The California Consumer Privacy Act (CCPA) does not in itself outline specific employee training or record-keeping requirements that demonstrate business compliance with the law. However, the California attorney general’s final CCPA Regulations, intended to guide the application of the CCPA, detail that specific types of employee training and record-keeping are required for CCPA compliance.

Specifically, the Regulations require that people who handle inquiries related to a business’s privacy practices, CCPA compliance or CCPA-related consumer requests be trained in all aspects of the CCPA, including the Regulations. This expands a lesser requirement in the CCPA that originally required these individuals to understand only certain applicable portions of the CCPA related to consumer requests. The Regulations also require training that includes explanations to consumers of how they can exercise their CCPA rights. To accomplish this, businesses are required to develop, document and comply with a CCPA training policy.

To demonstrate compliance with the CCPA, the Regulations also specify record-keeping requirements, where required documentation should not be used for any other purpose. In short, businesses must document all CCPA-related consumer requests received and all responses to such requests. This record-keeping can be in various formats (including ticket or log form) but must include the following:

  • The request date
  • The nature of the request (e.g., deletion, opt-out)
  • How the request was made (e.g., in person, online)
  • The response date(s)
  • The nature of the response (e.g., complied, denied, partially denied)
  • If denied, the reason for denying the request

If a business uses a verification method that includes signed consumer declarations made under penalty of perjury, the business must also retain the signed consumer declarations as part of the consumer request record-keeping obligation.

And helpfully, according to the Regulations, maintaining such records as required, assuming the information is not used for any other purpose, does not violate the CCPA. The Regulations restrict the use of these records to assessing and improving businesses’ CCPA compliance. Deletion records also may be used to ensure that consumers’ personal information remains deleted following a request. The records may not be shared with third parties absent a legal obligation to disclose the records. Businesses are not otherwise required to keep any other information for purposes of demonstrating compliance with CCPA-related consumer requests.

The stated goal of the attorney general is to balance the need to prove compliance with the need to delete personal information upon request. The Regulations aim to minimize the amount of personal information businesses need to keep in order to show compliance and to prevent businesses from using record-keeping as an excuse to avoid deletion obligations. While the consumer request records discussed above must be retained for a minimum of 24 months, the statute of limitations for CCPA enforcement may be as long as four years – therefore, businesses might consider retaining records for a longer time.

While the certainty is nice, the Regulations do place an additional burden on businesses that deal in large quantities of California consumer personal information. Businesses that buy, receive for commercial purposes, sell or share for commercial purposes the personal information of more than 10 million consumers in a calendar year must additionally compile annual metrics identifying the number of CCPA-related consumer requests received, complied with and denied, as well as the median or mean number of days it took for the business to provide a substantial response to each request. Businesses may also choose to disclose how many of these requests were denied for specific reasons (e.g., the request was not verifiable or not made by the consumer, or the personal information requested was exempt from disclosure). These metrics should be compiled separately for consumer requests to know, requests to delete and requests to opt out. This information must then be incorporated into the annual update of the business’s privacy policy or posted on its website – and be accessible via a link from the privacy policy – by July 1 of each year. Accordingly, if a business meets the threshold requirement in 2020, it must publish the required data by July 1, 2021.

Businesses will also want to keep an eye on a new law, the California Privacy Rights and Enforcement Act of 2020 (CPRA), which may be right around the proverbial corner. The CPRA is included on the November 2020 ballot in California and, if passed, will become operative on January 1, 2023, although it applies to personal information collected prior to that date. The CPRA includes additional considerations regarding how long businesses may keep records (no longer than necessary), the disclosure of record-retention periods to California consumers, and additional record-keeping requirements to be issued by the California Privacy Protection Agency (CCP Agency), a new enforcement agency contemplated by the CPRA.

The CCP Agency will issue and enforce regulations related to record-keeping. New regulations to be issued by the California AG under the CPRA will require businesses “whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security” to submit regularly to the CCP Agency “a risk assessment with respect to their processing of personal information.” Additionally, the CCP Agency must issue its own “regulations specifying record keeping requirements for businesses to ensure compliance with” the CPRA.

Under the CPRA, businesses must also inform California consumers at or before the point of collection of their information about “the length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine such period, provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.” For example, the CPRA specifically points to personal information used solely for verifying a consumer request as the type of information that should not be retained beyond when it is needed for verification purposes. Under the CPRA, a business’s “collection, use, retention, and sharing of a consumer’s personal information” must be both “reasonably necessary and proportionate to achieve” either the purpose for which the personal information was collected or another compatible purpose. These new necessity- and proportionality-based requirements introduced by the CPRA mean that businesses may need to take a fresh look at their data maps and retention schedules to identify redundant personal information and ensure nonessential personal information is removed from their systems on a regular basis.