5 Topics CCPA-Compliant Privacy Awareness Training Needs to Cover
Employees handling the sensitive data of California residents need to know this stuff; the California Consumer Privacy Act says so.
The California Consumer Privacy Act (CCPA) took effect on January 1, 2020.
It’s imperative to be prepared: the law regulates the use and disclosure of personal information of nearly 40 million consumers, and is expected to affect more than 500,000 companies across the U.S.
With the law in effect, you should be considering the following questions about your organization and your privacy awareness program if it handles the personal data of California consumers:
- Do you make more than $25 million annual revenue?
- Do you sell more than 50,000 consumer records per year?
- Or does 50% of your annual revenue come from selling consumer information?
If even one of those statements is true for your company, your business must be CCPA-compliant. This means your employees need training, and fast.
The CCPA specifically requires that companies ensure all employees responsible for handling personal data are properly informed of the new requirements.
We’re proponents of a more comprehensive approach to privacy awareness, one that goes beyond simply complying with specific regulations. That said, here’s a quick overview of five aspects of the CCPA that compliance training needs to cover.
1. Identifying Personal Information
Employees need to understand what qualifies as personal information, since that’s what the CCPA is all about. Under the CCPA, personal information is pretty broadly defined.
Essentially, it refers to any information that can be linked to an identifiable individual. Here are the types of information as the CCPA refers to them with real-world examples:
- Personal identifiers (consumers’ names, addresses, and/or account usernames)
- Protected characteristics (age, race, nation of origin, and/or marital status)
- Commercial information (invoices)
- Biometric data (thumbprint scans)
- Internet/electronic network activity (tracked IP addresses and/or network account numbers)
- Geolocation data (location data collected from a personal fitness app)
- Professional/employment data (salary and/or benefits information)
- Education information (test scores and/or college transcripts)
Your CCPA-compliant training should give employees a sense of the various ways in which a consumer can be identified.
There are also some exclusions, however. De-identified data, meaning information that can’t be linked to a consumer, is not covered under the CCPA, but the law sets a high bar for claiming that data is de-identified.
2. Right of Notification
Once an employee has a good grasp as to what constitutes personal information, it’s crucial that they are trained on what rights the CCPA gives to consumers.
The CCPA emphasizes transparency about data collection and usage. For example, your business is required to have visible, easy-to-read notices on your website, not buried in pages and pages of terms of service.
Businesses must also tell consumers what categories of information they’re collecting and the purposes for which that information will be used, and, if your business sells that information to third parties, you must give consumers the right to opt out.
3. Right to Request Information and Right to Deletion
Under the CCPA, California residents have the right to request what information you have collected on them. As such, you need to have mechanisms in place to ensure that requests are received and accommodated. The data must be sent in a portable and readily usable format, and it must be done free of charge.
Consumers also have the right to have their personal data deleted. Just like above, the CCPA specifies that businesses must have mechanisms in place to delete personal data and be able to honor any consumer’s request to do so, and there must be a clearly laid out path for consumers to submit these requests.
Once received, companies must respond to requests for information or requests for deletion within 45 days.
4. Right to Opt-Out of Sale
The CCPA gives residents the right to opt out of having their personal information sold. For businesses that sell consumers’ personal information, the CCPA requires that a link to a “Do Not Sell My Personal Information” page be included and easily viewable on the website’s homepage.
Records of children under the age of 13 cannot be sold without affirmative action from a parent. From ages 13 to 16, children can provide consent themselves, but businesses cannot sell any of their personal information until they’ve received such consent.
It’s important to note here that the federal Children’s Online Privacy Protection Act (COPPA) still applies. The $170 million fine that Google is required to pay for violating this provision is just one example of how urgently this information needs to be imparted.
5. Consequences for Non-Compliance
The CCPA includes severe consequences for non-compliance.
There are two tiers of fines, depending on whether a violation is unintentional or intentional ($2,500 and $7,500 respectively), with no ceiling and the ability to stack multiple infractions. Additionally, the potential for civil lawsuits is enormous: in the event of a data breach, the CCPA allows a class action without the plaintiffs having to prove actual losses.
Therefore, it’s imperative to put together an incident reporting system and train your employees on how to use it so that employees can recognize and report suspected incidents quickly.
Employees might not need to know details of the fines imposed, but informing them of the real-world consequences for them and your organization is crucial.
CCPA Privacy Training: The Time Is Now
You can’t afford to wait for the new legislation to take effect before you implement employee training. The time to start creating a culture of awareness and a data-privacy mindset to prepare employees for compliance is now.
MediaPRO’s CCPA privacy awareness training teaches employees what constitutes personal information, how the CCPA dictates personal data of California residents should be handled, and the consequences of failing to comply with these requirements.
Beyond mere compliance, the goal of the training is to instill a sense of responsibility for data privacy that your employees can carry beyond the office.