(a) All individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with the CCPA shall be informed of all of the requirements in the CCPA and these regulations and how to direct consumers to exercise their rights under the CCPA and these regulations.
(b) A business shall maintain records of consumer requests made pursuant to the CCPA and how it responded to the requests for at least 24 months. The business shall implement and maintain reasonable security procedures and practices in maintaining these records.
(c) The records may be maintained in a ticket or log format provided that the ticket or log includes the date of request, nature of request, manner in which the request was made, the date of the business’s response, the nature of the response, and the basis for the denial of the request if the request is denied in whole or in part.
(d) A business’s maintenance of the information required by this section, where that information is not used for any other purpose, does not taken alone violate the CCPA or these regulations.
(e) Information maintained for record-keeping purposes shall not be used for any other purpose except as reasonably necessary for the business to review and modify its processes for compliance with the CCPA and these regulations. Information maintained for recordkeeping purposes shall not be shared with any third party except as necessary to comply with a legal obligation.
(f) Other than as required by subsection (b), a business is not required to retain personal information solely for the purpose of fulfilling a consumer request made under the CCPA.
(g) A business that knows or reasonably should know that it, alone or in combination, buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 10,000,000 or more consumers in a calendar year shall:
(1) Compile the following metrics for the previous calendar year:
a. The number of requests to know that the business received, complied with in whole or in part, and denied;
b. The number of requests to delete that the business received, complied with in whole or in part, and denied;
c. The number of requests to opt-out that the business received, complied with in whole or in part, and denied; and
d. The median or mean number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out.
(3) Establish, document, and comply with a training policy to ensure that all individuals responsible for handling consumer requests made under the CCPA or the business’s compliance with the CCPA are informed of all the requirements in these regulations and the CCPA.
(h) A business may choose to compile and disclose the information required by subsection (g)(1) for requests received from all individuals, rather than requests received from consumers. The business shall state whether it has done so in its disclosure and shall, upon request, compile and provide to the Attorney General the information required by subsection (g)(1) for requests received from consumers.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.120, 1798.130, 1798.135 and 1798.185, Civil Code.