CPRA Training Requirement

CaliforniaCCPAData PrivacyUS Regulatory
Written By Jason Shoup

As we recently reported, the California legislature is currently in the process of implementing the California Privacy Rights Act of 2020 (CPRA), which is posed to take effect in January of 2023 and will issue several amendments to the California Consumer Privacy Act of 2018 (CCPA), which has been in effect since January 1, 2020. Both of these laws require organizations to train employees on security and data privacy.

Under the CCPA, covered businesses are required to train employees responsible for compliance with the CCPA or for responding to consumer inquiries involving privacy concerns. In addition to the mandatory training procedures, businesses that know, or reasonably should know, that they transfer for commercial purposes the personal information of at least 10 million consumers in a year are required to establish, document, and maintain compliance with a training policy governing CCPA compliance.

Among other requirements, under the CCPA, the trainings must cover the following requirements for covered businesses:

  • Complying with a consumer’s right to request a copy of their personal information that has been collected by the business, and that it be corrected and/or deleted. This includes categories of personal information that’s been collected and/or transffered, the business’s purpose for collecting or transferring this information, and which third parties have received that information via transfer in the last 12 months.

  • Limiting use and disclosure of consumer’s sensitive personal information.

  • Informing consumers about their rights under the CCPA or CPRA and instructions for how to exercise them without fear of discrimination by the business.

  • Offering consumers financial incentives in exchange for the covered businesses collection of their personal information—and the limitations and requirements of this practice.

This training requirement from the CCPA is not being amended by the CPRA. As such, a covered business that has been operating in compliance with the previously governing privacy act should be able to achieve compliance under the CPRA.

* * * * * * *

To read our coverage on the National Institute of Standards and Technology (NIST) updates to its cybersecurity guidance for the healthcare industry which “helps health care organizations protect patients’ personal health information, click here.

For ADCG’s Breach Report and more news updates discussing the following news alerts: Ireland Appoints New Privacy Commissioners; Facebook Hit With Health Privacy Lawsuit; Amazon Web Services Enhances Training Program; and TSA Issues Revised Pipeline Security Directives, click here.

To browse through our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.

Patrick J. Kennedy, Jr. and Dub Sutherland of Kennedy Sutherland LLP join Jody Westby on our Privacy and Cybersecurity podcast this week to provide a macro level view of the business challenges associated with current privacy laws, a looming cyber threat environment, and a lack of cyber governance by many boards and C-suites. New episodes of the ADCG Podcast are released Thursdays and can be found here. They can also be enjoyed on Spotify and Apple Podcasts. Don’t forget to subscribe!

Jason Shoup
Previous

News Alerts and Breach Report for Week of August 1, 2022
Next

Updated NIST Guidelines for Healthcare