CCPA Compliance Reminder: Annual Update Requirement for Online Privacy Policies
Tuesday, July 1, 2025
Print Mail Download info_icon_img/>i

For businesses subject to the California Consumer Privacy Act (CCPA), a compliance step often overlooked is the requirement to annually update the businesses online privacy policy. Under Cal. Civ. Code § 1798.130(a)(5), CCPA-covered businesses must among other things update their online privacy policies at least once every 12 months. Note that CCPA regulations establish content requirements for online privacy policies, one of which is that the policy must include “the date the privacy policy was last updated.” See 11 CCR § 7011(e)(4).

As businesses continue to grow, evolve, adopt new technologies, or otherwise make online and offline changes in their business, practices, and/or operations, CCPA required privacy policies may no longer accurately or completely reflect the collection and processing of personal information. Consider, for example, the adoption of emerging technologies, such as so-called “artificial intelligence” tools. These tools may be collecting, inferring, or processing personal information in ways that were not contemplated when preparing the organization’s last privacy policy update.

The business also may have service providers that collect and process personal information on behalf of the business in ways that are different than they did when they began providing services to the business.

Simply put: If your business (or its service providers) has adopted any new technologies or otherwise changed how it collects or processes personal information, your privacy policy may need an update.

Practical Action Items for Businesses

Here are some steps businesses can take to comply with the annual privacy policy review and update requirement under the CCPA:

  • Inventory Personal Information
    Reassess what categories of personal information your organization collects, processes, sells, and shares. Consider whether new categories—such as biometric, geolocation, or video —have been added.
  • Review Data Use Practices
    Confirm whether your uses of personal information have changed since the last policy update. This includes whether you are profiling, targeting, or automating decisions based on the data.
  • Assess adoption of new technologies, such as AI and New Tech Tools
    Has your business adopted any new technologies or systems, such as AI applications? Examples may include:
    • AI notetakers, transcription, or summarization tools for use in meetings (e.g., Otter, Fireflies)
    • AI used for chatbots, personalized recommendations, or hiring assessments
  • Evaluate Third Parties and Service Providers
    Are you sharing or selling information to new third parties? Has your use of service providers changed, or have service providers changed their practices around the collection or processing of personal information?
  • Review Your Consumer Rights Mechanisms
    Are the methods for consumers to submit access, deletion, correction, or opt-out requests clearly stated and functioning properly?

These are only a few of the potential recent developments that may drive changes in an existing privacy policy. There may be additional considerations for businesses in certain industries and departments within those businesses that should be considered as well. Here are a few examples:

Retail Businesses

  • Loyalty programs collecting purchase history and predictive analytics data.
  • More advanced in-store cameras and mobile apps collecting biometric or geolocation information.
  • AI-driven customer service bots that gather interaction data.

Law Firms

  • Use of AI notetakers or transcription tools during client calls.
  • Remote collaboration tools that collect device or location data.
  • Marketing platforms that profile client interests based on website use.

HR Departments (Across All Industries)

  • AI tools used for resume screening and candidate profiling.
  • Digital onboarding platforms collecting sensitive identity data.
  • Employee productivity and monitoring software that tracks usage, productivity, or location.

The online privacy policy is not just a static compliance document—it’s a dynamic reflection of your organization’s data privacy practices. As technologies evolve and regulations expand, taking time once a year to reassess and update your privacy disclosures is not only a legal obligation in California but a strategic risk management step. And, while we have focused on the CCPA in this article, inaccurate or incomplete online privacy policies can elevate compliance and litigation risks under other laws, including the Federal Trade Commission Act and state protections against deceptive and unfair business practices.

Jackson Lewis P.C. © 2025

Current Public Notices

Post Your Public Notice Today!

PUBLIC NOTICE OF UCC SALE: Broad St Ventures Urban Renewal, LLC
Published: 10 July, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: CCP Mezzanine Nashville I, LLC
Published: 7 July, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: Chenango Flats LLC
Published: 7 July, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: Integrated Endoscopy, Inc.
Published: 1 July, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: 600 and 777 Partners LLC’s
Published: 30 June, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: Matrix Financial Technologies, Inc.
Published: 30 June, 2025
PUBLIC NOTICE OF AUCTION OF ASSETS: Fireside Surf, LLC
Published: 30 June, 2025
PUBLIC NOTICE OF ASSIGNMENT: Common Cents Distributors, LLC
Published: 26 June, 2025
PUBLIC NOTICE OF UCC SALE: Hudson 1702, LLC
Published: 24 June, 2025
PUBLIC NOTICE OF INTELLECTUAL PROPERTY SALE: American Energy Storage Innovations Inc.
Published: 24 June, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: Chesterfield Faring, LTD
Published: 24 June, 2025
PUBLIC NOTICE OF ASSIGNEE SALE: Quadrata, Inc.
Published: 23 June, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: HM LAND ACQUISITION, LLC AND M&H INVESTMENT GROUP, LLC
Published: 16 June, 2025
Discover more public notices

Current Legal Analysis

More from Jackson Lewis P.C.

Puerto Rico Supreme Court Reaffirms Importance of Just Cause for Employee Terminations
by: Carlos J. Saavedra-Gutiérrez , Juan Felipe Santos
Employers Won’t Face Double Damages from DOL Wage and Hour Division’s Administrative Proceedings
by: Justin R. Barnes , Jeffrey W. Brecher
Puerto Rico New Act 29-2025: Essential Employer Obligations for Breastfeeding/Pumping Activities
by: Ana B. Rosado-Frontanés , Tatiana Leal-González
Hiring Former Government Employees: Legal Risks + Other Considerations for Contractors
by: Jeremy S. Schneider
NCAA Considers Major Policy Shift on Gambling Restrictions
by: Bernard G. Dennis III , Vincent M. Silvanio
HB1127 Explained: North Dakota’s New InfoSec Requirements for Financial Corporations
by: Joseph J. Lazzarotti , Rachel A. Jacob
We Get AI for Work™: An Exclusive Interview with Bryon Bass, CEO at the Disability Management Employer Coalition (DMEC) [Podcast]
by: Joseph J. Lazzarotti
U.S. District Judge Blocks DHS Attempt to Terminate Haiti TPS Early
by: Marion Boyer
California Civil Rights Department Publishes Survivors of Violence’s Right to Leave & Accommodation Notice and FAQ
by: Kurtis R. Urien
AI Moratorium Removed from Federal Budget Bill
by: Michelle L. Duncan , Eric J. Felsberg
OFCCP To Close All Prior Section 503 and VEVRAA Compliance Reviews Following Secretary of Labor Order Reviving Enforcement Activities
by: Laura A. Mitchell , Nicole Trotta
City of Los Angeles Hotel Workers’ Minimum Wage Increase Put on Hold
by: Susan E. Groff
When Minor Variations in Prompts Lead to Problematic Outputs
by: Joseph J. Lazzarotti
Florida District Court Declines to Expand ERISA Disclosure Requirements
by: Steven Sheesley , Robert W. Rachal

Upcoming Events

 
NLR Logo
We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up for any (or all) of our 25+ Newsletters.

 

Sign Up for any (or all) of our 25+ Newsletters