Q&A: What Employers Need to Know About the California Consumer Privacy Act’s Training Requirement
Insights
7.18.22
When covered businesses collect personal information about consumers – including employees and job applicants – the California Consumer Privacy Act (CCPA) requires them to comply with certain disclosure obligations, among many other requirements. Covered businesses need to prepare for major changes to the law which were approved by California voters under Prop 24’s California Privacy Rights Act (CPRA). Most notably, a current CCPA exception for employee and job applicant data will end on January 1, 2023 (when the CPRA fully takes effect) and provide employees and applicants with the same CCPA rights that have applied to all other “consumers” since 2020. The CPRA will also add new rights. As a result, employers should be keenly aware of their obligations under the CCPA and CPRA, as litigation and enforcement actions are likely to increase – and the deadline to comply is fast approaching. With so many requirements to review, you may have missed a lesser known but important obligation to provide sufficient training to everyone who is responsible for your CCPA and CPRA compliance measures or for handling consumer inquiries about your privacy practices. What do you need to know about your training obligations under these laws?
- What Are the Current Training Requirements Under the CCPA?
Under the CCPA, which took effect on January 1, 2020 (with regulations taking effect on August 14, 2020), covered businesses must ensure that all individuals responsible for the business’s compliance with the CCPA or for handling the business’s response to consumer inquiries about its privacy practices are informed of all applicable CCPA requirements. This includes knowing how to direct consumers to exercise their rights under the CCPA.
The CCPA regulations contain a similar training obligation and require that such individuals also be informed of the regulations and how to direct consumers to exercise their rights. They also require businesses to establish, document, and comply with a training policy if they know, or reasonably should know, that they buy, receive for commercial purposes, sell, or share for commercial purposes the personal information of 10 million or more consumers in a calendar year.
- Will the Training Requirements Change in January When the CPRA Goes Fully into Effect?
Fortunately, the training requirement will not change when the remainder of the CPRA goes into effect on January 1, 2023. The language in the CPRA amendments and proposed regulations mirrors current law and regulations under the CCPA.
- Who Should Be Trained?
To comply with the law, employers should ensure that any employee involved in implementing, managing, or overseeing compliance with the CCPA and CPRA receives training. For example, such employees may include executives, general managers, human resources employees, directors of marketing, social media managers, and information technology employees. Additionally, any employee who is involved with receiving and responding to requests from consumers through the business’s CCPA toll-free hotline must receive the training. Finally, employees who regularly interface with consumers – such as sales representatives – should receive training on the basic requirements of the CCPA and CPRA and know where to direct consumer questions and requests regarding data privacy.
- What Must the Training Cover?
Employers should ensure employees understand their role in the business’s overall compliance with the CCPA and CPRA. This includes understanding that employees and job applicants (starting on January 1, 2023) are just like any other “consumer” under the law and will have the same rights, including the right to be free of retaliation based on their exercise of a CCPA or CPRA right.
Overall, the training must cover CCPA and CPRA requirements as set forth in the California Civil Code and California Code of Regulations, including but not limited to the following:
- A consumer’s right to request a copy of the specific personal information collected by the business;
- A consumer’s right to request that a business delete any personal information collected about the consumer;
- A consumer’s right to request that a business disclose categories of personal information collected about the consumer, the sources from which such information was collected, the business purpose for collecting or selling such information, and the categories of third parties with which the information was shared in the last 12 months;
- A consumer’s right to request that a business that sells the consumer’s information or discloses the consumer’s information for a business purpose disclose the categories of personal information collected, sold, or disclosed;
- A consumer’s right to request certain limits on the business’s use or disclosure of the consumer’s “sensitive personal information” (which is a more limited sub-category of personal information);
- A consumer’s right to request correction of their personal information;
- A consumer’s right to not be discriminated against for exercising any right under the CCPA or CPRA;
- How a business must inform a consumer of their rights under the CCPA or CPRA;
- Requirements for offering financial incentives to consumers in exchange for the collection of personal information; and
- Methods for delivering requested information to a consumer after receiving a consumer’s request.
- How Long Must the Training Be?
The law does not establish how long the training should be. Practically, however, the training for managerial employees may take up to two hours, as it should cover all aspects of compliance with the CCPA and CPRA – which are lengthy indeed. The training for non-managerial, consumer-facing employees may be shorter and cover the main provisions of the CCPA and CPRA based on the employees’ level of involvement with compliance and what they need to know. For example, they may need to know about the specific forms and notices they may need to give consumers.
- Who Can Provide the Training?
The law does not require any minimum qualifications for who may provide the training. As the CCPA and CPRA are highly technical, we recommend that someone with data privacy experience provide the training. Members of the Fisher Phillips Consumer Privacy Team have been providing this training for employers and can do so across all industries.
- How Often Is the Training Required?
The law does not specify how often employers must provide training. However, the new regulations under the CPRA may provide additional guidance on this point, though the recently proposed draft of the regulations does not. For now, we recommend that employees receive a refresh on compliance with the CCPA and CPRA every year.
- Will Businesses Face Penalties for Failing to Provide Training?
Any business that violates a provision of the CCPA or CPRA may be liable for a civil penalty up to $2,500 for each violation or $7,500 for each intentional violation. In the context of training, it is yet to be determined whether the penalty would be on a “per employee basis” (for each employee who did not receive adequate training) or a single violation for not providing adequate training to everyone who had to receive this training. Therefore, it is important to comply with your training obligation and document employees’ attendance at such training to demonstrate the business’s compliance under the law.
Conclusion
Fisher Phillips will continue to monitor guidance for compliance with the CCPA and CPRA. Make sure you are subscribed to Fisher Phillips’ Alert System to get the most up-to-date information. For further information, contact your Fisher Phillips attorney, the authors of this Insight, or any attorney on our Consumer Privacy Team.
Related People
- Usama Kahf, CIPP/US, Partner