How to Document and Audit CCPA Compliance
You must maintain CCPA compliance records for 24 months, including the date of each request, what rights the consumer exercised, the contact method the consumer used to make the request, the date of your response, the nature of your response, and your basis for denying a request if you denied the request in whole or in part. If you receive a request to delete personal information, do not delete your associated compliance records.
Tools to Track Compliance
You can use a spreadsheet to keep track of consumer requests if you wish. To employ best practices, use privacy compliance tracking software from vendors like CCPA Toll Free, TrustArc and Securiti.ai. Readers who watch our video training course at CCPAfreetraining.com and obtain our training certificate will receive a 20% discount on CCPA Toll Free’s solution. Note that you can sign up for a CCPA Toll Free trial account, with no credit card required, using the link at the top of this page.
Additional Security Measures
You must use reasonable security measures to protect your compliance records and you may only use them for compliance purposes.
- the number of requests to know, to opt out and to delete received;
- how many requests you complied with;
- how many requests you denied in whole or in part, including how many requests were unverifiable, not from a consumer, requested exempt information, or were denied for another reason; and
- the average number of days it took you to complete each type of request.
You can provide this information for all privacy requests or only for requests from California consumers, but if you aggregate, you must maintain separate internal records about California consumers.