Skip to content

The CCPA Regulations require that businesses that buy, receive, sell, or share personal information about more than 10 million Californians disclose metrics within their privacy notices regarding the speed with which they respond to the data subject requests that they received in the previous calendar year. Among other things, businesses must report on the average or median number of days that elapse before they respond to Do Not Sell requests.1

Based upon a review of the websites of the Fortune 500, retailers spent an average of three days to respond to the Do Not Sell requests that they received.2 It is important to note, however, that there was a wide dispersion within the industry in the amount of time that was needed to respond to DNS requests. Specifically, some companies reported responding immediately whereas other companies responded in seven days. It is also worth noting that many companies did not clearly indicate whether they reported based upon their average or median response times.

1 Cal. Code Regs. tit. 11, § 999.317(g) (2021).

2 Review was conducted in August of 2021.