What is the CCPA?
In July 2018, California passed a law called the California Consumer Privacy Act, or CCPA. The CCPA regulates how companies handle personal information that belongs to California consumers, but it is not restricted to California companies. The CCPA grants California consumers new rights to access and delete their data while placing restrictions on entities that collect, store, and sell Californians’ personal information.
The CCPA goes into effect on January 1, 2020, and many U.S. businesses that were not susceptible to Europe’s General Data Protection Regulation (GDPR) will have to comply with the CCPA. The International Association of Privacy Professionals (IAPP) estimates that over 500,000 businesses in the United States, including over 100,000 businesses in California alone, will need to comply with the new law.
With the deadline fast approaching, it is important that companies understand what the CCPA requires in terms of them and their employees. We will briefly outline (1) who needs to comply with the CCPA and (2) what the law requires for employee training. Please keep in mind that the following is not legal advice. It is only legal information. There are specific carve outs in the CCPA that will apply to certain organizations and certain types of consumer personal information. For specific advice on how to comply with the CCPA, please consult an attorney.
Does the CCPA Apply to My Company?
It can be difficult to determine whether the CCPA applies to your business. The law is complex, and there are various factors that determine whether your company must comply. Fortunately, the privacy experts at the law firm Wilson Sonsini Goodrich & Rosati distilled those factors into three easy questions that cover most companies.
First, does your company handle personal information from California residents? Keep in mind: the definition of personal information is very broad. Personal information includes any data that has to do with a specific person, including names, addresses, height, weight, preferences, device IDs, etc.
If the answer is no, your business likely does not need to comply with the CCPA. The new law only applies to companies that do business in California, or otherwise handle personal information from California residents. (However, there are some exceptions, so please read on.)
If you answered yes, you also need to answer the next question.
Second, do any of the following apply to your company: (1) you make over $25 million in revenue per year, (2) you handle personal data for 50,000 people, devices, or households from California per year, or (3) you make at least half of your revenue from selling the information of California residents? If none of these three apply, your company likely does not need to comply with the CCPA. If any of the three applies to you, then you need to answer the next question.
Third, is your company for-profit? If the answer is no, then your organization likely does not need to comply with the CCPA. The CCPA only applies to for-profit businesses; there is, however, an important exception if your non-profit handles information on behalf of a for-profit entity. In that scenario, your organization would need to comply with the new law.
If you answered yes to all three questions, then your business likely needs to comply with the CCPA—and you have a lot of work ahead of you.
Keep in mind that there are a few additional rules, so it’s important to speak with a lawyer to know for certain. One of the main exceptions is based on relationships between companies Even if your business on its own does not need to comply, if you have a parent company that controls your organization and shares branding with you, and that company has to comply, your business will also have to comply. (There are additional ways the shared branding rule can apply. Click here for more information.)
The following section outlines the main obligations under the law.
To see an automated version of these questions that generates results for you, please click here.
Who Needs Training?
Once you have concluded that your business needs to comply with the CCPA, you can divide the steps you need to take into four main parts: (1) disclosures, (2) consumer requests, (3) opt outs, and (4) training. There are other smaller obligations under the law that apply in specific circumstances, but these four sections cover the majority of the new law.
We are going to focus here on employee training. Under the CCPA 1798.130(a)(6), regulated businesses have an obligation to provide CCPA training to (1) those employees who handle consumer inquiries regarding company privacy practices as well as (2) anyone responsible for the business’s CCPA compliance.
An organization’s first step will be determining who needs to be trained in order to correctly fulfill consumer requests governed by the CCPA. Generally speaking, any employee that may have to handle inquiries not just about the CCPA but about the company’s privacy practices need this training.
For many organizations, this means training customer service representatives who handle calls to their toll free lines as well as those who handle responding to digital requests that come in via email or another online process. Because the CCPA is only relevant for California consumers, employees who only deal with consumers in other states would not need to be trained. Some businesses may plan to funnel all requests directly to specific employees and only train that group on the CCPA while training employees outside that group not to answer privacy or CCPA-related questions.
There may be other individuals within your organization who will not be answering actual consumer inquiries but who need to be trained. Any individual responsible for your organization’s CCPA compliance will need training.
Marketing, for example, cannot start an ad campaign with a new outside vendor without putting the correct CCPA contract rules in place for sharing personal data, so Marketing will need to inform IT and the Legal or Compliance Officer in charge of the company’s policies of the new method of data collection. The IT team is likely to be tasked with the actual deletion of data pursuant to CCPA consumer inquiries or creating reports when consumers’ request access to their personal information. Activities from marketing, to sales, to customer service, implicate the collection, use, and storage of data at your organization. Determining which individuals will need to be educated is an important part of establishing a robust compliance program.
What Training Does the CCPA Require?
The CCPA makes business responsible for training their employees on key sections of the CCPA and on how to direct consumers to exercise their rights under those sections. Specifically, employees need to be informed regarding: (1) the consumer’s right to ask the business to disclose what is being collected and for what purpose (Section 1798.110) ; (2) the consumer’s right to ask what personal information is being sold or shared (Section 1798.115); (3) the injunction against businesses discriminating against consumers who exercise their privacy rights under the CCPA (Section 1798.125); (4) the business’s policy disclosure responsibilities and the rules regulating how it responds to consumer requests (Section 1798.130).
One of the easiest ways to ensure employees can correctly direct consumers is to put into place your CCPA-mandate privacy notice for your website and create an internal compliance policy that is disseminated to all relevant employees.