Among the many requirements placed on businesses by the California Consumer Privacy Act (CCPA), businesses must also keep in mind the continuing obligations that the law imposes. To remain in compliance with the CCPA, a business is required to update its privacy policy “at least once every 12 months.” Specifically, the applicable section of the CCPA requires that a business update:
- A description of a consumer’s rights and a method for submitting requests;
- A list of the categories of personal information collected about consumers in the previous 12 months;
- A list of the categories of personal information about consumers that a business has sold in the previous 12 months, or if not applicable, a statement that it has not sold personal information in the previous 12 months; and
- A list of categories of personal information about consumers that a business has disclosed for a business purpose in the previous 12 months, or if not applicable, a statement that it has not disclosed personal information for a business purpose in the previous 12 months.
In addition, regulations promulgated by the California Attorney General’s Office may require further updates to a business’ privacy policy and reassessments every 12 months in particular use cases.
With the number of changes that occur in a year regarding new data practices, products, or third-party relationships, businesses must stay on top of this need to continually update their privacy policies. Although the initial CCPA compliance process requires a close review of how businesses process information, businesses will fall out of compliance if they fail to note these annual update requirements. Even though there might not ultimately be any updates, at a minimum, a business must review its data processing practices to avoid running afoul of the CCPA.
And, assessing and updating privacy policies is not a requirement limited to CCPA compliance. In order to maintain compliance with other laws, businesses must continue to ensure that the disclosures in their privacy policies remain correct and complete.
If you have questions about the CCPA or any other data protection questions, please contact Faith Kasparian, Ann O’Rourke, or Ryan Perry.