The California Consumer Privacy Act (CCPA), California Civil Code §1798.100 and following, does not in itself outline specific training and record-keeping requirements that demonstrate business compliance with consumer requests. However, in October 2019, the California attorney general proposed additional CCPA Regulations intended to guide the application of the CCPA, and Section 999.317 of the proposed Regulations aims to detail what additional behaviors (such as training) and records are required under the CCPA for consumer requests.
Specifically, the proposed Regulations require that people who handle inquiries related to a business’s privacy practice or CCPA compliance be trained in all aspects of the CCPA, including the proposed Regulations. This expands a lesser requirement in the CCPA that originally required these individuals to understand only certain applicable portions of the CCPA. The proposed Regulations also require training that includes explanations to consumers of how they can exercise their CCPA rights (which would in turn incorporate the rights in the proposed Regulations). To accomplish this, businesses would therefore be required to develop, document and comply with a CCPA training policy.
To demonstrate compliance with the CCPA and the proposed Regulations, the proposed Regulations also specify record-keeping requirements, where required documentation should not be used for any other purpose. In short, affected businesses must document all CCPA-related consumer requests received and all responses to such requests. This record-keeping can be in various formats (including ticket or log form) but must include the following:
- The request date
- The nature of the request (e.g., deletion, opt-out)
- How the request was made (e.g., in person, online)
- The response date
- The nature of the response (e.g., complied, denied, partially denied)
- If denied, the reason for denying the request
And helpfully, according to the statement of reasons explaining the proposed Regulations, maintaining such records as required, assuming the information is not used for any other purpose, does not violate the CCPA. In addition, businesses are not otherwise required to keep any other information for purposes of demonstrating compliance with CCPA-related consumer requests.
The stated goal of the attorney general is to balance the need to prove compliance with the need to delete personal information upon request. The proposed Regulations aim to minimize the amount of data businesses need to keep in order to show compliance and to prevent businesses from using record-keeping as an excuse to avoid deletion obligations. While the consumer request records discussed above must only be retained for a minimum of 24 months, the statute of limitations for CCPA enforcement may be as long as four years – therefore businesses might consider retaining records for a longer length of time.