CCPA Compliance Reminder: Annual Update Requirement for Online Privacy Policies
Tuesday, July 1, 2025
Print Mail Download info_icon_img/>i

For businesses subject to the California Consumer Privacy Act (CCPA), a compliance step often overlooked is the requirement to annually update the businesses online privacy policy. Under Cal. Civ. Code § 1798.130(a)(5), CCPA-covered businesses must among other things update their online privacy policies at least once every 12 months. Note that CCPA regulations establish content requirements for online privacy policies, one of which is that the policy must include “the date the privacy policy was last updated.” See 11 CCR § 7011(e)(4).

As businesses continue to grow, evolve, adopt new technologies, or otherwise make online and offline changes in their business, practices, and/or operations, CCPA required privacy policies may no longer accurately or completely reflect the collection and processing of personal information. Consider, for example, the adoption of emerging technologies, such as so-called “artificial intelligence” tools. These tools may be collecting, inferring, or processing personal information in ways that were not contemplated when preparing the organization’s last privacy policy update.

The business also may have service providers that collect and process personal information on behalf of the business in ways that are different than they did when they began providing services to the business.

Simply put: If your business (or its service providers) has adopted any new technologies or otherwise changed how it collects or processes personal information, your privacy policy may need an update.

Practical Action Items for Businesses

Here are some steps businesses can take to comply with the annual privacy policy review and update requirement under the CCPA:

  • Inventory Personal Information
    Reassess what categories of personal information your organization collects, processes, sells, and shares. Consider whether new categories—such as biometric, geolocation, or video —have been added.
  • Review Data Use Practices
    Confirm whether your uses of personal information have changed since the last policy update. This includes whether you are profiling, targeting, or automating decisions based on the data.
  • Assess adoption of new technologies, such as AI and New Tech Tools
    Has your business adopted any new technologies or systems, such as AI applications? Examples may include:
    • AI notetakers, transcription, or summarization tools for use in meetings (e.g., Otter, Fireflies)
    • AI used for chatbots, personalized recommendations, or hiring assessments
  • Evaluate Third Parties and Service Providers
    Are you sharing or selling information to new third parties? Has your use of service providers changed, or have service providers changed their practices around the collection or processing of personal information?
  • Review Your Consumer Rights Mechanisms
    Are the methods for consumers to submit access, deletion, correction, or opt-out requests clearly stated and functioning properly?

These are only a few of the potential recent developments that may drive changes in an existing privacy policy. There may be additional considerations for businesses in certain industries and departments within those businesses that should be considered as well. Here are a few examples:

Retail Businesses

  • Loyalty programs collecting purchase history and predictive analytics data.
  • More advanced in-store cameras and mobile apps collecting biometric or geolocation information.
  • AI-driven customer service bots that gather interaction data.

Law Firms

  • Use of AI notetakers or transcription tools during client calls.
  • Remote collaboration tools that collect device or location data.
  • Marketing platforms that profile client interests based on website use.

HR Departments (Across All Industries)

  • AI tools used for resume screening and candidate profiling.
  • Digital onboarding platforms collecting sensitive identity data.
  • Employee productivity and monitoring software that tracks usage, productivity, or location.

The online privacy policy is not just a static compliance document—it’s a dynamic reflection of your organization’s data privacy practices. As technologies evolve and regulations expand, taking time once a year to reassess and update your privacy disclosures is not only a legal obligation in California but a strategic risk management step. And, while we have focused on the CCPA in this article, inaccurate or incomplete online privacy policies can elevate compliance and litigation risks under other laws, including the Federal Trade Commission Act and state protections against deceptive and unfair business practices.

Jackson Lewis P.C. © 2025

Current Public Notices

Post Your Public Notice Today!

PUBLIC NOTICE OF UCC ARTICLE 9 SALE: 600 and 777 Partners LLC’s
Published: 30 June, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: Matrix Financial Technologies, Inc.
Published: 30 June, 2025
PUBLIC NOTICE OF AUCTION OF ASSETS: Fireside Surf, LLC
Published: 30 June, 2025
PUBLIC NOTICE OF ASSIGNMENT: Common Cents Distributors, LLC
Published: 26 June, 2025
PUBLIC NOTICE OF UCC SALE: Hudson 1702, LLC
Published: 24 June, 2025
PUBLIC NOTICE OF INTELLECTUAL PROPERTY SALE: American Energy Storage Innovations Inc.
Published: 24 June, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: Chesterfield Faring, LTD
Published: 24 June, 2025
PUBLIC NOTICE OF ASSIGNEE SALE: Quadrata, Inc.
Published: 23 June, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: Villa Graves Properites
Published: 23 June, 2025
PUBLIC NOTICE OF UCC SALE: Equity interests in Life Spine, Inc.
Published: 17 June, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: HM LAND ACQUISITION, LLC AND M&H INVESTMENT GROUP, LLC
Published: 16 June, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: Meyer Burger (Americas) LTD
Published: 16 June, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: CCP Mezzanine Nashville I, LLC
Published: 28 May, 2025
Discover more public notices

Current Legal Analysis

More from Jackson Lewis P.C.

When Minor Variations in Prompts Lead to Problematic Outputs
by: Joseph J. Lazzarotti
Florida District Court Declines to Expand ERISA Disclosure Requirements
by: Steven Sheesley , Robert W. Rachal
How a Texas Federal District Court Changed the HIPAA Reproductive Health Privacy Rule, But SCOTUS Decision May Say Not So Fast
by: Joseph J. Lazzarotti , Melissa Ostrower
What Are the Immigration Impacts in Budget Reconciliation Bill H.R. 1?
by: Lauren Frances Bowen
OFCCP Proposes Changes to Veterans and Disability Regulations
by: Laura A. Mitchell
Minnesota’s Paid Leave Law Is Final: Here’s How Employers Can Prepare Now
by: Gina K. Janeiro , Janell M. Stanton
We Get Privacy for Work: Assessing the Risks of AI Tools [Video]
by: Joseph J. Lazzarotti , Damon W. Silver
The Potential For One Long Moratorium on AI Regulation
by: Michelle L. Duncan
SCOTUS’s CASA Decision Ends Nationwide Injunctions, Creating Uncertainty Around Enforcement of Executive and Agency Actions
by: Stephanie L. Adler-Paindiris , Eric R. Magnus
Cal/OSHA’s Significant Revisions to Proposed Workplace Violence Regulation Would Create More Obligations for More Employers
by: Michael R. Watts , Sierra Vierra
A New Era Begins: NCAA Amateurism Is Out as Direct Athlete Compensation + College Sports Commission Enter the Arena
by: Bernard G. Dennis III , Jason S. Kaner
Pennsylvania Moves Closer to $15 Minimum Wage as Bill Advances to Senate
by: Stephanie Peet , Daniel F. Thornton
Timing Is Everything: SCOTUS Shuts Down Retiree’s ADA Post-Employment Benefits Claim
by: Katharine C. Weber , Luke P. Breslin

Upcoming Events

 
NLR Logo
We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up for any (or all) of our 25+ Newsletters.

 

Sign Up for any (or all) of our 25+ Newsletters