
Education Before Implementation: The CCPA Requirement That Should Be First on Your List, Not Last

CCPA enforcement began on July 1, 2020 and many businesses are still ramping up their compliance efforts.  These efforts include meeting the CCPA’s requirement to provide privacy training to all employees who either handle consumer inquiries or who are responsible for CCPA compliance. To maximize the value of CCPA compliance efforts, businesses should address the training requirement at the outset of the compliance process.

Too often, as companies begin to tackle their obligations under a new privacy law, the natural inclination is to turn immediate (and sometimes exclusive) attention to amending their privacy policies.  This focus on external disclosures is not surprising, as privacy regulations are principally about providing transparency to consumers, and the privacy policy is the primary mechanism by which companies accomplish these goals.  Additionally, an updated privacy policy is sometimes the only piece of tangible work product a company can point to when trying to justify the time and expense of reviewing its data practices.

However, as many privacy professionals have learned in the post-GDPR world—and much to the chagrin of budget-conscious business managers—businesses must expend considerable effort before they can put pen to paper on a new privacy policy.  The biggest “to-do” is data mapping (i.e., documenting the what, where, who, why, and how of the data collection, use and sharing in the business).  Data-mapping involves answering, among other questions, the following:

  • What personal information do we have?
  • How did we collect it?
  • Where do we store it?
  • With whom do we share it?
  • How do we use it?
  • Do we need to collect it?
  • Can we provide consumers with choices regarding its use?

To answer these questions accurately with a view towards updating disclosures, businesses need to engage employees at multiple levels of the organization.  Although most employees will have no experience with interpreting privacy regulations, many will have the critical knowledge necessary to map the personal information that flows through every aspect of the business accurately (e.g., website visitor data, customer data, HR, payment card information).  Although data-mapping can be a herculean exercise—especially for large, complex organizations—doing so efficiently and cost-consciously is critical in our data-driven economy.

While the message about the importance of data mapping has propagated, what many businesses have yet to embrace is that to map data efficiently, businesses should begin with effective privacy training. Although the CCPA requires that businesses adopt some form of formal privacy training, training often appears as the very last item on compliance “to-do” lists. Training is generally thought of as a perfunctory check-the-box item and not a useful or worthwhile investment.  This relegation is unwise. Organizations should, instead, make training the first compliance requirement they address because it can make addressing data mapping and all other CCPA requirements (including updating a privacy policy) easier and more efficient. And training can also help a business become more privacy forward in an environment marked by both increased consumer awareness of data privacy and regulatory complexity.

Training as a Compliance Tool

Training business managers and other employees makes addressing all of the other CCPA requirements easier and more efficient.  The core requirement under the CCPA, and privacy laws like it, is accurate disclosure of the types of personal information collected by a business, the use of that information, and the types of third parties with whom a business shares or sells that information.  As businesses address these disclosures, the language in the CCPA, as any new law or regulation would tend to do, demands the interpretation of ambiguities such as: what qualifies as “personal information” and what does it mean to “sell” it? As many privacy professionals understand, the meanings of these terms under the CCPA do not align with their plain meaning.  Unless a business trains their employees before asking them to participate in a data mapping exercise, these employees are likely to confuse concepts and definitions, provide incomplete categorizations and descriptions, and may need to update their data maps later to supplement or correct their initial feedback.  Without training to understand what qualifies as personal information under the law, addressing disclosures and updating privacy policies can become more costly, inefficient and less accurate.

Addressing disclosures and updating a privacy policy are not the only instances where training can be useful.  Another CCPA pain point is the Do Not Sell requirement. The Do Not Sell rule requires businesses that “sell” personal information to provide consumers with a mechanism to opt-out of such sales. This requirement has led some businesses across industries to change their business practices to avoid making “sales” as defined under the CCPA.  Others—even in cases where required by the CCPA—have opted not to include the Do Not Sell button on their websites or mobile apps, and in certain industries, such as digital advertising, businesses have questioned whether the requirement spells the end for some of their core products and services.  Needless to say, determining if a business “sells” personal information under the CCPA (and implementing Do Not Sell compliance for consumer requests if it is selling) should not be taken lightly, and certainly should not be taken with an incomplete or inaccurate understanding of how a business shares personal information. As with disclosures, without proper training before being asked to participate in a data mapping exercise, most employees are likely to provide incorrect or incomplete information to their in-house or external lawyers.  This kind of garbage-in, garbage-out mapping may result in longer, more costly compliance reviews and, even worse, an incorrect or incomplete analysis.

Training as a Strategic Tool

Training early in the compliance process can also help make a business—and more critically, its workforce—more privacy forward overall.  While the GDPR and CCPA have dominated privacy headlines, there are no fewer than 24 states in the US seeking to pass CCPA-like comprehensive state privacy laws. And non-EU foreign privacy regimes will likely come into focus for many businesses as the dust continues to settle on the GDPR. Privacy compliance is here to stay, and many data privacy management principles and practices that business managers and employees are encountering with the CCPA will be relevant under other state and foreign privacy laws.  Training enables business managers and employees to develop foundational knowledge that will make the learning curve less steep when tackling future laws, and makes a business more proactive and less reactive in its approach to privacy.

What Makes an Effective Privacy Training Program?

An effective privacy training program balances relevant, engaging and practical content that (1) meets the minimum compliance requirements, (2) educates its audiences with a view towards addressing privacy compliance holistically, and (3) reinforces a privacy forward business culture; in each case without consuming too many resources (e.g., cost or time) or creating administrative burdens (e.g., scheduling issues).  At one end of the training spectrum are customized privacy training programs that can be tailored at the industry, company, and even department levels.  Privacy professionals at law firms are best suited to deliver these programs to increase the benefit these programs can bring to an overall privacy compliance exercise.  For businesses with fewer resources, there are also excellent free training resources such as www.ccpafreetraining.com that can provide a solid foundation for helping businesses comply with the CCPA’s training requirement.

Training is unfortunately too often an afterthought. But when properly implemented, it can make any business’s journey through CCPA compliance much more efficient and prepare the business to manage the rapidly changing and complex privacy regulatory landscape. Training should not be the last compliance item a business tackles.  It often should be the first.