5-Step CPRA Employee Training Guide for Records Managers
We’ve been talking about the California Privacy Rights Act (CPRA)—also known as Prop 24—all year to help you prepare for it going into effect on January 1, 2023. If you’ve been following the details and working on preparations, you are likely in good shape.
With all the requirements and details to know, one element is easy to overlook: CPRA employee training.
Your business is obligated to provide training to everyone responsible for CCPA and CPRA compliance and those handling consumer inquiries. If you are just starting to prepare, don’t worry. We’ve got the information you need.
First, a quick recap on the basics of CPRA
What is CPRA?
The CPRA builds on the California Consumer Privacy Act (CCPA) requirements, which have been in effect since 2020. When CPRA goes into effect, businesses are legally obligated to respond to consumers who send your company a Data Subject Access Request (DSAR) asking you to explain:
- What information the company has about them.
- Why the company collected your information.
- How the company is using your information.
- How to correct inaccuracies.
- How the company limits the use of your information or discloses it.
Answers to common CPRA questions—a refresher
In Get Ready for the California Privacy Rights Act (CPRA) we cover answers to common CPRA questions, including:
- Do i have to comply with CPRA?
- What consumer data does CPRA protect?
- How does CPRA expand consumers’ privacy rights?
- How does CPRA affect what I can do with consumer data?
- What do I need to do to comply with CPRA?
Now, let’s talk about CPRA employee training
We’ve compiled a 5-step guide to help you prepare and execute for effective compliance with CPRA employee training.
Understand the requirements of CPRA employee training the requirements of CPRA employee training
All employees managing compliance with CCPA or handling consumer inquiries about privacy practices must be informed of all applicable CCPA and CPRA requirements and know how to direct consumers to exercise their rights.
According to National Law Review, you need to not only inform, but also document and comply with a formal training policy if the company buys, receives, sells, or shares for commercial purposes the personal information of 10 million or more consumers in a calendar year.
Make a list of who to train
Ensure any employee involved in implementing, overseeing, or managing compliance receives training. These employees could be executives and managers, as well as human resources, marketing, and information technology employees.
If an employee is receiving and responding to DSAR requests from consumers or interfaces with consumers regularly (think sales), they should receive training on the requirements of CCPA and CPRA.
Map out what the training will cover
Employees need to walk away from training with an understanding of their role in the company’s compliance with CCPA and CPRA, including that employees and job applicants are now included under the law and will have the same rights.
The training should include all CCPA and CPRA requirements, including (but not limited to) the following:
- Notices: You must provide information on privacy practices to employees, job applicants, and contractors before data collection happens.
- Employee Rights: Employees, job applicants, and contractors will have the following rights for the collection, and use of their personal information:
- Access to personal information your business has that was generated on or after January 1, 2022;
- Correct inaccurate personal information;
- Delete certain personal information collected from them;
- Restrict the use of their sensitive personal information to specific business purposes or limited disclosures; and
- Opt out of the sale of personal information to third parties
- Data Governance: You will need internal data governance measures, such as creating a records retention schedule, only using personal information for the reasons disclosed, and keeping personal information as long as necessary for records retention practices.
If you receive a request to exercise one of these rights, you are required to honor the request within 45 days (with a one-time, 45-day extension available) unless an exception applies.
Identify CPRA employee trainers
There is no minimum qualification criterion for who can provide CPRA employee training. However, we recommend someone with experience provide the training and include internal human resource team members.
Some organizations will consider consulting with a third-party for training, while others may have internal experts like in-house counsel or records managers.
Set a CPRA employee training schedule
The law does not currently specify how often to provide training or how long the training should be. The depth of the training will depend on the level of knowledge needed for each specific role.
For example, employees who are responding to requests should receive full training, while consumer-facing or other employees receive an overview of the new policy. We recommend hosting an annual training for employees but ensure new hire employees who are eligible also be trained during the onboarding process.
January is right around the corner. Use this guide to get started now and be compliance ready for CPRA in 2023.
SourcesEmployers Get Ready | National Law Review
Expanded Privacy Compliance Begins in 2023 | SHRM
California Consumer Privacy Act FAQs | National Law Review