The CCPA metrics reporting requirement: What you need to know

August 11, 2021

Blue and violet gradient

The California Consumer Privacy Act (CCPA) has been in effect for over a year and a half, but certain requirements are still unfolding. As of July 1, 2021, the metrics reporting obligation took effect for certain organizations.

Keep up with CCPA Compliance and Download: Your Guide to California Privacy Law Compliance

What is the Metrics Reporting Requirement?

The metrics reporting provision, or Section 999.317(g) of the Attorney General’s CCPA regulations, applies to any business that is subject to the CCPA and buys, receives for commercial purposes, sells, or shares for commercial purposes the personal information of 10 million or more California residents in a calendar year.

Such businesses must compile metrics related to data processing for the previous calendar year and post it in the business’s privacy policy or on another website page that is linked from the privacy policy. 

Businesses subject to these requirements, must also document a training policy to ensure employees responsible for handling these requests or the business’s compliance with the CCPA are appropriately aware of and trained on the CCPA and the regulations.

What information needs to be reported?

Under Section 999.317(g) there are four metrics that need to be accounted for: 

  • Requests to Know: The number of requests to know that the business received, complied with in whole or in part, and denied.  
  • Requests to Delete: The number of requests to delete that the business received, complied with in whole or in part, and denied.  
  • Requests to Opt-Out: The number of requests to opt-out that the business received, complied with in whole or in part, and denied.  
  • Provide the Median or Mean: Number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out.

These metrics should be compiled for each calendar year. By July 1 of each calendar year, businesses should release the metrics for the previous calendar year on their privacy policy or posted to their website and accessible via a link in their privacy policy.

Keep up with CCPA Compliance and Download: Your Guide to California Privacy Law Compliance

How OneTrust Helps

OneTrust Privacy Rights Management (DSAR) solution automates every step of the request process from intake to fulfillment, including data discovery, the redaction of sensitive information that shouldn’t be shared with the requestor, and robust reporting dashboards to track necessary metrics. The tool allows you to view, edit, and export executive dashboards and reports for internal and external review and benchmarking. You can also display metrics in your privacy policy through a pre-built report widget, making compliance with the CCPA metrics reporting requirement an automated part of your DSAR process. Customers can learn how to configure and optimize this feature on MyOneTrust

Further Resources for CCPA Metrics Reporting:

Follow OneTrust on LinkedIn, Twitter, or YouTube for the latest on ongoing CCPA compliance. 

You may also like


Consent & Preferences

Global Privacy Control: CCPA enforcement of GPC opt-out signals webinar

Watch this on-demand webinar to gain an overview of what Global Privacy Control (GPC) is, the benefits of the signal, and how it works.

October 30, 2022

Learn more


Privacy Management

Employee vs. consumer rights: Same concept, different reality

Join this webinar to learn about the rights request fulfillment complexities introduced by the end of the employee exclusion in the CPRA.

August 25, 2022

Learn more

White Paper

Privacy & Data Governance

How OneTrust helps with California privacy law compliance (CCPA & CPRA)

This guide to California privacy law compliance helps your organization understand the requirements under the CCPA and CPRA.

June 23, 2022

Learn more