The California Consumer Privacy Act (CCPA) has been in effect for over a year and a half, but certain requirements are still unfolding. As of July 1, 2021, the metrics reporting obligation took effect for certain organizations. 

Keep up with CCPA Compliance and Download: Your Guide to California Privacy Law Compliance 

What is the Metrics Reporting Requirement? 

The metrics reporting provision, or Section 999.317(g) of the Attorney General’s CCPA regulations, applies to any business that is subject to the CCPA and buys, receives for commercial purposes, sells, or shares for commercial purposes the personal information of 10 million or more California residents in a calendar year. 

Such businesses must compile metrics related to data processing for the previous calendar year and post it in the business’s privacy policy or on another website page that is linked from the privacy policy.  

Businesses subject to these requirements, must also document a training policy to ensure employees responsible for handling these requests or the business’s compliance with the CCPA are appropriately aware of and trained on the CCPA and the regulations. 

What information needs to be reported? 

Under Section 999.317(g) there are four metrics that need to be accounted for:  

  •  Requests to Know: The number ofrequests to knowthat the business received, complied with in whole or in part, and denied.  
  • Requests to Delete: The number ofrequests to deletethat the business received, complied with in whole or in part, and denied.  
  • Requests to Opt-Out: The number ofrequests to opt-outthat the business received, complied with in whole or in part, and denied.  
  • Provide theMedian or Mean: Number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out.

These metrics should be compiled for each calendar year. By July 1 of each calendar year, businesses should release the metrics for the previous calendar year on their privacy policy or posted to their website and accessible via a link in their privacy policy. 

Keep up with CCPA Compliance and Download: Your Guide to California Privacy Law Compliance 

How OneTrust Helps 

OneTrust Privacy Rights Management (DSAR) solution automates every step of the request process from intake to fulfillment, including data discovery, the redaction of sensitive information that shouldn’t be shared with the requestor, and robust reporting dashboards to track necessary metrics. The tool allows you to view, edit, and export executive dashboards and reports for internal and external review and benchmarking. You can also display metrics in your privacy policy through a pre-built report widget, making compliance with the CCPA metrics reporting requirement an automated part of your DSAR process. Customers can learn how to configure and optimize this feature on MyOneTrust 

Further Resources for CCPA Metrics Reporting: 


Follow OneTrust on LinkedIn, Twitter, or YouTube for the latest on ongoing CCPA compliance.