If they aren’t already aware, businesses that oversee consumer data in accordance with the California Consumer Privacy Act (CCPA) have an upcoming deadline on their calendar: July 1.

As part of the CCPA's regulations, on that date, any organization "that knows or reasonably should know that it, alone, or in combination, buys, receives for the business's commercial purposes, sells, or shares for commercial purposes the personal information of 10,000,000 or more consumers in a calendar year" is subject to the CCPA’s reporting obligations regarding consumer rights requests metrics.

The CCPA, referred to be many as the most comprehensive data privacy legislation passed in the U.S. to date so far, went into effect in 2020. Similar to the European Union’s General Data Protection Regulation or GDPR, the CCPA notably gave consumers the right to know whether their information is collected, used, or shared by an organization, the ability to delete data businesses collect, and the right to opt out of the sale of their data.

The idea behind the obligations – outlined in Section 999.317(g) of the legislation - is mostly rooted in transparency. Businesses must post, either in its Privacy Policy or somewhere online with a link to it in their Privacy Policy, the following metrics from the last calendar year:

• The number of requests to know that the business received, complied with in whole or in part, and denied;
• The number of requests to delete that the business received, complied with in whole or in part, and denied;
• The number of requests to opt-out that the business received, complied with in whole or in part, and denied; and
• The median or mean number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out.

While this is the first reporting deadline for this regulation, it's worth noting that as far as the CCPA relates to record keeping, all businesses covered by the CCPA still need to maintain as business records the date, nature and method of each request and the date and nature of response, (including the basis for in denial) for a minimum of 24 months.

This requirement stems from Section 999.317 (b) and (c) of the CCPA.

The requests shouldn't be too onerous for businesses as the CCPA has hopefully made it easier for organizations to keep track of their data processing activities, including consumer information, to comply with the law and reporting needs like this.