CCPA § 1798.130(a)(6) requires that all individuals responsible for handling consumer privacy inquiries are informed of CCPA requirements and trained on how to direct consumers to exercise their rights. Without a designated privacy contact and a documented fulfillment process, consumer requests that arrive via the privacy form have no guaranteed path to a response — the 45-day statutory deadline starts running the moment a request is received, regardless of whether anyone is monitoring the inbox. In a two-person startup, "training" can be a one-page runbook; regulators accept that. What they do not accept is an unmonitored inbox or no documented process at all.
Info because the training requirement is process-focused and difficult to enforce without an investigation, but an unmonitored request inbox combined with a missed 45-day deadline is a clear CCPA § 1798.130 violation.
Create a PRIVACY_OPERATIONS.md file that designates a privacy contact, documents the response timeline, and provides step-by-step fulfillment instructions for each request type. Route privacy request emails to a monitored inbox.
```markdown
# PRIVACY_OPERATIONS.md

## CCPA Consumer Request Handling

**Designated Privacy Contact:** [Name / Role]
**Request Inbox:** privacy@example.com (monitored daily)

### Response Timeline (CCPA § 1798.130)
- Acknowledge within 10 business days
- Fulfill within 45 calendar days (extendable to 90 with consumer notice)
- Opt-out requests: effective immediately; third-party notification within 15 business days

### Right to Know — Fulfillment Steps
1. Verify identity via email confirmation link
2. Query: SELECT * FROM users WHERE email = $email; pull all associated records
3. Compile report covering CCPA PI categories
4. Email report to verified consumer address within 45 days

### Right to Delete — Fulfillment Steps
1. Verify identity
2. Apply CCPA exceptions (active transaction, fraud prevention, legal hold)
3. Permanently delete from primary DB; notify service providers of deletion
4. Send deletion confirmation to consumer
```
For teams larger than one person, add a quarterly calendar reminder to review the runbook for CCPA regulatory updates.
ID: ccpa-readiness.data-handling.employee-training
Severity: info
What to look for: CCPA requires that all individuals responsible for handling consumer inquiries about privacy practices are informed of CCPA requirements and how to respond to consumer requests. Look for training documentation, internal procedures, or runbooks that describe how to handle consumer rights requests. Check whether there is an internal contact or team designated to receive and process consumer privacy requests. Look for documentation in the repo (PRIVACY_OPERATIONS.md, internal runbooks), README references to a privacy contact, or links to an internal privacy wiki. Also check whether the privacy rights request form routes to a monitored inbox or ticket system (not an abandoned email address). Count all instances found and enumerate each.
Pass criteria: Internal documentation exists describing how consumer privacy requests are handled, who is responsible, and the response timeline (45 days). The designated contact or inbox for privacy requests is actively monitored. At least 1 implementation must be confirmed.
Fail criteria: No internal documentation for handling consumer requests. Privacy request form routes to an unmonitored inbox. No designated person or team responsible for CCPA compliance.
Skip (N/A) when: Solo developer or very early-stage project with no staff — document with a note that all requests are handled directly by the founder/developer.
Detail on fail: Example: "No internal CCPA operations documentation found. Privacy request form routes to privacy@example.com but no evidence of monitoring or response process."
Remediation: Create a minimal privacy operations runbook:
```markdown
# PRIVACY_OPERATIONS.md

## CCPA Consumer Request Handling

**Designated Privacy Contact:** [Name / Role]
**Request Inbox:** privacy@example.com (monitored daily)
**Escalation:** [Engineering Lead] for technical fulfillment

### Response Timeline
- Acknowledge within 10 business days
- Fulfill within 45 calendar days (extendable to 90 with notice)
- Opt-out requests: effective immediately (automated); third-party notification within 15 business days

### Right to Know Request — Fulfillment Steps
1. Verify identity via email confirmation link
2. Query database: SELECT * FROM users WHERE email = $email; pull all associated records
3. Compile into a human-readable report covering CCPA categories
4. Email report to verified consumer email within 45 days

### Right to Delete Request — Fulfillment Steps
1. Verify identity via email confirmation link
2. Apply deletion exceptions (active transaction, fraud prevention, legal hold)
3. Delete from primary database; notify third-party service providers of deletion
4. Send deletion confirmation to consumer

### Quarterly Training Reminder
Review CCPA updates and this runbook at the start of each quarter.
```
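The response timeline in the runbook can be tracked mechanically so that a missed deadline shows up before a consumer complains. The following is an added Python example, not part of the original check or of any project's code; it computes the acknowledgement and fulfillment deadlines from the receipt date and lists open requests that are past either one. Assumptions: business days are Monday to Friday minus a supplied holiday set, the deadline day itself still counts as on time, and the request record fields (`id`, `received`, `acknowledged`, `fulfilled`, `extension_noticed`) are hypothetical.

```python
from datetime import date, timedelta

# Timeline values taken from the runbook's "Response Timeline" section.
ACK_BUSINESS_DAYS = 10   # acknowledge within 10 business days
FULFILL_DAYS = 45        # fulfill within 45 calendar days
EXTENDED_DAYS = 90       # extendable to 90 with consumer notice

def add_business_days(start, n, holidays=frozenset()):
    """Return the date n business days after start (assumed Mon-Fri, minus holidays)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in holidays:
            n -= 1
    return d

def deadlines(received, extension_noticed=False, holidays=frozenset()):
    """The clock starts on the receipt date, not when someone first reads the inbox."""
    days = EXTENDED_DAYS if extension_noticed else FULFILL_DAYS
    return {
        "acknowledge_by": add_business_days(received, ACK_BUSINESS_DAYS, holidays),
        "fulfill_by": received + timedelta(days=days),
    }

def overdue(requests, today, holidays=frozenset()):
    """Return (request id, missed step) for every open request past a deadline."""
    late = []
    for r in requests:
        dl = deadlines(r["received"], r.get("extension_noticed", False), holidays)
        if r.get("acknowledged") is None and today > dl["acknowledge_by"]:
            late.append((r["id"], "acknowledge"))
        if r.get("fulfilled") is None and today > dl["fulfill_by"]:
            late.append((r["id"], "fulfill"))
    return late

# Constructed sample request log (hypothetical schema, not real data).
REQUESTS = [
    {"id": "REQ-1", "received": date(2024, 3, 1), "acknowledged": date(2024, 3, 4), "fulfilled": None},
    {"id": "REQ-2", "received": date(2024, 3, 1), "acknowledged": None, "fulfilled": None},
    {"id": "REQ-3", "received": date(2024, 1, 10), "acknowledged": date(2024, 1, 12),
     "fulfilled": None, "extension_noticed": True},
]

if __name__ == "__main__":
    for req_id, step in overdue(REQUESTS, today=date(2024, 3, 20)):
        print(f"{req_id}: missed '{step}' deadline")
```

Run from a daily scheduled job against the ticket system or inbox export, this gives the "monitored daily" claim in the runbook something an auditor can verify.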