The CCPA Regulations require that businesses that buy, receive, sell, or share personal information about more than 10 million Californians disclose metrics within their privacy notices regarding the quantity of data subject requests that they received in the previous calendar year. Among other things, businesses must publicly report the number of access requests that the business denied.1
Based upon a review of the websites of the Fortune 500, retailers denied on average 21.3% of the access requests that they received.2 It is important to note, however, that there may be little standardization in how companies count “denials.” Specifically, two retailers could respond to an access request in the same manner, providing some personal information to the requesting data subject while withholding other information (e.g., information that might violate the privacy rights of third parties). One retailer might report that request as “denied” because of the partial denial, while the other might report the same request as “not denied” because of the partial grant. Another possible explanation for the denial rate may be that some retailers appear to be denying access requests from residents of states other than California – i.e., those that do not have a right of access under the CCPA. Those retailers may be including those denials when reporting denial rates under the CCPA.
1 Cal. Code Regs. tit. 11, § 999.317(g) (2021).
2 Review was conducted in August of 2021.