Home Consumer resources What Employers Need to Know About California Consumer Privacy Act Education Requirements

What Employers Need to Know About California Consumer Privacy Act Education Requirements


When Covered Businesses collect personal information about employees and job applicants, the California Consumer Privacy Act (CCPA) requires them to comply with certain disclosure obligations.

Covered businesses should prepare for major changes in the law, which were approved by California voters under the California Privacy Rights Act (CPRA) at Prop 24. Most notably, a CCPA exception for employee and party data. job applicants will end on January 1, 2023 and will provide employees and job applicants with the same CCPA rights that have applied to consumers since 2020.

CPRA will also add new rights. Employers should be fully aware of their obligations under the CCPA and CPRA as litigation and enforcement actions are likely to increase and the deadline for compliance is fast approaching.

With so many requirements to review, you may have missed a lesser-known, but important obligation to provide sufficient training to all those responsible for your CCPA and CPRA compliance measures, or handling consumer inquiries. about your privacy practices.

WhWhat are the current training requirements?

Under the CCPA, which came into effect on January 1, 2020, covered businesses must ensure that all persons responsible for the business’ compliance with the CCPA or the business’s response to consumer inquiries about privacy practices are informed of all applicable CCPA requirements. This includes knowing how to direct consumers towards exercising their rights under the CCPA.

The CCPA regulations contain a similar training obligation and require that these persons also be informed of the regulations and how to direct consumers towards the exercise of their rights. They also require companies to establish, document and follow a training policy if they know, or reasonably should know, that they are buying, receiving for business purposes, selling or sharing for business purposes the personal information of 10 million or more consumers in a calendar year.

Fortunately, the education requirement will not change when the rest of the CPRA comes into effect on January 1, 2023. The wording of the CPRA amendments and proposed regulations reflect current law and regulations under the CCPA.

Who Do you need to be trained?

To comply with the law, employers must ensure that any employee involved in implementing, managing or monitoring CCPA and CPRA compliance receives training. For example, these employees may include executives, general managers, human resources employees, marketing managers, social media managers, and information technology employees.

Additionally, any employee involved in receiving and responding to consumer inquiries through the Company’s CCPA toll-free hotline should receive the training. Finally, employees who regularly interact with consumers, such as sales representatives, should receive training on basic CCPA and CPRA requirements and know where to direct consumer questions and requests regarding data privacy.

What should the training cover?

Employers must ensure that employees understand their role in the company’s overall compliance with the CCPA and CPRA. This includes understanding that employees and applicants for employment are like any other consumer under the law and will have the same rights, including the right not to suffer retaliation because of their exercise of a CCPA right or CPR.

Overall, training should cover CCPA and CPRA requirements as set forth in the California Civil Code and California Code of Regulations, including, but not limited to, the following:

  • The consumer’s right to request a copy of specific personal information collected by the business.
  • The right of a consumer to ask a company to delete any personal information collected about the consumer.
  • A consumer’s right to ask a business to disclose the categories of personal information collected about the consumer, the sources from which the information was collected, the business purpose for collecting or selling the information, and the categories of third parties with whom the information has been shared in the last 12 months.
  • A consumer’s right to ask a business to disclose the categories of personal information collected, sold or disclosed.
  • A consumer’s right to request certain limits on the company’s use or disclosure of the consumer’s sensitive personal information.
  • The consumer’s right to request the correction of their personal information.
  • A consumer’s right not to be discriminated against for exercising a right under the CCPA or CPRA.
  • How a business should inform a consumer of their rights under the CCPA or CPRA.
  • Requirements for offering financial incentives to consumers in exchange for collecting personal information.
  • Methods for providing requested information to a consumer after receiving a consumer’s request are provided.

The law does not set the duration of the training. In practice, however, executive training can take up to two hours, as it should cover all aspects of CCPA and CPRA compliance, which are indeed time-consuming.

Training for non-managerial consumer-facing employees may be shorter and cover key provisions of the CCPA and CPRA, depending on the level of compliance involvement of employees and what they need to know .

The law does not require any minimum qualification for who can provide the training. Since the CCPA and CPRA are very technical, we recommend that someone with data privacy experience conduct the training.

How is often the Training required?

The law does not specify how often employers must provide training. However, new regulations made under the CPRA may provide additional guidance on this point, although the recently proposed draft regulations do not. At this time, we recommend that employees receive an annual CCPA and CPRA compliance update.

Does Busiface penalties for failing to provide training?

Any company that violates any provision of the CCPA or CPRA may be subject to a civil penalty of up to $2,500 for each violation or $7,500 for each intentional violation.

In the context of training, it remains to be determined whether the sanction would be on a per employee basis or a single violation for failing to provide adequate training to all those who were to receive such training. Therefore, it is important to meet your training obligation and document employee attendance to demonstrate company compliance with the law.

Usama Kahf is an attorney at Fisher Phillips in Irvine, California. Jenna Rogenski is an attorney at Fisher Phillips in San Francisco. © 2022. All rights reserved. Reprinted with permission.