Privacy Training is Mandatory Under the CCPA due to the Fundamental Change in Approach to Privacy from Sectoral to Comprehensive, Reflecting the Broad Definition of Personal Information
Under the CCPA, privacy training is mandatory for most, if not all, of a company's employees. Why? Because the CCPA fundamentally changes the nature of privacy law in the United States. For decades, privacy law in the U.S. has been sectoral, with a separate federal law for each business sector: finance (Gramm-Leach-Bliley Act), health care (HIPAA), direct marketing (CAN-SPAM), and so on. The CCPA changes that approach with an extremely broad definition of personal information. While the CCPA is not a national law, it is a law with which many companies will have to comply, because California is the fifth largest economy in the world and companies want to do business with California consumers. To avoid conflict with the sectoral laws, the CCPA excludes data already covered by them, but it still treats a huge swath of information as personal. When the personal information of consumers enters a business, it floods the organization, the way a flood of water inundates a village.
Your Business is Like a Village Flooded by Personal Information
Imagine that your business is a village, and each building is a separate department. Then one day your village is flooded, with personal information flowing in and around every part of it. You want to continue to live in the village, so all the inhabitants need to learn to swim and to use boats. You must train them. If you don't, there can be serious consequences.
If the CCPA is preempted by federal law, the federal law will probably carry a similarly comprehensive training requirement, reflecting the same change in the scope of what counts as personal information. The proposed Consumer Online Privacy Rights Act (COPRA), for example, calls for training of "all employees with access to covered data". Effectively, the training scope is tied to the scope of the data. Covered data is defined broadly as "information that identifies, or is linked or reasonably linkable to an individual or a consumer device, including derived data". COPRA would exclude employee data, de-identified data and public records, which still leaves a great deal covered. The point is that whether or not the CCPA is preempted by federal law, a broadened definition of personal information will in either case require a much broader set of people to be trained on how to handle it.
Under the CCPA and accompanying regulations, there are several sections that call out requirements for privacy training.
CCPA Proposed Regs § 999.317 (g) (3) calls for a documented privacy training policy for businesses that sell or share the personal information of 4 million or more consumers.
CCPA Proposed Regs § 999.330 (a) (2) requires "trained personnel" to handle parental authorization for the personal information of children under 13 when it comes in by toll-free telephone number, video conference or in person (e.g. retail personnel).
CCPA § 1798.135 (a) (3) requires businesses that sell personal information to ensure that "all individuals responsible for handling consumer inquiries about the business's privacy practices or the business's compliance with this title" are informed of all requirements of the opt-out section and of how to direct consumers to exercise their rights under those sections.
CCPA § 1798.130 (a) (6) similarly requires that "all individuals responsible for handling consumer inquiries about the business's privacy practices or the business's compliance" be informed of the requirements of five other sections plus § 1798.130 itself, covering requests for categories of personal information, requests for specific pieces of personal information, requests to delete, the obligations of businesses that collect personal information, the obligations of businesses that sell personal information, and non-discrimination.
Finally, CCPA Proposed Regs § 999.317 (a) requires that "all individuals responsible for handling consumer inquiries about the business's privacy practices or the business's compliance with the CCPA" be informed of all requirements of both the CCPA and the regulations.
Section 999.317 is, in effect, a global training requirement, because arguably everyone in a business has some responsibility for privacy compliance. Executives are accountable for compliance itself. Managers are responsible for overseeing how compliance is implemented and operated. HR is responsible for privacy training and awareness. Legal is responsible for the legal and regulatory requirements (e.g., the privacy policy). Product developers are responsible for privacy by design. Website developers are responsible for inserting and implementing the do-not-sell link. Database teams are responsible for data retention and deletion requirements. Operations, customer service and retail staff are responsible for handling consumer requests. Sales, marketing and advertising are responsible for honoring do-not-sell. And so on. These are only examples: wherever personal information goes, the responsibility to handle it appropriately follows.
Don't hide behind the word "inform". Merely listing requirements on a web page or sending an email to employees is not sufficient to ensure that employees understand and abide by them. The CCPA and its regulations are complicated, and comprehensive privacy training is needed. An untrained workforce is dangerous. The CCPA enables large penalties through Attorney General enforcement actions, with civil penalties assessed per violation, and through a private right of action, including class actions, for data breaches that result from a failure to maintain reasonable security.
Don't assume that if you have trained some employees on the GDPR, the same training will suffice for the CCPA. It won't. The CCPA and its regulations are far more explicit about who must be trained and on what.
In sum, train all employees responsible for any aspect of compliance on all requirements of the CCPA and its regulations, with particular attention to consumer requests, opt-outs and situations involving children. Create and maintain a written privacy training policy as part of a comprehensive privacy training program.