The CCPA Regulations require that businesses that buy, receive, sell, or share personal information about more than 10 million Californians disclose metrics within their privacy notices regarding the quantity of data subject requests that they received in the previous calendar year. Among other things, businesses must publicly report the number of access and deletion requests that the business denied.1
A review of the websites of the Fortune 500 indicates that only one healthcare company disclosed its data subject request metrics. While the limited quantity of companies that reported metrics makes extrapolating trends or conclusions impossible, extrapolation is further complicated as the one company that reported its volume of access and deletion requests chose not to indicate the percentage of those requests that were granted or denied.
1 Cal. Code Regs. tit. 11, § 999.317(g) (2021).