Skip to content

The CCPA Regulations require that businesses that buy, receive, sell, or share personal information about more than 10 million Californians disclose metrics within their privacy notices regarding the quantity of data subject requests that they received in the previous calendar year. Specifically, businesses must publicly report:

  • The number of access requests that the business received, complied with in whole or in part, and denied;
  • The number of deletion requests that the business received, complied with in whole or in part, and denied;
  • The number of do-not-sell requests that the business received, complied with in whole or in part, and denied; and
  • The median or mean number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt out. [1]

Based upon a review of the websites of the Fortune 500, 40.5% of Fortune 500 retailers have reported the metrics referenced in the CCPA Regulations.[2]


[1] Cal. Code Regs. tit. 11, § 999.317(g) (2021).

[2] Review was conducted in August 2021.