CPRA Training Requirements – Section (999.317) Compliance

The California Consumer Privacy Acts (CCPA) 2020 lays down principles around consumer privacy rights and business responsibilities. However, the California Privacy Rights Act (CPRA), which will be effective from January 1, 2023. It will expand and amend those principles to give consumers added rights over their data and make businesses more accountable for data protection.

In fact, businesses’ accountability to CPRA also includes privacy training that must be provided to employees managing or processing consumers' or employees’ personal information.

As a CPRA-covered business, it is essential for organizations to understand the CPRA training requirements and how to comply.

CPRA Training Overview: Section 1798.130(a)(6)

The CPRA provides dozens of sections discussing consumers’ privacy rights, privacy notices, transparency, or personal information security breaches, to name a few. However, it doesn’t provide a separate section dedicated to the privacy training requirement, which makes it easy to be missed.

Instead, the privacy training requirement is laid down as a subsection of Section 1798.130. While the primary section mainly discusses Notice, Disclosure, Correction, and Deletion Requirements, the sub-section, Section 1798.130 (a)(6), obligates businesses to inform personnel of the various CPRA requirements, including educating consumers on how to exercise their rights.

The sub-section doesn’t provide any additional guidelines on how often the training needs to be given or the minimum eligibility requirements for the trainees. However, the CPRA draft regulations at § 7100 provide more details, i.e.,

• All individuals responsible for handling consumer inquiries about the business’s information practices or the business’s compliance with the CPRA shall be trained:
  • in understanding all the requirements of the CPRA as per the text of the law and the associated regulations, and
  • how to direct consumers to exercise their rights under the CPRA and these regulations.
• A business that knows or reasonably should know that it, alone or in combination, buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 10,000,000 or more consumers in a calendar year shall establish, document, and comply with a training policy to ensure that all individuals responsible for handling consumer requests made under the CPRA or the business’s compliance with the CPRA are informed of all the requirements in these regulations and the CPRA.

The California Code of Regulations Section 999.317(g)(3) further obligates covered businesses to ensure that they document the CPRA training policy as proof of compliance.

7 Important Sections CPRA Trainings Must Cover

Employees aren’t necessarily required to cover every section of the CPRA during their training. In fact, the CPRA has clearly outlined which sections need to be covered in the CPRA training for compliance.

Take a Look at the Section by Section Overview of the CPRA

Section 1798.100. General Duties of Businesses that Collect Personal Information

The section outlines the primary responsibilities of covered businesses and third parties that collect or process consumers’ personal information (PI) and sensitive personal information (SPI).

To summarize, businesses must notify consumers at or before the point of collection about the categories of PI or SPI collected, the purpose of collection, and the retention period.

Businesses are strictly restricted from collecting additional categories of PI and SPI without consumers' consent. Similarly, collected data shouldn’t be retained any “longer than is reasonably necessary for that disclosed purpose.”

The section further requires businesses to implement and ensure strict security measures that are appropriate to the nature of data collected on consumers.

Section 1798.105. Consumers’ Right to Delete Personal Information

The CPRA empowers consumers to exercise their right to request a business to delete their personal information. Businesses must verify that the request is received from a legit consumer and then proceed with the deletion of data.

Moreover, it is the responsibility of the business to notify further all the relevant third parties, contractors, or service providers about a consumer’s deletion request and to delete the data from their records. However, a business may keep a confidential record of the deletion request as proof of compliance.

The section further elaborates on a number of exceptions where businesses may not be required to entertain a deletion request, such as if the data is to be kept for legal purposes, scientific research, or to complete a transaction.

Section 1798.106. Consumers’ Right to Correct Inaccurate Personal Information

The CPRA Section 1798.106 enables consumers to request businesses to correct any incorrect personal information via ​​”commercially reasonable efforts.”

Section 1798.110. Consumers’ Right to Know What Personal Information is Being Collected. Right to Access Personal Information

The right provided under Section 1798.110 requires businesses to entertain a verifiable request of a consumer regarding the personal information collected on them. A consumer may inquire about the categories of personal information collected, shared, or sold, the categories of sources from where the data is collected, the purpose for the collection, sharing, or selling of data, as well as the categories of third parties with whom the data is disclosed.

Section 1798.115. Consumers’ Right to Know What Personal Information is Sold or Shared and to Whom

The section provides details on the consumers’ right to inquire a business about the categories of data shared or sold to any third party, the identity of those third parties, and the purpose for which it is sold or shared.

Section 1798.125. Consumers’ Right of No Retaliation Following Opt Out or Exercise of Other Rights

Section 1798.125 provides a detailed set of obligations regarding a business’s retaliation following a consumer’s or employee’s exercise of their right to opt out. A covered business must not discriminate against a consumer regarding prices or the quality of services provided, following their right to opt out.

Similarly, businesses are also restricted from discriminating against consumers if they prefer to opt out of selling or sharing their personal information. However, a business may offer consumer incentives in exchange for the collection, sharing, or selling of their personal information, providing that the incentive policy isn’t unjust or unethical.

Section 1798.130. Notice, Disclosure, Correction, and Deletion Requirements

Apart from the training obligation, section 1798.130 discusses obligations regarding privacy notices, informing consumers about their privacy rights covered under the CPRA and how they can exercise their rights.

To summarize, a business may provide consumers with two or more alternative methods to exercise their right to access, delete, or correct personal information, such as via a toll-free telephone number or email address. Businesses must not charge consumers for requesting their personal information and entertain consumers’ rights requests within 45 days of receiving a verifiable request.

Businesses must provide privacy notices on their website, which are subject to be updated every 12 months. The notice must include details of the categories of data collected, the categories of sources from where the data is collected, and third parties with which the data is shared or sold, to name a few.

Who Needs to Attend the CPRA Privacy Training

The CPRA Section 1798.130(a)(6) has provided two categories of individuals that are eligible for CPRA privacy training.

• “all individuals responsible for handling consumer inquiries about the business’ privacy practices.”

To comply with the CPRA, a business must ensure that all the customer-facing employees, who constantly receive calls or inquiries from customers regarding the business’s privacy practices, should have a clear and complete understanding of the required CPRA sections which provide consumer’s the right to file requests for the enforcement of their CPRA rights. This category of individuals may include customer support representatives or sales representatives.

• “all individuals responsible for business’ compliance with” the CPRA

Additionally, employees that are exclusively responsible for creating, implementing, and executing a privacy framework for compliance with the CPRA are required to take this training. This category of individuals includes managers and executives of data privacy teams, information security professionals, and legal teams consisting of lawyers and attorneys.

Take CPRA Assessment Test Now

Our assessment test includes a series of questions that will help you understand where you are currently at with your business practices and how compliant you are with the California Privacy Rights Act (CPRA).

Take the CPRA assessment test now to determine what business practices you need to improve to ensure complete compliance.