I don’t THINK I’m technically required to disclose those metrics (the threshold for the regulatory requirement is buying, receiving for commercial purposes, and/or selling personal information from 10 million or more consumers in a calendar year, and it would take some truly outlandish interpretation of the law’s definitions for me to come anywhere near that), but the extremely ominous warning email from the attorney general’s office put me in a “better safe than sorry” mood. (To be clear, it was a mass email not individually directed at me — I am, unhappily, on their CCPA mailing list — but it triggers a panic attack every single time.)
Figuring out how to calculate and present these metrics was challenging. The totals are not a big deal, but the disclosure requirements demand that you disclose the “median or mean” time it took you to “substantively” respond to each type of request, a term that the regulations don’t attempt to define. There are also some puzzling stipulations on distinguishing requests from “consumers” from requests from “all individuals”; I belatedly figured out that “consumers” probably means “California residents,” since the CCPA defines all natural persons who reside in California as “consumers.”
As with many aspects of these regulations, the disclosure requirements include a series of demands that are, as often as not, framed in ways that are not nearly as clear or understandable (to say nothing of practical) as the people who wrote the regulations seem to have thought. (For instance, I know that “mean” and “median” are not the same thing, but I’m not at all sure the attorney general’s office does.) Given that the potential consequences for even an accidental violation of any of the regulations to which they decide I’m subject are ruinously expensive, that is far from comforting.
Going through this much work and worry for a website for which I have created no new content in some time is really quite agonizing, so if you are annoyed by these updates, join the club!
(ETA: I originally called the applicable subsection “CCPA Request Metrics (Record-Keeping Disclosures)”; I renamed it to “California Privacy Request Metrics (Record-Keeping Disclosures)” on October 3, 2021, thinking that name might be a bit less opaque.)