How to: CCPA/CPRA Employee Training Requirements

As we recently reported, the California legislature is currently in the process of implementing the California Privacy Rights Act of 2020 (CPRA), which is poised to take effect in January of 2023 and will make several amendments to the California Consumer Privacy Act of 2018 (CCPA), which has been in effect since January 1, 2020. Both of these laws require organizations to train employees on security and data privacy.

Under the CCPA, covered businesses are required to train employees responsible for compliance with the CCPA or for responding to consumer inquiries involving privacy concerns. In addition to the mandatory training procedures, businesses that know, or reasonably should know, that they transfer for commercial purposes the personal information of at least 10 million consumers in a year are required to establish, document, and maintain compliance with a training policy governing CCPA compliance.

Among other requirements, under the CCPA, the trainings must cover the following requirements for covered businesses:

  • Complying with a consumer's right to request a copy of their personal information that has been collected by the business, and to request that it be corrected and/or deleted. This includes the categories of personal information that have been collected and/or transferred, the business’s purpose for collecting or transferring this information, and which third parties have received that information via transfer in the last 12 months.

  • Limiting use and disclosure of consumers’ sensitive personal information.

  • Informing consumers about their rights under the CCPA or CPRA and instructions for how to exercise them without fear of discrimination by the business.

  • Offering consumers financial incentives in exchange for the covered business’s collection of their personal information, and the limitations and requirements of this practice.

This training requirement from the CCPA is not being amended by the CPRA. As such, a covered business that has been operating in compliance with the previously governing privacy act should be able to achieve compliance under the CPRA. 
