How to Document and Audit CCPA Compliance

You must maintain CCPA compliance records for 24 months, including the date of each request, what rights the consumer exercised, the contact method the consumer used to make the request, the date of your response, the nature of your response, and your basis for denying a request if you denied the request in whole or in part. If you receive a request to delete personal information, do not delete your associated compliance records.

Maintain Records for 24 Months

Tools to Track Compliance

You can use a spreadsheet to keep track of consumer requests if you wish. To employ best practices, use privacy compliance tracking software from vendors like CCPA Toll Free, TrustArc and Readers who watch our video training course at and obtain our training certificate will receive a 20% discount on CCPA Toll Free’s solution. Note you can sign up for a CCPA Toll Free trial account with no credit card required using the link at the top of this page. 

Additional Security Measures

You must use reasonable security measures to protect your compliance records and you may only use them for compliance purposes. 

Businesses that process large volumes of consumer information are subject to additional record keeping requirements. If you process information from more than 10 million consumers in a calendar year, you must update your privacy policy annually to include certain information about the prior year:

  1. the number of requests to know, to opt out and to delete received;
  2. how many requests you complied with;
  3. how many requests you denied in whole or part, including how requests were unverifiable, not from a consumer, requested exempt information, or were denied for another reason; and
  4. the average number of days it took you to complete each type of request.

You can provide this information for all privacy requests or only requests from California consumers, but if you aggregate you must maintain separate internal records about California consumers.

Workflows for Responding to CCPA RequestsCCPA vs. COPPA: Working with Children’s Information