As we approach the July 1 enforcement date for the CCPA (California Consumer Privacy Act), organizations must act now to ensure they’re compliant.
One of the most important requirements is staff training, because it demonstrates that employees understand and are putting into practice the processes and policies you’ve implemented.
The CCPA states that organizations within its scope must provide training to:
- Employees who handle consumer inquiries regarding company privacy practices
- Anyone responsible for the organization’s CCPA compliance
In this blog, we explain how CCPA training fits within your wider compliance practices and how to prepare your staff for the upcoming changes.
What is the CCPA?
The CCPA is a data privacy law that applies to organizations that do business in California (regardless of where they are based) and:
- Have a gross annual turnover of $25 million or more;
- Buy, receive, sell, or share the personal data of 50,000 or more consumers; or
- Derive 50% or more of their annual revenue from selling consumers’ data.
If your organization meets those criteria, you must tell California-based data subjects when their personal data is being collected and what it’s being used for.
These individuals also have the right to:
- Access the personal information that organizations collect or process about them;
- Request that organizations delete their personal data under certain circumstances; and
- Require organizations not to sell their personal data to third parties.
Meeting these requirements is a two-step process. First, you need to implement processes to identify data subjects who are within the CCPA’s scope and provide them with the necessary information upon request.
Second, you need to teach these processes to your employees, explaining the challenges they will face and how to handle them.
If an employee fails to comply with the CCPA’s requirements, your organization could face civil penalties of up to $7,500 and a civil suit that gives every affected customer the right to seek between $100 and $750 in damages.
Training your employees
Your CCPA training procedure should begin by identifying relevant employees. Remember that these are employees who handle data privacy or who are involved in your CCPA compliance practices.
This could end up being a long list, given that it encompasses anyone who interacts with California-based consumers either directly or indirectly as part of their job, as well as their managers.
One way to manage this is to cordon off any practices that involve California residents from the rest of your business and apply the CCPA’s rules strictly to them.
If this is impractical, you could cast a wider net by, for example, creating a West Coast team or, if you’re an international business, a U.S. team, and then isolating Californians within that.
Whatever your approach, the aim is to limit the number of people and activities that fall within the Act’s scope.
Once you’ve done that, it’s time to begin training. You will almost certainly benefit from using a third party rather than conducting it yourself, because the CCPA is nuanced and mistakes in your training are likely to result in non-compliance.
If you’re looking for an expert training provider, our California Consumer Privacy Act (CCPA) Foundation Online Training Course covers everything that employees need to know, including:
The course is led by a data privacy expert and delivered remotely, enabling you to receive the expertise that you’d find in a classroom course from the comfort and safety of your own home.