CCPA enforcement began on July 1, 2020 and many businesses are still ramping up their compliance efforts. These efforts include meeting the CCPA’s requirement to provide privacy training to all employees who either handle consumer inquiries or who are responsible for CCPA compliance. To maximize the value of CCPA compliance efforts, businesses should address the training requirement at the outset of the compliance process.
What personal information do we have?
How did we collect it?
Where do we store it?
With whom do we share it?
How do we use it?
Do we need to collect it?
Can we provide consumers with choices regarding its use?
To answer these questions accurately with a view towards updating disclosures, businesses need to engage employees at multiple levels of the organization. Although most employees will have no experience with interpreting privacy regulations, many will have the critical knowledge necessary to map the personal information that flows through every aspect of the business accurately (e.g., website visitor data, customer data, HR, payment card information). Although data-mapping can be a herculean exercise—especially for large, complex organizations—doing so efficiently and cost-consciously is critical in our data-driven economy.
Training as a Compliance Tool
Training business managers and other employees makes addressing all of the other CCPA requirements easier and more efficient. The core requirement under the CCPA, and privacy laws like it, is accurate disclosure of the types of personal information collected by a business, the use of that information, and the types of third parties with whom a business shares or sells that information. As businesses address these disclosures, the language in the CCPA, as any new law or regulation would tend to do, demands the interpretation of ambiguities such as: what qualifies as “personal information” and what does it mean to “sell” it? As many privacy professionals understand, the meanings of these terms under the CCPA do not align with their plain meaning. Unless a business trains their employees before asking them to participate in a data mapping exercise, these employees are likely to confuse concepts and definitions, provide incomplete categorizations and descriptions, and may need to update their data maps later to supplement or correct their initial feedback. Without training to understand what qualifies as personal information under the law, addressing disclosures and updating privacy policies can become more costly, inefficient and less accurate.
Training as a Strategic Tool
Training early in the compliance process can also help make a business —and more critically, its workforce—more privacy forward overall. While the GDPR and CCPA have dominated privacy headlines, there are no fewer than 24 states in the US seeking to pass CCPA-like comprehensive state privacy laws. And non-EU foreign privacy regimes will likely come into focus for many businesses as the dust continues to settle on the GDPR. Privacy compliance is here to stay, and many data privacy management principles and practices that business managers and employees are encountering with the CCPA will be relevant under other state and foreign privacy laws. Training enables business managers and employees to develop foundational knowledge that will make the learning curve less steep when tackling future laws, and makes a business more proactive and less reactive in its approach to privacy.
What Makes an Effective Privacy Training Program?
An effective privacy training program balances relevant, engaging and practical content that (1) meets the minimum compliance requirements, (2) educates its audiences with a view towards addressing privacy compliance holistically, and (3) reinforces a privacy forward business culture; in each case without consuming too many resources (e.g., cost or time) or creating administrative burdens (e.g., scheduling issues). At one end of the training spectrum are customized privacy training programs that can be tailored at the industry, company, and even department levels. Privacy professionals at law firms are best suited to deliver these programs to increase the benefit these programs can bring to an overall privacy compliance exercise. For businesses with fewer resources, there are also excellent free training resources such as www.ccpafreetraining.com that can provide a solid foundation for helping businesses comply with the CCPA’s training requirement.
Training is unfortunately too often an afterthought. But when properly implemented, it can make any business’s journey through CCPA compliance much more efficient and prepare the business to manage the rapidly changing and complex privacy regulatory landscape. Training should not be the last compliance item a business tackles. It often should be the first.