If an organization must comply with CCPA, then that organization must conduct CCPA training.
What organizations need to comply with the California Consumer Privacy Act (CCPA)? Organizations need to comply with CCPA if the organization stores or uses PII of California citizens. Similar to how GDPR applies to personally identifiable information (PII) of EU citizens, CCPA applies to PII of Californians. CCPA applies to organizations whether they have offices in California or not.
Also similar to GDPR, technology companies are the most impacted by CCPA because they cross borders seamlessly via the Internet, and because technology business models and products often leverage PII.
If you work for a company that stores or processes California citizen data, you should receive some form of CCPA training so that you can understand the impact of CCPA on your job function and organization.
CCPA does explicitly define training requirements, though those requirements are vague.
Sections 1798.130 and 1798.135 of CCPA say essentially the same thing about training: ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed of all requirements in Sections 1798.110, 1798.115, 1798.125, and this section, and how to direct consumers to exercise their rights under those sections.
Individuals who are consumer-facing should receive CCPA training. Given the growing importance of privacy to consumers, most employees should, at the very least, understand enough about CCPA to be able to direct inquiries to the right place and to understand the parties responsible for data privacy within their organization.
CCPA training should be conducted at onboarding for new employees, when changes are made to compliance policies and procedures, and on a regular cadence, with annual being the longest acceptable interval.
Most organizations do not offer effective compliance training to their workforces. Current approaches to compliance training are outdated, generic, infrequent, and do not practically apply to the day-to-day work of employees, especially employees at technology companies. Employees represent the largest threat to corporate systems and data and are the most common cause of security incidents and data breaches. It has never been more important to get compliance training right.
Additionally, in order to effectively implement security by design and to ensure all employees are educated about data subject requests, every member of the workforce should be trained in compliance, privacy, and security as well as relevant CCPA rules.
At Day Zero, our team has designed and managed CCPA training programs. In order to be successful with training, CCPA training needs to be built into the culture of the organization. In our experience, the following elements are essential aspects of effective CCPA training.
Day Zero offers CCPA training that ensures all of the above. In addition, we provide metrics to continually gauge and improve compliance training. Our customers lean on us to build a culture of privacy across their entire workforce. We are 100% focused on making sure your employees are properly trained and you have the proof you need to comply with CCPA.
Below are some links to learn more about CCPA training.