
How to Document CCPA DSR Activity: The 24-Month Record-keeping Rule


Under CCPA, businesses must maintain DSR records for 24 months, logging date, type, channel, response, and denial basis. Large processors face additional reporting rules.


What is CCPA DSR documentation?

CCPA DSR documentation is the structured process of recording how a business receives, processes, and responds to consumer privacy requests under the California Consumer Privacy Act. The CPPA requires businesses to retain these records for at least 24 months.

In our previous articles, we explored what a CCPA data subject request looks like in practice and discussed the baseline DSR intake requirements. Those steps dictate how a privacy request begins. This article addresses the end of the lifecycle: documentation.

When managing data subject requests, fulfilling the consumer’s request is only part of the obligation. Regulators expect organizations to show how the request was handled through structured record-keeping.

The 24-month rule: CCPA record-keeping requirements

The California Consumer Privacy Act requires businesses to maintain records of consumer requests and how they responded for at least 24 months. This record-keeping obligation appears in the CCPA and related regulations governing request handling and business record retention: Cal. Civ. Code § 1798.130 sets the core disclosure and response framework for consumer requests, while the CCPA regulations require businesses to keep request records for 24 months.

This is not a minor administrative detail. In a September 2025 enforcement update, the CPPA reported 8,265 consumer complaints received between July 6, 2023 and September 8, 2025, and identified the right to delete and issues involving the collection, use, storing, or sharing of personal information among the most common complaint categories.

That makes request documentation and retention a practical audit issue, not just a back-office task.

Required fields for a CCPA DSR log

To satisfy CPPA requirements, a business must capture specific data points for every request. A simple “completed” status is not sufficient.

A structured DSR log should include:

| Log Data Point | Description | Example | Where to log it |
|---|---|---|---|
| Date of request | The exact date the consumer initiated the request | October 12, 2026 | |
| Nature of request | The specific right exercised | Request to delete | |
| Manner of request | The intake channel used | Web form / toll-free number | |
| Date of response | When the request was completed or denied | November 1, 2026 | |
| Nature of response | Outcome of the request | Fulfilled in part | |
| Basis for denial | Legal or factual reason for denial | Legal retention obligation | |

How CCPA limits the use of personal information in DSR records

The personal information collected to fulfill and document a request is subject to strict purpose limitations.

Information stored for record-keeping cannot be reused for unrelated purposes such as marketing or profiling. It may only be used to process the request, maintain records, or improve internal handling procedures.

Example:

  • Compliant scenario:
    A business stores a consumer’s email address in its DSR log to demonstrate verification and fulfillment history.
  • Non-compliant scenario:
    The same email address is added to a marketing campaign list after the request is completed.

This distinction is critical. Mixing DSR records with marketing or CRM systems can create unintended regulatory exposure.

Additional reporting requirements for businesses handling 10,000,000+ consumers

Businesses that buy, receive, sell, or share the personal information of 10,000,000 or more consumers per calendar year must meet additional reporting obligations.

These organizations must publish aggregated request metrics in their privacy policy and update them by July 1 each year, which means July 1, 2027 is the next deadline for compliance.

Required disclosures include:

| Required metric | Request types to track |
|---|---|
| Total received | Requests to delete, correct, know, opt out, and limit |
| Total complied with | Requests fulfilled in whole or in part |
| Total denied | Requests refused |
| Response time | Average or median days to respond |

These reporting obligations extend the role of documentation beyond internal tracking into public transparency.

Common record-keeping mistakes in CCPA request management

Operational gaps often appear when documentation is handled manually or across disconnected systems.

Common issues include:

  • Failing to document the basis for denial: Logs must explain why a request was denied.
  • Using scattered systems: Requests tracked across emails, spreadsheets, and tickets become difficult to audit.
  • Violating purpose limitations: DSR data reused for marketing or analytics.
  • Not separating DSR records from customer databases: Mixing systems increases the risk of unintended data reuse.
  • Failing to retain records for the full 24 months: System migrations or data cleanup processes can result in lost records.

If you want to see where these breakdowns begin, review our related guides on common CCPA DSR mistakes and on automating CCPA DSR responses.

How Clym supports DSR documentation workflows

Documenting requests manually often leads to gaps in timestamps, missing fields, or inconsistent retention.

Clym provides a structured environment where each step of the request lifecycle is recorded as it happens.

When a consumer submits a request through the Clym Widget or Governance Portal, the system creates a case record that includes intake timing, request type, and submission channel. Inside the Control Center, teams can track response timelines, document outcomes, and record reasons for denial.

This approach supports key CCPA documentation requirements, such as maintaining request history, tracking response timing, and preserving records over the 24-month period. It also reduces reliance on spreadsheets and disconnected systems.

Frequently asked questions

A business must maintain records of consumer privacy requests, along with details of how it responded, for at least 24 months.

The log must capture the date of the request, the nature of the request, the intake method, the response date, the outcome, and the basis for denial where applicable.

No. Information collected for DSR processing and documentation cannot be reused for unrelated purposes such as marketing.

The business must still document the request and clearly state the reason for denial in its records.

Yes. Businesses handling data from 10 million or more consumers must publish annual request metrics in their privacy policy.

Regulators may investigate failures to maintain required records. Civil penalties for intentional violations can reach $7,500 per violation under the CCPA.

Service providers operate under contractual obligations with the business, but the primary record-keeping responsibility rests with the business that receives the consumer request.

Alex Margau

Content Manager

Alex is a Content Developer at Clym, where he researches and writes about everything related to data privacy and web accessibility compliance for businesses, helping them stay informed on their compliance needs and spreading awareness about making the web safer and more inclusive. When he’s not writing about compliance, Alex has his nose in a book or is hiking in the great outdoors.
