CPRA Training Requirements – Section (999.317) Compliance

Published October 24, 2022
Contributors: Anas Baig, Product Marketing Manager at Securiti; Omer Imran Malik, Data Privacy Legal Manager, Securiti (FIP, CIPT, CIPM, CIPP/US)


The California Consumer Privacy Act (CCPA), in effect since January 1, 2020, lays down principles around consumer privacy rights and business responsibilities. The California Privacy Rights Act (CPRA), which takes effect on January 1, 2023, expands and amends those principles to give consumers added rights over their data and to make businesses more accountable for protecting it.

Among those accountability obligations is privacy training, which must be provided to employees who manage or process consumers' or employees' personal information.

As a CPRA-covered business, it is essential for organizations to understand the CPRA training requirements and how to comply.

CPRA Training Overview: Section 1798.130(a)(6)

The CPRA contains dozens of sections covering consumers' privacy rights, privacy notices, transparency, and personal information security breaches, among other topics. It has no separate section dedicated to the privacy training requirement, which makes that requirement easy to miss.

Instead, the training requirement sits in a subsection of Section 1798.130. While that section mainly covers notice, disclosure, correction, and deletion requirements, subsection 1798.130(a)(6) obligates businesses to ensure that the personnel responsible for handling consumer inquiries about the business's privacy practices, or for the business's compliance with the CPRA, are informed of the relevant CPRA requirements and of how to direct consumers to exercise their rights.

The subsection itself says nothing about how often training must be given or who, at a minimum, must be trained. The CPRA draft regulations at § 7100 add the following detail:

  • All individuals responsible for handling consumer inquiries about the business's information practices or the business's compliance with the CPRA shall be trained in:
    • all the requirements of the CPRA, as set out in the text of the law and the associated regulations, and
    • how to direct consumers to exercise their rights under the CPRA and the regulations.
  • A business that knows or reasonably should know that it, alone or in combination, buys, receives for the business's commercial purposes, sells, or shares for commercial purposes the personal information of 10,000,000 or more consumers in a calendar year shall establish, document, and comply with a training policy to ensure that all individuals responsible for handling consumer requests made under the CPRA, or for the business's compliance with the CPRA, are informed of all the requirements in the regulations and the CPRA.

The existing CCPA regulations, at 11 CCR § 999.317(g)(3), impose the same obligation on businesses above that threshold: the training policy must be established, documented, and followed, so the documented policy itself serves as evidence of compliance.

7 Important Sections CPRA Training Must Cover

Training need not walk through every section of the CPRA. Section 1798.130(a)(6) lists exactly which sections personnel must be informed of: Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.125, and 1798.130 itself. Those seven sections are summarized below.


Section 1798.100. General Duties of Businesses that Collect Personal Information

The section outlines the primary responsibilities of covered businesses and third parties that collect or process consumers’ personal information (PI) and sensitive personal information (SPI).

To summarize, businesses must notify consumers at or before the point of collection of the categories of PI or SPI collected, the purposes of collection, and the length of time each category will be retained (or, if that is not possible, the criteria used to determine the retention period).

Businesses may not collect additional categories of PI or SPI, or use collected PI for purposes incompatible with the disclosed purpose, without first giving the consumer notice consistent with this section. Likewise, collected data must not be retained “longer than is reasonably necessary for that disclosed purpose.”

The section further requires businesses to implement reasonable security procedures and practices, appropriate to the nature of the personal information, to protect it from unauthorized or illegal access, destruction, use, modification, or disclosure.

Section 1798.105. Consumers’ Right to Delete Personal Information

The CPRA gives consumers the right to request that a business delete their personal information. On receiving a verifiable consumer request, the business must delete the information from its records.

The business must also notify its service providers and contractors, and any third parties to whom it has sold or shared the information, of the deletion request so that they delete it from their records too. A business may keep a confidential record of deletion requests, for example to prevent a deleted consumer's information from being sold again and to demonstrate compliance.

The section also lists a number of exceptions under which a business need not honor a deletion request, such as when the data must be kept to comply with a legal obligation, for certain scientific research, or to complete the transaction for which it was collected.

Section 1798.106. Consumers’ Right to Correct Inaccurate Personal Information

Section 1798.106 gives consumers the right to request that a business correct inaccurate personal information it holds about them. On receiving a verifiable request, the business must use “commercially reasonable efforts” to correct the information as directed by the consumer.

Section 1798.110. Consumers’ Right to Know What Personal Information is Being Collected. Right to Access Personal Information

Under Section 1798.110, a business that receives a verifiable consumer request must disclose what personal information it has collected about that consumer: the categories of personal information collected, the categories of sources from which it was collected, the business or commercial purpose for collecting, selling, or sharing it, the categories of third parties to whom it is disclosed, and the specific pieces of personal information collected.

Section 1798.115. Consumers’ Right to Know What Personal Information is Sold or Shared and to Whom

Section 1798.115 gives consumers the right to know the categories of personal information a business has sold or shared about them and the categories of third parties to whom it was sold or shared, as well as the categories of personal information disclosed for a business purpose and the categories of persons who received them.

Section 1798.125. Consumers’ Right of No Retaliation Following Opt Out or Exercise of Other Rights

Section 1798.125 sets out a business's obligations not to retaliate against a consumer, or an employee, applicant, or independent contractor, for exercising any CPRA right. A covered business must not discriminate against a consumer who exercises a right, for example by denying goods or services, charging different prices or rates, or providing a different level or quality of goods or services.

The same protection applies when a consumer opts out of the sale or sharing of their personal information. A business may, however, offer financial incentives, including different prices or quality, in exchange for the collection, sale, or sharing of personal information, provided that the incentive practice is not unjust, unreasonable, coercive, or usurious, and that the consumer opts in to it and can revoke that consent at any time.

Section 1798.130. Notice, Disclosure, Correction, and Deletion Requirements

Apart from the training obligation, section 1798.130 discusses obligations regarding privacy notices, informing consumers about their privacy rights covered under the CPRA and how they can exercise their rights.

To summarize, a business must make available two or more designated methods for consumers to submit requests to access, delete, or correct their personal information, including at a minimum a toll-free telephone number (a business that operates exclusively online and has a direct relationship with the consumer need only provide an email address). Businesses must not charge consumers for these requests and must respond to a verifiable consumer request within 45 days of receiving it (extendable once by a further 45 days where reasonably necessary, with notice to the consumer within the first 45-day period).

Businesses must also publish a privacy notice on their website and update it at least once every 12 months. The notice must disclose, among other things, the categories of personal information collected, the categories of sources from which it is collected, and the categories of third parties with whom it is shared or to whom it is sold.

Who Needs to Attend the CPRA Privacy Training

Section 1798.130(a)(6) identifies two categories of individuals who must receive CPRA privacy training:

  • “all individuals responsible for handling consumer inquiries about the business's privacy practices”

To comply, a business must ensure that customer-facing employees who receive calls or inquiries from consumers about the business's privacy practices have a clear and complete understanding of the CPRA sections listed above, which give consumers the right to submit requests to exercise their CPRA rights, and know how to direct consumers to exercise those rights. This category typically includes customer support and sales representatives.

  • all individuals responsible for “the business's compliance with” the CPRA

Employees responsible for designing, implementing, and operating the privacy framework that keeps the business compliant with the CPRA must also take the training. This category includes managers and executives of data privacy teams, information security professionals, and legal teams, including in-house lawyers and attorneys.
