Do CCPA Section 7102 metrics apply if we had zero consumer requests?

Yes. Brokers must still publish metrics for the reporting period, including zero counts where applicable, and link the disclosure from the privacy policy by July 1. Absence of a metrics page is treated as non-compliance in diligence reviews.

Where must the metrics disclosure be linked?

Link it from the broker's privacy policy. Consumers and auditors should reach the metrics table without hunting through unrelated site sections. A dedicated trust or privacy subpage with stable URLs works best.

How should buyers use metrics in vendor selection?

Use the July 1 disclosure as primary evidence alongside AG registration, deletion SLAs, and propagation logs. Rising denials, slow response medians, or missing pages should trigger legal review before production joins. Use the RFP scorecard governance rows.

Are partner-handled CPRA requests counted on the broker's metrics?

Only requests directed to the broker under California's data broker rules belong on the broker's §1798.99.85 table. Partner CMP traffic may be separate, but buyers should still verify deletion propagation from broker to partners when consumers exercise rights against the broker.

What if our broker metrics URL broke after July 1?

Fix the link immediately and retain archives showing prior compliance. Enterprise customers may treat broken July links as a material governance defect in renewal cycles. Run quarterly link checks on privacy hubs, not only at annual registration renewals.

CCPA §7102 Metrics Disclosure 2026

California's data broker law requires annual metrics disclosure under Cal. Civ. Code §1798.99.85, commonly cited as CCPA Section 7102 in procurement packets. By July 1 each year, registered brokers must publish how many consumer requests they received in the prior calendar year (access, deletion, correction, opt-out of sale/sharing), how many they complied with in whole or in part, how many they denied, and the median or mean response time in days. Even brokers with zero requests still report. Silence is not compliance. Enterprise buyers licensing Core Email File, MAID Feed, or clickstream and web intent should treat the July 1 page as a primary diligence artifact, not a footnote. Read this alongside state broker registration diligence, data broker registration packet, and GSDSI sourcing methodology before you renew California-facing programs.

Key Takeaways

July 1 is a hard calendar gate: metrics must cover the prior calendar year and stay accessible from the broker's privacy policy.
Zero-request brokers still file: publish zeros explicitly; missing metrics pages trigger procurement red flags.
Metrics are broker-owned: downstream buyers cannot outsource verification to a partner CMP.
Response-time medians reveal operational maturity: double-digit day counts warrant deletion-propagation questions.
Link integrity matters: broken privacy-policy anchors fail both law and enterprise security questionnaires.

What §1798.99.85 Requires (Plain Language)

Section 1798.99.85 sits in California's data broker registration chapter. It sits next to but distinct from CPRA consumer rights enforced against everyday businesses. A data broker under California law sells personal information about consumers with whom the broker lacks a direct relationship. That definition covers most B2B identity, email, mobility, and intent resellers even when their customers are brands, not individuals. The metrics rule asks brokers to quantify how they operationalized consumer-facing rights directed at the broker itself: not only rights exercised on a publisher partner's site, but requests that landed on the broker's privacy inbox, web form, or registered agent.

The California Attorney General's data broker registration portal lists registrants and renewal deadlines; metrics disclosure is the public accountability layer on top of registration fees and statements. Buyers should capture a PDF or timestamped archive of the metrics page each July: brokers update registration annually, but procurement teams need year-over-year comparability when evaluating vendors for audience targeting or risk and fraud programs.

Requests received: count by type where the statute or CPPA regulations require segmentation.
Requests complied with: whole or partial fulfillment counts; partial compliance should be explained in footnotes.
Requests denied: include legal bases or exceptions cited.
Response time: median or mean days from receipt to action, as specified in implementing guidance.
Privacy-policy link: a conspicuous path from the policy consumers actually receive.

Zero-Request Reporting Is Still Reporting

Many brokers, especially those with thin consumer touchpoints, assume no inbound requests means no July 1 obligation. That is a common mistake. Zero is a reportable number. Publish a table showing zeros across categories, the reporting period, and contact information for submitting future requests. Buyers treat a missing page as either non-registration or an immature compliance program. For feeds built from licensed voter rolls, public records, and panel SDKs, zero requests may be common early in a broker's lifecycle. The disclosure still proves the broker tracked the metric.

Contrast zero broker-direct requests with high upstream deletion volume. A broker may show zero consumer emails while processing thousands of partner propagation deletes. Those operational stats belong in contract exhibits and DROP-style workflows, not in §7102 metrics, but buyers should ask both questions in the same diligence call. A mismatch is a red flag: zero on the public metrics page while still reselling global mobility with contested consent chains.

Confirm the broker appears on the AG registration list for the current year.
Locate the July 1 metrics URL linked from the privacy policy footer.
Archive the page; verify the reporting year matches the prior calendar year.
If all zeros, request written confirmation that no requests were mis-routed to partners only.
Compare response-time fields year over year after renewal.

Privacy Policy Link and Discoverability

The statute expects consumers to find metrics from the privacy policy, not buried in a PDF investor deck. Most teams use a dedicated /privacy/metrics or /trust/broker-metrics route linked in the policy's California data broker section with anchor text that names §1798.99.85. Avoid JavaScript-only tabs that fail prerender checks. Compliance pages should match the AI search readiness pattern so auditors and agents read the same HTML buyers see.

Broken links peak in the first week of July when brokers paste new tables but forget footer updates. Run automated link checks on privacy hubs quarterly, not only at renewal. If you sublicense broker data to ad platforms, require flow-down language that your privacy policy identifies upstream brokers and links to their metrics. Enterprise customers increasingly ask for subgraph transparency under CPRA service provider and third party labels.

The FTC's guidance on privacy and security programs is not California-specific, but FTC consent orders against data brokers emphasize clear consumer pathways. California metrics pages are where those pathways become auditable numbers.

Buyer Diligence: Questions Beyond the Table

The table tells you what happened. In diligence, ask why and what next. Request: (1) sample consumer request logs with redacted PII; (2) deletion propagation SLAs to partners; (3) training materials for privacy inbox staff; (4) escalation paths when a request implicates multiple SKUs (real estate data plus email on the same individual); (5) correction workflows when broker-enriched fields are wrong. Score responses in the RFP scorecard governance column, not only latency and match rate.

High request volume with high denial rates triggers legal review before pilot expansion. High volume with fast median response times but no downstream propagation evidence may indicate cosmetic compliance: the broker answered the consumer but left copies in activation segments. Cross-check against data licensing red flags on deletion and audit rights.

Ask for year-over-year deltas: spikes may follow news coverage or partner breaches.
Map request types to SKUs: deletion on mobility should not leave email keys active.
Verify multilingual notice if the broker serves California residents in Spanish or Chinese.
Confirm registered agent matches the entity on the contract, not a shell brand.

Operational Playbook for Brokers Before July 1

Strong programs start metrics tracking on January 1, not June 15. Tag privacy inbox tickets by request type at intake; reconcile partial fulfillments weekly; document denial codes aligned with CPRA exceptions. Publish draft tables internally in May for legal review. GSDSI, founded in 2018, maintains broker registration and California disclosures alongside privacy policy materials: buyers should expect the same discipline from any vendor handling statewide identity or intent volumes.

Engineering should expose metrics pages as static HTML with immutable URLs per year (/trust/broker-metrics/2025) so old links in procurement archives stay valid. Include a methodology footnote: how requests received via registered agent mail were counted, whether phone requests are included, and how duplicate requests were deduplicated. Transparency on methodology reduces back-and-forth during enterprise audits.

When metrics reveal rising deletion volume, treat it as a product signal: sources, consent, or notice may be misaligned. Fix upstream before the next July 1 cycle; buyers read trend lines as quality indicators, not only compliance checkboxes. Pair remediation with updated state broker registration diligence packets sent proactively to top accounts.

Sublicensees and clean-room participants should receive annual metrics attestations from upstream brokers. A downstream ad platform cannot answer enterprise security questionnaires about California broker posture with its own zeros while relying on unaudited feeds.

Board-ready summaries can cite §7102 compliance as one line in risk committees, but only when the underlying ticketing and propagation systems were audited, not when marketing published a static zero table without operational proof.

Frequently Asked Questions

Do CCPA Section 7102 metrics apply if we had zero consumer requests?: Yes. Brokers must still publish metrics for the reporting period, including zero counts where applicable, and link the disclosure from the privacy policy by July 1. Absence of a metrics page is treated as non-compliance in diligence reviews.
Where must the metrics disclosure be linked?: Link it from the broker's privacy policy. Consumers and auditors should reach the metrics table without hunting through unrelated site sections. A dedicated trust or privacy subpage with stable URLs works best.
How should buyers use metrics in vendor selection?: Use the July 1 disclosure as primary evidence alongside AG registration, deletion SLAs, and propagation logs. Rising denials, slow response medians, or missing pages should trigger legal review before production joins. Use the RFP scorecard governance rows.
Are partner-handled CPRA requests counted on the broker's metrics?: Only requests directed to the broker under California's data broker rules belong on the broker's §1798.99.85 table. Partner CMP traffic may be separate, but buyers should still verify deletion propagation from broker to partners when consumers exercise rights against the broker.
What if our broker metrics URL broke after July 1?: Fix the link immediately and retain archives showing prior compliance. Enterprise customers may treat broken July links as a material governance defect in renewal cycles. Run quarterly link checks on privacy hubs, not only at annual registration renewals.