The CCPA does not explicitly reference the requirement to train employees, but it does require that:
All individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed [concerning the CCPA’s requirements] . . . and how to direct consumers to exercise their rights under those sections.”1
The California Attorney General repeated the above requirement to “inform” certain employees in the regulations that were promulgated pursuant to the CCPA,2 and further specified that if a business processes information about more than 10 million Californians in a calendar year it should “[e]stablish, document, and comply with a training policy to ensure that all individuals responsible for handling consumer requests made under the CCPA or the business’s compliance with the CCPA are informed of all the requirements in these regulations and the CCPA.3 The CPRA does not modify, or expand, the requirement to “inform” or “train” employees.
The language utilized by the CCPA and the regulations implementing the CCPA introduces some ambiguity as to whether training should be directed at only those individuals that are responsible for handling consumer inquires about (1) the business’s privacy practices or (2) the business’s compliance with this title, or whether training should be directed at those individuals that (1) handle consumer inquiries about the business’s privacy practice or (2) handle any of the business’s compliance activities in connection with the title. The former interpretation would lead companies to focus training on those employees that interact with consumers (e.g., customer service); the latter interpretation might require companies to train a broader group of employees (e.g., IT, human resources, operations, marketing, etc.).
The California Attorney General was asked to clarify the scope of employees that must be trained under the statute and the regulation. The Attorney General responded by confirming that the first interpretation above is correct and that “[t]he regulation does not state that the business has to train all employees but all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with the CCPA.”4 He further explained that the purpose of the regulation is to “ensure that the individuals responsible for handling consumer inquiries . . . can appropriately respond to inquiries.”5
Even if not strictly required, training employees who are not directly responsible for responding to consumer inquiries can be a useful tool. Because the CCPA introduces new rights for consumers, applies to an broad definition of personal information, and imposes various restrictions and obligations on businesses, educating and training employees can provide the necessary foundation to help businesses avoid inadvertently violating the CCPA and the regulations.
1 Cal. Civ. Code 1798.130(a)(6); 135(a)(3) (emphasis added).
2 CCPA Reg. 999.317(a).
3 CCPA Reg. 999.317(g)(3).
4 FSOR Appendix A at 215 (Response 634)
5 FSOR Appendix A at 215 (Response 636). See also FSOR Appendix A at 233 (Response 681).