CCPA Compliance Reminder: Annual Update Requirement for Online Privacy Policies
Tuesday, July 1, 2025
Print Mail Download info_icon_img/>i

For businesses subject to the California Consumer Privacy Act (CCPA), a compliance step often overlooked is the requirement to annually update the businesses online privacy policy. Under Cal. Civ. Code § 1798.130(a)(5), CCPA-covered businesses must among other things update their online privacy policies at least once every 12 months. Note that CCPA regulations establish content requirements for online privacy policies, one of which is that the policy must include “the date the privacy policy was last updated.” See 11 CCR § 7011(e)(4).

As businesses continue to grow, evolve, adopt new technologies, or otherwise make online and offline changes in their business, practices, and/or operations, CCPA required privacy policies may no longer accurately or completely reflect the collection and processing of personal information. Consider, for example, the adoption of emerging technologies, such as so-called “artificial intelligence” tools. These tools may be collecting, inferring, or processing personal information in ways that were not contemplated when preparing the organization’s last privacy policy update.

The business also may have service providers that collect and process personal information on behalf of the business in ways that are different than they did when they began providing services to the business.

Simply put: If your business (or its service providers) has adopted any new technologies or otherwise changed how it collects or processes personal information, your privacy policy may need an update.

Practical Action Items for Businesses

Here are some steps businesses can take to comply with the annual privacy policy review and update requirement under the CCPA:

  • Inventory Personal Information
    Reassess what categories of personal information your organization collects, processes, sells, and shares. Consider whether new categories—such as biometric, geolocation, or video —have been added.
  • Review Data Use Practices
    Confirm whether your uses of personal information have changed since the last policy update. This includes whether you are profiling, targeting, or automating decisions based on the data.
  • Assess adoption of new technologies, such as AI and New Tech Tools
    Has your business adopted any new technologies or systems, such as AI applications? Examples may include:
    • AI notetakers, transcription, or summarization tools for use in meetings (e.g., Otter, Fireflies)
    • AI used for chatbots, personalized recommendations, or hiring assessments
  • Evaluate Third Parties and Service Providers
    Are you sharing or selling information to new third parties? Has your use of service providers changed, or have service providers changed their practices around the collection or processing of personal information?
  • Review Your Consumer Rights Mechanisms
    Are the methods for consumers to submit access, deletion, correction, or opt-out requests clearly stated and functioning properly?

These are only a few of the potential recent developments that may drive changes in an existing privacy policy. There may be additional considerations for businesses in certain industries and departments within those businesses that should be considered as well. Here are a few examples:

Retail Businesses

  • Loyalty programs collecting purchase history and predictive analytics data.
  • More advanced in-store cameras and mobile apps collecting biometric or geolocation information.
  • AI-driven customer service bots that gather interaction data.

Law Firms

  • Use of AI notetakers or transcription tools during client calls.
  • Remote collaboration tools that collect device or location data.
  • Marketing platforms that profile client interests based on website use.

HR Departments (Across All Industries)

  • AI tools used for resume screening and candidate profiling.
  • Digital onboarding platforms collecting sensitive identity data.
  • Employee productivity and monitoring software that tracks usage, productivity, or location.

The online privacy policy is not just a static compliance document—it’s a dynamic reflection of your organization’s data privacy practices. As technologies evolve and regulations expand, taking time once a year to reassess and update your privacy disclosures is not only a legal obligation in California but a strategic risk management step. And, while we have focused on the CCPA in this article, inaccurate or incomplete online privacy policies can elevate compliance and litigation risks under other laws, including the Federal Trade Commission Act and state protections against deceptive and unfair business practices.

Jackson Lewis P.C. © 2025

Current Public Notices

Post Your Public Notice Today!

PUBLIC NOTICE OF RECEIVERSHIP SALE: ENTEGRA CAPITAL LLC AND EC MASTER TRUST
Published: 23 July, 2025
PUBLIC NOTICE OF ASSET SALE: SERFACE CARE, INC. D/B/A MYRO
Published: 21 July, 2025
PUBLIC NOTICE OF UCC SALE: Harrisburg Hotel LLC
Published: 21 July, 2025
PUBLIC NOTICE OF UCC SALE: GLP 2206 LLC
Published: 18 July, 2025
PUBLIC NOTICE OF UCC SALE: Broad St Ventures Urban Renewal, LLC
Published: 10 July, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: Chenango Flats LLC
Published: 7 July, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: Integrated Endoscopy, Inc.
Published: 1 July, 2025
PUBLIC NOTICE OF ASSIGNMENT: Common Cents Distributors, LLC
Published: 26 June, 2025
PUBLIC NOTICE OF UCC SALE: Hudson 1702, LLC
Published: 24 June, 2025
PUBLIC NOTICE OF INTELLECTUAL PROPERTY SALE: American Energy Storage Innovations Inc.
Published: 24 June, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: Chesterfield Faring, LTD
Published: 24 June, 2025
PUBLIC NOTICE OF ASSIGNEE SALE: Quadrata, Inc.
Published: 23 June, 2025
Discover more public notices

Current Legal Analysis

More from Jackson Lewis P.C.

Refresher on California’s CROWN Act
by: Angela S. Rho , Veena Bhatia
OSHA Proposes Dozens of Deregulatory Rules: How They’ll Impact Multiple Industries
by: Sierra Vierra , Janell M. Stanton
What MSHA’s 18 Proposed Rules Signal About the Future of Mine Safety
by: Sierra Vierra , Janell M. Stanton
Top Five Labor Law Developments for June 2025
by: Laura A. Pierson-Scheinberg , Richard F. Vitarelli
OSHA’s 2025 Amputations NEP: Key Changes Manufacturers Should Know
by: Sierra Vierra , Janell M. Stanton
Federal Judge Blocks Implementation of EO on Birthright Citizenship in Class Action Case
by: John E. Exner IV
Remote Work Challenges After New York Tax Appeals Tribunal Upholds Income Tax “Convenience Rule”
by: Raymond P. Turner
State Department Resumes Student, Exchange Visitor Visa Processing with Focus on Online Presence
by: Michelle Choe
DHS Announces End of TPS Designations for Nicaragua and Honduras
by: Marion Boyer
We Get Privacy for Work: The Privacy Pitfalls of a Remote Workforce [Video]
by: Damon W. Silver , Joseph J. Lazzarotti
Puerto Rico Supreme Court Reaffirms Importance of Just Cause for Employee Terminations
by: Carlos J. Saavedra-Gutiérrez , Juan Felipe Santos
Employers Won’t Face Double Damages from DOL Wage and Hour Division’s Administrative Proceedings
by: Justin R. Barnes , Jeffrey W. Brecher
Puerto Rico New Act 29-2025: Essential Employer Obligations for Breastfeeding/Pumping Activities
by: Ana B. Rosado-Frontanés , Tatiana Leal-González
Hiring Former Government Employees: Legal Risks + Other Considerations for Contractors
by: Jeremy S. Schneider
NCAA Considers Major Policy Shift on Gambling Restrictions
by: Bernard G. Dennis III , Vincent M. Silvanio

Upcoming Events

 
NLR Logo
We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up for any (or all) of our 25+ Newsletters.

 

Sign Up for any (or all) of our 25+ Newsletters