Published on October 24, 2022 AUTHOR - Privacy Research Team
The California Consumer Privacy Act (CCPA) 2020 lays down principles around consumer privacy rights and business responsibilities. The California Privacy Rights Act (CPRA), which will be effective from January 1, 2023, expands and amends those principles to give consumers added rights over their data and to make businesses more accountable for data protection.
In fact, businesses’ accountability under the CPRA also includes privacy training that must be provided to employees managing or processing consumers’ or employees’ personal information.
As a CPRA-covered business, it is essential for organizations to understand the CPRA training requirements and how to comply.
The CPRA provides dozens of sections discussing consumers’ privacy rights, privacy notices, transparency, or personal information security breaches, to name a few. However, it doesn’t provide a separate section dedicated to the privacy training requirement, which makes it easy to be missed.
Instead, the privacy training requirement is laid down as a subsection of Section 1798.130. While the primary section mainly discusses Notice, Disclosure, Correction, and Deletion Requirements, the sub-section, Section 1798.130 (a)(6), obligates businesses to inform personnel of the various CPRA requirements, including educating consumers on how to exercise their rights.
The sub-section doesn’t provide any additional guidelines on how often the training needs to be given or the minimum eligibility requirements for the trainees. However, the CPRA draft regulations at § 7100 provide more details, i.e.,
The California Code of Regulations Section 999.317(g)(3) further obligates covered businesses to ensure that they document the CPRA training policy as proof of compliance.
Employees aren’t necessarily required to cover every section of the CPRA during their training. In fact, the CPRA has clearly outlined which sections need to be covered in the CPRA training for compliance.
The section outlines the primary responsibilities of covered businesses and third parties that collect or process consumers’ personal information (PI) and sensitive personal information (SPI).
To summarize, businesses must notify consumers at or before the point of collection about the categories of PI or SPI collected, the purpose of collection, and the retention period.
Businesses are strictly prohibited from collecting additional categories of PI and SPI without consumers’ consent. Similarly, collected data shouldn’t be retained any “longer than is reasonably necessary for that disclosed purpose.”
The section further requires businesses to implement and ensure strict security measures that are appropriate to the nature of data collected on consumers.
The CPRA empowers consumers to exercise their right to request that a business delete their personal information. Businesses must verify that the request comes from a legitimate consumer and then proceed with the deletion of the data.
Moreover, it is the responsibility of the business to notify all relevant third parties, contractors, or service providers about a consumer’s deletion request so that they delete the data from their records. However, a business may keep a confidential record of the deletion request as proof of compliance.
The section further elaborates on a number of exceptions where businesses may not be required to entertain a deletion request, such as if the data is to be kept for legal purposes, scientific research, or to complete a transaction.
The CPRA Section 1798.106 enables consumers to request that businesses correct any inaccurate personal information via “commercially reasonable efforts.”
The right provided under Section 1798.110 requires businesses to entertain a verifiable request of a consumer regarding the personal information collected on them. A consumer may inquire about the categories of personal information collected, shared, or sold, the categories of sources from where the data is collected, the purpose for the collection, sharing, or selling of data, as well as the categories of third parties with whom the data is disclosed.
The section provides details on the consumers’ right to ask a business about the categories of data shared with or sold to any third party, the identity of those third parties, and the purpose for which the data is sold or shared.
Section 1798.125 provides a detailed set of obligations prohibiting retaliation by a business after a consumer or employee exercises their right to opt out. A covered business must not discriminate against a consumer regarding prices or the quality of services provided because they exercised their right to opt out.
Similarly, businesses are also prohibited from discriminating against consumers who opt out of the selling or sharing of their personal information. However, a business may offer consumers incentives in exchange for the collection, sharing, or selling of their personal information, provided that the incentive policy isn’t unjust or unethical.
Apart from the training obligation, section 1798.130 discusses obligations regarding privacy notices, informing consumers about their privacy rights covered under the CPRA and how they can exercise their rights.
To summarize, a business may provide consumers with two or more alternative methods to exercise their right to access, delete, or correct personal information, such as via a toll-free telephone number or email address. Businesses must not charge consumers for requesting their personal information and entertain consumers’ rights requests within 45 days of receiving a verifiable request.
Businesses must provide privacy notices on their website, which are subject to be updated every 12 months. The notice must include details of the categories of data collected, the categories of sources from where the data is collected, and third parties with which the data is shared or sold, to name a few.
The CPRA Section 1798.130(a)(6) identifies two categories of individuals who must receive CPRA privacy training.
To comply with the CPRA, a business must ensure that all customer-facing employees who regularly receive calls or inquiries from customers regarding the business’s privacy practices have a clear and complete understanding of the required CPRA sections, which give consumers the right to file requests for the enforcement of their CPRA rights. This category of individuals may include customer support representatives or sales representatives.
Additionally, employees who are specifically responsible for creating, implementing, and executing a privacy framework for compliance with the CPRA are required to take this training. This category of individuals includes managers and executives of data privacy teams, information security professionals, and legal teams consisting of lawyers and attorneys.