations to keep track of their data processing activities, including consumer information, to comply with the law and reporting needs like this.