The regulations implementing the CCPA discuss the education of employees regarding CCPA related responsibilities in two sections:
|Section 999.317(a)||Section 999.317(g)(3)|
All individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with the CCPA shall be informed of all of the
requirements in the CCPA and these regulations and how to direct consumers to exercise their rights under the CCPA and these regulations.
|A business that knows or reasonably should know that it, alone or in combination, buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 10,000,000 or more consumers in a calendar year shall . . . [e]stablish, document, and comply with a training policy to ensure that all individuals responsible for handling consumer requests made under the CCPA or the business’s compliance with the CCPA are informed of all the requirements in these regulations and the CCPA.|
Some businesses expressed confusion to the California Attorney General as to whether, when read together, the above requirements only require a business to train employees if the business processes personal information about more than 10 million consumers. The Attorney General clarified that ‘[a]ll businesses have the responsibility of ensuring that all individuals responsible for handling consumer inquiries about the CCPA” are “informed” of the requirements in the CCPA, but that only businesses that process high volumes of personal information are required to document a formal training policy.1
1 FSOR Appendix A at 234 (Response 682).