CCPA Training Requirement – Section 1798.130(a)(6) Compliance
The CCPA has a training requirement for certain individuals at a company dealing with the California Consumer Privacy Act. It requires as part of compliance efforts that these individuals to be informed about certain requirements of the CCPA as well as the company’s procedures for exercising the consumer rights so that they can direct individuals how to do so.
The relevant section of the CCPA is contained in Section 1798.130(a)(6):
Ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed of all requirements in Sections 1798.110, 1798.115, 1798.125, and this section, and how to direct consumers to exercise their rights under those sections.
Who Must Be Trained
– All individuals responsible for handling consumer inquiries about company’s privacy practices
The goal of this requirement appears to be to ensure that consumer inquiries are handled appropriately under the law. If customer service representatives over the phone or cash register attendants are answering questions about the company’s privacy practices, then they need to be familiar with some of the core sections of the CCPA. On the other hand, if all customer questions asked of those individuals are referred to other employees, an organization may find the training of the specific members of the staff actually answering the questions sufficient. However, an organization would need to make sure that the individuals initially receiving the questions were trained not to answer the questions.
Because a consumer is defined as a natural person who is a California resident, individuals that do not handle inquiries from California residents would not need to be trained under this clause in the law.
– All individuals responsible for the CCPA compliance of the business
The CCPA affirmatively requires a company to ensure that the individuals responsible for compliance are informed of all the requirements of the specific sections identified. However, the CCPA does not define the term responsible in this section so there is some minor ambiguity around it. Nevertheless, an organization should ensure that all individuals executing on their CCPA compliance program are properly educated about the law to meet this requirement.
What Type of Training
The CCPA does not indicate what specific measures must be taken to ensure that an employee is “informed of all requirements” in the listed sections. Options that a company might use include external written training materials from an organization like Clarip or the International Association of Privacy Professionals (IAPP), in-house developed training materials that provided an education on the specific requirements of the particular sections of the CCPA as well as how the company permits consumers to exercise their rights, or a training program by an external CCPA consultant.
Since the law does not specify whether it should be a one-time or reoccurring process, the prudent course is probably to institute a quarterly or annual review of the law’s requirements and the company’s procedures for complying with them. This provides the organization the means to defend against an accusation that its employees are not informed, have forgotten their training because it has been too long, or that they are not familiar with the latest material information about the law.
The Relevant Sections of the CCPA for the Education / Training Efforts
Section 1798.110 – Creates consumer right to disclosures from businesses collecting personal information.
Section 1798.115 – Creates consumer right to disclosures from businesses selling or disclosing personal information.
Section 1798.125 – Businesses shall not discriminate against a consumer that exercises their rights, although they may create a financial incentive program meeting certain requirements.
Section 1798.130 – Sets forth the disclosures and other requirements for the right to access and right to delete.
The law also requires an individual to have an understanding of how to direct consumers to exercise their rights, so an understanding of the right of access, delete, data portability and the opt-out of the sale of personal information sufficient to tell a consumer how to exercise those rights is important as well.
There is also the possibility that the California Attorney General issues regulations to clarify this section. We will have a better idea in Fall 2019 after the draft regulations are released.
GET OUR FREE WHITE PAPER ON THE NEW CALIFORNIA LAW:
Data Portability for CCPA DSAR Access Responses
What is a CCPA business purpose or commercial purpose?
The Broad CCPA Definition of Sale
CCPA Definition of Consumer
CCPA Look Back Period Requirement
CCPA Household Definition & Challenges
CCPA Regulations: Coming Soon from the California Attorney General
Loyalty Programs, AB-846, and the CCPA Anti-Discrimination Clause