
The CCPA does not explicitly reference the requirement to train employees, but it does require that:

“All individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed [concerning the CCPA’s requirements] . . . and how to direct consumers to exercise their rights under those sections.”1

The California Attorney General repeated the above requirement to “inform” certain employees in the regulations that were promulgated pursuant to the CCPA,2 and further specified that if a business processes information about more than 10 million Californians in a calendar year, it should “[e]stablish, document, and comply with a training policy to ensure that all individuals responsible for handling consumer requests made under the CCPA or the business’s compliance with the CCPA are informed of all the requirements in these regulations and the CCPA.”3 The CPRA does not modify or expand the requirement to “inform” or “train” employees.

The language utilized by the CCPA and the regulations implementing the CCPA introduces some ambiguity as to whether training should be directed at only those individuals who are responsible for handling consumer inquiries about (1) the business’s privacy practices or (2) the business’s compliance with this title, or whether training should be directed at those individuals who (1) handle consumer inquiries about the business’s privacy practices or (2) handle any of the business’s compliance activities in connection with the title. The former interpretation would lead companies to focus training on those employees who interact with consumers (e.g., customer service); the latter interpretation might require companies to train a broader group of employees (e.g., IT, human resources, operations, marketing, etc.).

The California Attorney General was asked to clarify the scope of employees that must be trained under the statute and the regulation.  The Attorney General responded by confirming that the first interpretation above is correct and that “[t]he regulation does not state that the business has to train all employees but all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with the CCPA.”4  He further explained that the purpose of the regulation is to “ensure that the individuals responsible for handling consumer inquiries . . . can appropriately respond to inquiries.”5

Even if not strictly required, training employees who are not directly responsible for responding to consumer inquiries can be a useful tool. Because the CCPA introduces new rights for consumers, applies to a broad definition of personal information, and imposes various restrictions and obligations on businesses, educating and training employees can provide the necessary foundation to help businesses avoid inadvertently violating the CCPA and the regulations.


1 Cal. Civ. Code 1798.130(a)(6); 135(a)(3) (emphasis added).

2 CCPA Reg. 999.317(a).

3 CCPA Reg. 999.317(g)(3).

4 FSOR Appendix A at 215 (Response 634).

5 FSOR Appendix A at 215 (Response 636).  See also FSOR Appendix A at 233 (Response 681).

David A. Zetoony

David Zetoony, Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation.

David receives regular recognitions from clients and peers for his knowledge and experience in the fields of data privacy and security. The National Law Journal named him a “Cybersecurity and Data Privacy Trailblazer,” JD Supra recognized him four times as one of the most widely read names when it comes to data privacy, cyber security, or the collection and use of data, and Lexology identified him six times as the top “legal influencer” in the area of technology, media, and telecommunications in the United States, the European Union, and in the context of cross-border transfers of information. He is the author of the American Bar Association’s primary publication on the European General Data Protection Regulation (GDPR) and is writing the American Bar Association’s primary publication on the California Consumer Privacy Act (CCPA).

Karin E. Ross

Karin E. Ross focuses her practice on data privacy, cybersecurity, and technology transactions. Karin has counseled a diverse array of companies from startups to Fortune 500 companies in both local and global markets. She works closely with clients on data privacy and security compliance programs and advises on existing and emerging privacy and data protection legislation, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Gramm Leach Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA). Her experience spans a range of industries including consumer goods, medical technology, financial services, e-commerce, and restaurants.