The CCPA’s 12-Month Look Back Period May Extend Beyond That

Privacy & Cybersecurity Newsletter
June 2023

The California Consumer Privacy Act (“CCPA”) provides consumers various rights regarding their personal information including the right to know what personal information a business has collected about the consumer and the right to request that a business delete personal information that has been collected, subject to certain exceptions. (Cal. Code Regs. tit. 11, § 7011 (e)(2)(A)-(B)) The current CCPA regulations, which were finalized on March 29, 2023, modify what has commonly been referred to as “the look back period.” While a business is still required to provide “all personal information it has collected and maintains about the consumer during the 12-month period preceding the business’s receipt of [a request to know],” “[a] consumer may request that the business provide personal information that the business collected beyond the 12-month period, as long as it was collected on or after January 1, 2022, and the business shall be required to provide that information...” (Cal. Code Regs. tit. 11, § 7024 (h)) (Emphasis added.) Accordingly, the originally contemplated 12-month look back period[1] could in fact extend to as early as January 1, 2022 at the consumer’s request, regardless of when the request to know was made.

An extended look back period will certainly place more of a burden on businesses as the time period for which a business may be required to provide information that has been collected about a consumer would be longer than the originally contemplated 12-month period. By the same token, an extended look back period would impact businesses with respect to a consumer’s right to delete as it could be necessary to delete personal information collected from as early as January 1, 2022.

Notably, a business need not provide personal information extending beyond a 12-month period preceding a request to know if “doing so proves impossible or would involve disproportionate effort.” Id. If that is the case, the business is required to

[provide] the consumer a detailed explanation that includes enough facts to give a consumer a meaningful understanding as to why the business cannot provide personal information beyond the 12-month period. The business shall not simply state that it is impossible or would require disproportionate effort. Id.

Compounding the challenge for businesses, the so-called “personnel exemption” and business-to-business or “B2B exemption” to the CCPA expired on January 1, 2023. As a result, the personal information of employees, job applicants, officers, directors, owners, medical staff members, and independent contractors (“personnel”) and prospective business customers, vendors, and suppliers (“business contacts”) is now subject to the CCPA. For many businesses, the expiration of these exemptions meant that they needed to fully comply with the requirements of the CCPA for the first time.

Accordingly, personnel and business contacts may assert a request to know which could include a request that the business provide personal information that the business collected beyond the 12-month period, from as early as January 1, 2022. Businesses may want to ensure that their data inventory for personal information of personnel and business contacts extends to January 1, 2022.

It is important to note that the consumer rights of the CCPA and the regulations do not impose an obligation to retain personal information at all or for any particular time. The statute does require businesses to inform consumers, at or before the point of collection, as to “the length of time the business intends to retain each category of personal information,” (Cal. Civ. Code § 1798.100(a)(3)), but it does not mandate any time period. Therefore, although businesses may be required to provide, correct or delete a consumer’s personal information in response to a request, and although the personal information may have been collected prior to 12 months before the request, businesses are not required to retain information in the event that a consumer may request it.

Now would be a good time for businesses to revisit their information retention and destruction policies. Section 7002(a) restricts the ability to retain personal information beyond what is reasonably necessary and proportionate to achieve permitted purposes. In addition, minimizing data retention can avoid the additional burden on the data inventory, and on CCPA compliance procedures. However, any decision to delete data should comply with applicable employment law requirements as well as take into account any anticipated or pending litigation, which may require the retention of certain data.


[1] The proposed regulations provided: “Unless otherwise specified by the business to cover a longer period of time, the 12-month period covered by a consumer’s verifiable request to know referenced in Civil Code section 1798.130, subdivision (a)(2), shall run from the date the business receives the request, regardless of the time required to verify the request.”