On July 1, 2021, the California Consumer Privacy Act ("CCPA") imposes a deadline on businesses that buy, receive, sell and/or share for commercial purposes the personal information of 10,000,000 or more California residents in a calendar year. Originally, the CCPA regulations had established a threshold of 4,000,000 consumers. The California Attorney General's Office increased the threshold to 10,000,000 consumers (which is approximately twenty-five (25) percent of California's entire population) after receiving feedback during public comment that the 4,000,000 threshold would inflict a substantial burden on small businesses. In the eyes of the California State Attorney General, the CCPA reporting requirement satisfies two goals: 1) it imposes regulations on large businesses most in need of oversight; and 2) it provides consumers with more transparency on how businesses acquire, maintain and/or sell their personal information.

What are the CCPA Reporting Requirements?

CCPA Reporting

The CCPA regulations require that a business that "knows or reasonably should know that it, alone or in combination," buys, receives, sells or shares the personal information of 10,000,000 or more California consumers in a calendar year, disclose certain metrics. A business that reaches this threshold must, by July 1 of every calendar year, either provide the following data in a subsection of its privacy policy, or post the information on its website and provide a link within its privacy policy:

  • The number of "requests to know" that the business received, complied with in whole or in part, and denied;
  • The number of "requests to delete" that the business received, complied with in whole or in part, and denied;
  • The number of requests to opt-out that the business received, complied with in whole or in part, and denied; and
  • The median or mean number of days within which the business substantively responds to requests to know, requests to delete, and requests to opt-out.

Additionally, the CCPA reporting requirement directs each such business to "establish, document, and comply with a training policy" in order to confirm that the business is educating its employees on CCPA policies and complying with all CCPA regulations. If it is easier for a business, it may decide to disclose information received from all individuals, rather than requests received just from consumers.

Consumer Data Privacy Laws

As we have previously blogged, California is only one of a handful of states (including Virginia, Nevada and Colorado (awaiting Governor signature)) that have passed consumer data privacy legislation. Until the federal government enacts legislation that will provide businesses with a more uniform set of rules, businesses will have to monitor state consumer data privacy law developments and be aware of upcoming deadlines.
