The CCPA Regulations require that businesses that buy, receive, sell, or share personal information about more than 10 million Californians disclose metrics within their privacy notices regarding the speed with which they respond to the data subject requests that they received in the previous calendar year. Among other things, businesses must report the average or median number of days that elapse before they respond to Do Not Sell requests.1
A review of the websites of the Fortune 500 indicates that only one healthcare company disclosed its data subject request metrics. That company reported responding to DNS requests immediately (i.e., an average of “0” days to respond to such requests).
1 Cal. Code Regs. tit. 11, § 999.317(g) (2021).