Happy CCPA Metrics Day! As of today, July 1, 2021, certain businesses are required by the California Consumer Privacy Act to report how many data subject requests they process, what types they receive, and how long it takes them to resolve the requests. This reporting now has to happen every year, covering the previous calendar year. The National Law Review and IAPP have both published solid write-ups. Here’s DataGrail’s take.
Which Businesses Have to Report on Metrics for CCPA?
Not every business subject to the CCPA has to report on these metrics. (You probably already know if your business is subject to the CCPA, but if not, take our CCPA/CPRA quiz to find out.)
Only businesses with PII records of 10 million or more California residents are required to report metrics, specifically when a business “knows or reasonably should know that it, alone or in combination, buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information.”
(Remember that the overall threshold for the CCPA compliance is having PII on 50,000 consumers, a far cry from 10 million.)
What Are the CCPA Metrics Required?
The metrics all concern the data subject requests a business receives.
Types of requests that must be reported on:
- Requests to know (aka access requests or DSARs)
- Requests to delete
- Requests to opt out (aka “Do Not Sell” requests)
The data you have to report for each type of request:
- How many requests the business received
- How many requests were complied with, in whole or in part
- How many requests were denied
- The mean or median number of days within which the business “substantively responded”
What Are These Metrics For?
As with any regulation, some folks will likely view the metrics requirement as just another hoop for businesses to jump through. However, the California Office of the Attorney General published its Final Statement of Reasons (FSOR), in which it noted that it had already raised the reporting threshold from 4 million to 10 million to make things easier on smaller businesses. It also noted a few more reasons these metrics are important:
- Compliance: Are businesses fulfilling requests within 45 days, as required by the CCPA?
- Are too many requests being systematically denied? As the OAG calls out in the FSOR, this could indicate a company making the exercise of privacy rights too “difficult to understand or unnecessarily complicated,” which is essentially saying a bad user experience around DSRs could be a violation of CCPA.
- Transparency is in the public interest: The OAG recognizes that the metrics will “enable academics, consumer advocates, business groups, and others to research and analyze this data.” Privacy has obviously become a key part of the public discourse, which means many different groups have a stake in understanding how customers are exercising their newfound privacy rights, and how businesses are responding.
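To make the reporting requirement concrete, here is an added Python example (it is not DataGrail’s code and not anything from the regulation itself) that computes the per-type counts and mean/median response times listed above from a constructed request log, and separately flags requests that exceeded the 45-day window mentioned under Compliance. The log schema, the field names, the use of the substantive-response date as the end of the clock, and the rule that still-open requests count as received but are excluded from the outcome and timing figures are all assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Optional

# Request categories the CCPA regulations require metrics for.
REQUEST_TYPES = ("know", "delete", "opt_out")
# Statutory response window in days, as cited in the text above.
RESPONSE_DEADLINE_DAYS = 45
# Reference date used when checking still-open requests (constructed value).
AS_OF = date(2021, 1, 15)


@dataclass(frozen=True)
class DSR:
    """One data subject request as it would appear in a request log (assumed schema)."""
    request_id: str
    request_type: str          # one of REQUEST_TYPES
    received: date             # date the request was received
    responded: Optional[date]  # date of substantive response; None if still open
    outcome: Optional[str]     # "complied", "partial", "denied", or None if still open


def ccpa_metrics(requests, year):
    """Per-type metrics for one calendar year of requests.

    Requests received in `year` with no substantive response yet are counted as
    received but excluded from the complied/denied counts and the timing stats,
    so the report never claims an outcome or a duration that does not exist yet.
    """
    metrics = {}
    for rtype in REQUEST_TYPES:
        in_year = [r for r in requests if r.request_type == rtype and r.received.year == year]
        responded = [r for r in in_year if r.responded is not None]
        days = [(r.responded - r.received).days for r in responded]
        metrics[rtype] = {
            "received": len(in_year),
            # "complied in whole or in part" covers both full and partial compliance
            "complied": sum(1 for r in responded if r.outcome in ("complied", "partial")),
            "denied": sum(1 for r in responded if r.outcome == "denied"),
            "mean_days": round(mean(days), 1) if days else None,
            "median_days": median(days) if days else None,
        }
    return metrics


def overdue_requests(requests, today):
    """Ids of requests whose substantive response took, or has so far taken, more than 45 days."""
    overdue = []
    for r in requests:
        end = r.responded if r.responded is not None else today
        if (end - r.received).days > RESPONSE_DEADLINE_DAYS:
            overdue.append(r.request_id)
    return overdue


# Constructed sample log for reporting year 2020 (not real data).
SAMPLE_LOG = [
    DSR("r1", "know", date(2020, 1, 10), date(2020, 1, 30), "complied"),   # 20 days
    DSR("r2", "know", date(2020, 3, 5), date(2020, 4, 25), "partial"),     # 51 days, over deadline
    DSR("r3", "know", date(2020, 6, 1), date(2020, 6, 15), "denied"),      # 14 days
    DSR("r4", "delete", date(2020, 2, 14), date(2020, 3, 1), "complied"),  # 16 days (leap year)
    DSR("r5", "delete", date(2020, 12, 20), None, None),                   # still open
    DSR("r6", "opt_out", date(2020, 5, 5), date(2020, 5, 6), "complied"),  # 1 day
    DSR("r7", "opt_out", date(2020, 7, 9), date(2020, 7, 12), "complied"), # 3 days
    DSR("r8", "opt_out", date(2019, 12, 30), date(2020, 1, 5), "complied"),  # received in 2019, excluded
]

if __name__ == "__main__":
    for rtype, m in ccpa_metrics(SAMPLE_LOG, 2020).items():
        print(rtype, m)
    print("over 45 days:", overdue_requests(SAMPLE_LOG, AS_OF))
```

The two functions are kept separate on purpose: the annual report only needs the counts and the mean or median, while the overdue check is an operational control you would run continuously, since a request that is still open is already at risk of missing the window before it ever shows up in a yearly figure.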
From our point of view, this reporting ultimately comes down to providing transparency in order to build brand trust. Even if your business isn’t required to publish these metrics, your team should still consider doing so.
As DataGrail’s advisor, Steve Zalewski, CISO at Levi’s, has noted, compliance with regulations like the GDPR and the CCPA is an opportunity to prove, in a tangible way, that your brand is committed to your customers’ privacy. It’s all well and good to say “we believe in privacy” on a web page. It’s another thing to back that up with an easy, fast user experience for people making data subject requests, and then to publish these metrics in an equally easy-to-use location and format.
If you’re a DataGrail customer already, feel free to reach out to your customer success manager to review this new requirement.
If you’re not yet a DataGrail customer, and you’re thinking about how your privacy solution can set you up for success for CCPA compliance, including metrics reporting, let’s talk.