I don’t THINK I’m technically required to disclose those metrics (the threshold for the regulatory requirement is buying, receiving for commercial purposes, and/or selling personal information from 10 million or more consumers in a calendar year, and it would take some truly outlandish interpretation of the law’s definitions for me to come anywhere near that), but the extremely ominous warning email from the attorney general’s office put me in a “better safe than sorry” mood. (To be clear, it was a mass email not individually directed at me — I am, unhappily, on their CCPA mailing list — but it triggers a panic attack every single time.)
Figuring out how to calculate and present these metrics was challenging. The totals are not a big deal, but the disclosure requirements demand that you disclose the “median or mean” time it took you to “substantively” respond to each type of request. There are also some mystifying stipulations on distinguishing requests from “consumers” from requests from “all individuals”; so far as I could see, the regulations don’t actually define either of these terms or explain how they’re supposed to be different for disclosure purposes, so I’m honestly unsure what they’re looking for.
As with many aspects of these regulations, the disclosure requirements include a series of demands that are, as often as not, framed in ways that are not nearly as clear or understandable (to say nothing of practical) as the people who wrote the regulations seem to have thought. (For instance, I know that mean and median are not the same thing, but I’m not at all sure the attorney general’s office does.) Given that the potential consequences for even an accidental violation of any of the regulations to which they decide I’m subject are ruinously expensive, that is far from comforting.
Going through this much work and worry for a website for which I have created no new content in some time is really quite agonizing, so if you are annoyed by these updates, join the club!