The California Consumer Protection Act (CCPA), effective January 1, 2020, requires covered businesses to inform any employees who handle inquiries from (California) consumers about the company’s obligations under CCPA in order to ensure that they properly respond to such inquiries and requests. While this requirement is narrow in scope, it should provide ample incentive for employers to properly train their staff on privacy and security obligations. However, in addition to CCPA’s specific mandate, there are many other compelling reasons for educating and training any employees who access or otherwise process personal information in this new era of global data privacy and security regulation.
Accountability. Many employees across various departments within an organization handle consumer personal information, but few systematically understand the legal obligations that their employers must meet when it comes to processing and securing personal information. Training employees not only enables employers to set a high standard and educate employees on the importance of complying with applicable data privacy and security obligations, but also, if properly documented, ensures that accountability requirements are met, particularly in the event of an audit by a regulator. As an example, one of the core principles of the EU’s GDPR is accountability, which (among other things) means documenting the processes put in place by an organization in order to comply with the regulation. There is little doubt that as regulators here in the United States and abroad step up their audits and investigations of companies with substantial data processing activities, the ability to demonstrate employee training goes a long way.
Security. With security breaches occurring every day, data security should be at the top of any organization’s list. Employees who understand privacy and security requirements – who understand the need for multi-layer security, for instance, or who can quickly identify system vulnerabilities or data sets for which security is lacking – are far more effective at assessing and mitigating risks than those who don’t give it a second thought. In fact, certain security breaches are the only incidents under CCPA for which private lawsuits are currently permissible. This private right of action under CCPA carries statutory damages – meaning that the amount awarded is stipulated within the statute rather than being calculated based on the degree of actual harm to the plaintiff – ranging from $100-750 per individual per incident. In practice, one incident affecting just 20,000 individuals could cost a company $2 million at the very least. This private right of action is triggered by an unauthorized access or disclosure of a consumer’s non-encrypted personal information stemming from a covered business’ failure to implement and maintain reasonable security procedures and practices, which could include the failure to educate and train employees handling the personal information.
Efficiency. As companies across all industries are increasingly fueled by data, while increasingly subject to data privacy and security requirements, training any teams that handle personal data – whether marketing, HR, dev ops – will simply result in (a) more efficiency and security within the business operations, (b) better customer experience, (c) mitigation of risks, and (d) preparedness in the event of a regulatory audit or security incident. In fact, when a major data breach occurs – and chances are, it will – having a team of employees with a clear understanding of the organization’s data processing activities, as well as any obligations to which it may be subject, can make an enormous difference when it comes to implementing quick remediation measures, properly reporting the incident and controlling potential damages.
With respect to CCPA’s specific training requirements, it does not list the measures that must be taken to ensure that an employee is “informed of all requirements” contained in the applicable sections. Among other things, CCPA requires covered employees to have an understanding of how to direct consumers to exercise their rights, meaning that training on the rights of access, deletion, portability and the opt-out of the sale of personal information would be a starting point. With respect to specific training materials and processes, presumably, a combination of written training materials, internal policies and in-person training on a recurring basis would satisfy the requirements. More clarity is expected when the California Attorney General issues regulations.
What should employers do now?
Until the California Attorney General issues regulations, organizations that are subject to CCPA (or who otherwise process personal information) should take a step back and consider the benefits of educating their staff on how to conduct data processing in a secure and compliant manner.
If you have any questions about your employee data privacy practices and policies, or any other issue relating to privacy law, please contact one of our privacy attorneys: