CCPA/CPRA: California Businesses Must Complete Required Privacy Training

California’s dedication to privacy protection began when the Legislature passed the California Consumer Privacy Act (CCPA) in 2018, and that dedication was further solidified when voters passed the California Privacy Rights Act (CPRA) in 2020. The CCPA/CPRA provides consumers with various rights regarding the data companies collect about them and how that data is utilized — and it requires companies to adequately train employees who may receive consumer inquiries about this law.

More specifically California Code of Regulations Title 11, Section 999.317 states that all individuals “responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with the CCPA shall be informed of all of the requirements in the CCPA and these regulations and how to direct consumers to exercise their rights under the CCPA and these regulations.

As such, all businesses covered by the CCPA/CPRA must identify any employee who may receive an inquiry from a consumer regarding the business’s privacy practices and train those employees. And covered businesses include those that meet at least one of these requirements:

  • Making more than $25 million annually.
  • Collecting personal information of 50,000 or more California residents under CCPA in effect today, or 100,000 or more California residents when CPRA goes into effect on January 1, 2023; or
  • Deriving 50 percent or more of their revenue from the sale/sharing of California residents’ personal information.

“The idea of collecting personal information from California residents turns out to be a very low threshold,” said Dominique Shelton Leipzig, Partner and Global Co-Chair Ad Tech Privacy & Data Management at Los Angeles-based Perkins Coie LLP. “When you think about it, you just need a website that collects personal information of just 137 California residents per day to get to the 50,000 person threshold today.”

This number is extremely easy to hit because, as soon as a person visits a business website, that site is collecting cookies, which cybersecurity and anti-virus provider Kaspersky defines as text files with small pieces of data (like a username and password) used to identify a person’s computer as they use a computer network.  

“That means a business with just 137 California residents hitting their website per day is covered by the CCPA, and although this will go up to 274 under CPRA,” Shelton Leipzig added. ” that’s almost every business with a website.”

To comply with the law, training must include:

  • Consumer rights under the CCPA/CPRA;
  • How consumers can exercise those rights; and
  • The business’s responsibility in responding to those inquiries/rights.

CCPA/CPRA provisions will be enforced by the newly created California Privacy Protection Agency. Businesses covered by the CCPA/CPRA should make sure they’re complying with the consumer rights provided by these laws and that their employees who may receive an inquiry are properly trained by the compliance deadline of January 1, 2023.

In fact, because training responsibilities already exist under the current CCPA that’s in effect right now, Shelton Leipzig recommends that companies that haven’t yet undergone that training to complete CCPA/CPRA training this year.

“I would suggest to go ahead and include sort of a combo of CCPA training and training that looks ahead to what goes into effect January 1, 2023, which is the California Privacy Rights Act that just amends the existing law,” she said, “so you can get it all done in one fell swoop.”

Ultimately, if companies don’t meet the January 1, 2023, deadline, the California Privacy Protection Agency can impose penalties of up to $7,500 per violation if children are involved or up to $2,500 per violation if children are not involved.

“And then, there’s a private right of action for anybody,” Shelton Leipzig added. “Consumers can bring an action if there has been a negligent data breach.”

To help employers fulfill this training obligation, CalChamber is offering a CCPA/CPRA virtual seminar at 10 a.m. PST on February 24, 2022, titled “The California Privacy Rights Act: Implementing a Compliance Program in a Rapidly Evolving Data Privacy Landscape.”

During this 60-minute seminar, the data privacy team at Perkins Coie will briefly discuss the CCPA, delve into the new obligations and rights created by the CPRA, and then guide attendees on not only how to implement a compliance program before the CPRA becomes operative in 2023, but also offer steps businesses should take to comply with the CPRA and evolving data privacy regulations. 

Attendees will receive the presentation slide deck, sample data inventory and instructions, a CPRA v. CCPA checklist, and a CPRA Vendor Contract checklist.

“We’ll cover all of the things the training requires, which is: What does the law provide? What rights do consumers have? How much time do you have to respond to those rights and what you can do to get a coherent, actionable program in place, even if you don’t have a big, huge legal department or a budget to staff all this?” said Shelton Leipzig, adding that businesses will also learn how to set up a six phase approach to complying with the CPRA that also will work with the existing CCPA.

“We want to make it turnkey,” she said, “so that every company can be a data leader and actually comply with this law.”

Jessica Mulholland, Managing Editor, CalChamber

CalChamber members and nonmembers can enroll in “The California Privacy Rights Act: Implementing a Compliance Program in a Rapidly Evolving Data Privacy Landscape” virtual seminar at the CalChamber Store for $124.99 (or $99.99 if you’re a Preferred or Executive CalChamber Member).

Leave a Reply

Your email address will not be published. Required fields are marked *