When covered businesses collect personal information about employees and job applicants, the California Consumer Privacy Act (CCPA) requires them to comply with certain disclosure obligations.
Covered businesses need to prepare for major changes to the law, which were approved by California voters under Prop 24’s California Privacy Rights Act (CPRA). Most notably, a CCPA exception for employee and job applicant data will end on Jan. 1, 2023, giving employees and applicants the same CCPA rights that have applied to consumers since 2020.
The CPRA also will add new rights. Employers should be keenly aware of their obligations under the CCPA and CPRA, as litigation and enforcement actions are likely to increase, and the deadline to comply is fast approaching.
With so many requirements to review, you may have missed a lesser-known, but important, obligation to provide sufficient training to everyone who is responsible for your CCPA and CPRA compliance measures, or for handling consumer inquiries about your privacy practices.
What Are the Current Training Requirements?
Under the CCPA, which took effect on Jan. 1, 2020, covered businesses must ensure that all individuals responsible for the business’s compliance with the CCPA or handling the business’s response to consumer inquiries about privacy practices are informed of all applicable CCPA requirements. This includes knowing how to direct consumers to exercise their rights under the CCPA.
The CCPA regulations contain a similar training obligation and require that such individuals also be informed of the regulations and how to direct consumers to exercise their rights. They also require businesses to establish, document, and comply with a training policy if they know, or reasonably should know, that they buy, receive for commercial purposes, sell, or share for commercial purposes the personal information of 10 million or more consumers in a calendar year.
Fortunately, the training requirement will not change when the remainder of the CPRA goes into effect on Jan. 1, 2023. The language in the CPRA amendments and proposed regulations mirrors current law and regulations under the CCPA.
Who Should Be Trained?
To comply with the law, employers should ensure that any employee involved in implementing, managing, or overseeing compliance with the CCPA and CPRA receives training. For example, such employees may include executives, general managers, human resources employees, directors of marketing, social media managers, and information technology employees.
Additionally, any employee who is involved with receiving and responding to requests from consumers through the business’s CCPA toll-free hotline must receive the training. Finally, employees that regularly interface with consumers, such as sales representatives, should receive training on the basic requirements of the CCPA and CPRA and know where to direct consumer questions and requests regarding data privacy.
What Must the Training Cover?
Employers should ensure employees understand their role in the business’s overall compliance with the CCPA and CPRA. This includes understanding that employees and job applicants are just like any other consumer under the law and will have the same rights, including the right to be free of retaliation based on their exercise of a CCPA or CPRA right.
Overall, the training must cover CCPA and CPRA requirements as set forth in the California Civil Code and California Code of Regulations, including but not limited to the following:
- A consumer’s right to request a copy of the specific personal information collected by the business.
- A consumer’s right to request that a business delete any personal information collected about the consumer.
- A consumer’s right to request that a business disclose categories of personal information collected about the consumer, the sources from which information was collected, the business purpose for collecting or selling such information, and the categories of third parties with which the information was shared in the last 12 months.
- A consumer’s right to request that a business disclose the categories of personal information collected, sold, or disclosed.
- A consumer’s right to request certain limits on the business’s use or disclosure of the consumer’s sensitive personal information.
- A consumer’s right to request correction of their personal information.
- A consumer’s right to not be discriminated against for exercising any right under the CCPA or CPRA.
- How a business must inform a consumer of their rights under the CCPA or CPRA.
- Requirements for offering financial incentives to consumers in exchange for the collection of personal information.
- Methods for delivering requested information to a consumer after receiving a consumer’s request.
The law does not establish how long the training should be. Practically, however, the training for managerial employees may take up to two hours, as it should cover all aspects of compliance with the CCPA and CPRA, which are lengthy indeed.
The training for non-managerial, consumer-facing employees may be shorter and cover the main provisions of the CCPA and CPRA, based on the employees’ level of involvement with compliance and what they need to know.
The law does not require any minimum qualifications for who may provide the training. As the CCPA and CPRA are highly technical, we recommend that someone with data privacy experience provide the training.
How Often is the Training Required?
The law does not specify how often employers must provide training. The new regulations under the CPRA may provide additional guidance on this point, though the recently proposed draft of the regulations does not. For now, we recommend that employees receive a refresher on compliance with the CCPA and CPRA every year.
Will Businesses Face Penalties for Failing to Provide Training?
Any business that violates a provision of the CCPA or CPRA may be liable for a civil penalty up to $2,500 for each violation or $7,500 for each intentional violation.
In the context of training, it is yet to be determined whether the penalty would be on a per employee basis or a single violation for not providing adequate training to everyone who had to receive this training. Therefore, it is important to comply with your training obligation and document employees’ attendance to demonstrate the business’s compliance under the law.
Usama Kahf is a lawyer with Fisher Phillips in Irvine, Calif. Jenna Rogenski is a lawyer with Fisher Phillips in San Francisco. © 2022. All rights reserved. Reprinted with permission.