CCPA Record Keeping Requirements

ccpa record keeping
Print Friendly, PDF & Email

Despite the ongoing Covid-19 pandemic, the California Consumer Privacy Act (“CCPA”) enforcement date remains set at July 1, 2020. Readers of this blog know that we have been providing frequent updates on all things CCPA. In this post, we take a deep dive into the record keeping requirements contained in the CCPA.

What are the CCPA record keeping requirements?

Consumer Requests

Among other measures, the CCPA has codified California consumers’ rights to: 1) opt-out of the sale of their personal information to third parties; 2) request to know what personal information businesses have collected about them and how businesses have sold or disclosed that information to third parties; and 3) request that businesses delete personal information that has been collected from/about them. Businesses must comply with requests to opt-out no later than fifteen (15) business days from the date that the requests are received. If a business sells a consumer’s personal information after the request to opt-out has been received, but before that business has complied with the request, it must notify third parties that have received consumer personal information from the company in this interim period that the consumer has elected to opt-out and that these third parties may no longer sell that consumer’s personal information. Businesses must confirm receipt of right to know and deletion requests within ten (10) business days of receiving such requests and provide information as to how they will process these requests. Responses to such requests must be completed within forty-five (45) calendar days from the date that the subject requests were received. If necessary, businesses that are unable to respond to requests within the forty-five (45) calendar day period may take an additional forty-five (45) calendar days to respond, provided that they provide consumers with notice and explanation that an extension is required. 

CCPA Record Keeping Requirements

Section 999.317 of the CCPA regulations requires businesses to maintain records of all consumer requests and how those businesses responded to said requests for a period of at least twenty-four (24) months. The regulations are specific, detailing that “[t]he records may be maintained in a ticket or log format provided that the ticket or log includes the date of request, nature of request, manner in which the request was made, the date of the business’s response, the nature of the response, and the basis for the denial of the request if the request is denied in whole or in part.” While maintaining these CCPA records, businesses must implement “reasonable security procedures and practices.” Although not contemplated by the CCPA, the California Attorney General has endorsed the Center for Internet Security’s (“CIS”) twenty (20) CIS Controls as the standard for “reasonable security procedures and practices.” It is important for businesses to comply with these standards because the CCPA provides for a private right of action that allows consumers to sue businesses for data breaches.  In addition, businesses should only maintain these CCPA records for statutory compliance purposes, should not use same for marketing, and cannot share the constituent consumer information with any third party, unless required to do so in order to comply with a legal obligation. 

By now, businesses should already be CCPA compliant. If not, working diligently to ensure compliance by the July 1 enforcement date is a must. 

If you are interested in learning more about this topic or require assistance in connection with consumer data privacy compliance for your business, please email us at, or call us at (212) 246-0900.

The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney. 

Attorney Advertising

Related Blog Posts:

CCPA Regulations Revised, Again

CCPA Law: The Private Right of Action

CCPA Amended to Require California Data Broker Registration

David O. Klein

David O. Klein

David Klein is one of the most recognized attorneys in the telemarketing, technology, Internet marketing, sweepstakes and telecommunications fields. Skilled at counseling clients on a broad range of technology-related matters, David Klein has substantial experience in negotiating and drafting complex licensing, marketing and Internet agreements.

Schedule a Call
In The Know

Trending Topics

New York Sweepstakes Law blog- Klein Moynihan Turco

New York Sweepstakes Law: Are You Compliant?

Print Friendly, PDF & Email

In general, a lottery exists when entrants pay for the chance to win a prize. States alone reserve the right to administer lotteries. Businesses can eliminate one element of what would otherwise be an illegal lottery, in order to transform it into a legal promotional game. If the requirement to

TCPA surveys

An Ad or not an Ad: NY Weighs in on TCPA Surveys

Print Friendly, PDF & Email

Another day, another court decision that refines constitutes a Telephone Consumer Protection Act (“TCPA”) unsolicited fax advertisement. A Manhattan-based federal court recently issued a decision that removes faxed invitations to participate in a survey from the TCPA definition of advertisement. In drawing this distinction for TCPA surveys, the Court held

NY sports gambling law- Klein Moynihan Turco

Agreement Reached to Enact NY Sports Gambling Law

Print Friendly, PDF & Email

This week, Governor Andrew Cuomo and the New York State Legislature agreed to a budget deal that will bring mobile sports betting to the State through a unique NY sports gambling law.  Upon the Governor’s signature, NY sports gambling is primed to become the nation’s largest market. However, New York

UK and US Social Media Influencer Laws

UK and US Social Media Influencer Laws

Print Friendly, PDF & Email

In September of 2020, the United Kingdom’s (“UK”) Committee of Advertising Practice (“CAP”) reviewed the Instagram accounts of 122 UK-based social media influencers to determine whether content was being properly flagged as advertising in accordance with applicable social media influencer laws. This past March, the UK Advertising Standards Authority (“ASA”)

Share on facebook
Share on google
Share on twitter
Share on linkedin