For businesses subject to the California Consumer Privacy Act (CCPA), a compliance step that is often overlooked is the requirement to update the business's online privacy policy annually. Under Cal. Civ. Code § 1798.130(a)(5), CCPA-covered businesses must, among other things, update their online privacy policies at least once every 12 months. Note that the CCPA regulations also establish content requirements for online privacy policies, one of which is that the policy must include "the date the privacy policy was last updated." See 11 CCR § 7011(e)(4).
As businesses grow, evolve, adopt new technologies, or otherwise change their online and offline business practices and operations, a CCPA-required privacy policy may no longer accurately or completely reflect how the business collects and processes personal information. Consider, for example, the adoption of emerging technologies such as so-called "artificial intelligence" tools. These tools may be collecting, inferring, or processing personal information in ways that were not contemplated when the organization last updated its privacy policy.
A business's service providers may also now collect and process personal information on its behalf in ways that differ from what they did when they first began providing services to the business.
Simply put: If your business (or its service providers) has adopted any new technologies or otherwise changed how it collects or processes personal information, your privacy policy may need an update.
Practical Action Items for Businesses
Here are some steps businesses can take to comply with the annual privacy policy review and update requirement under the CCPA:
- Inventory Personal Information
  Reassess what categories of personal information your organization collects, processes, sells, and shares. Consider whether new categories, such as biometric, geolocation, or video data, have been added.
- Review Data Use Practices
  Confirm whether your uses of personal information have changed since the last policy update. This includes whether you are now profiling consumers, targeting them, or automating decisions based on their data.
- Assess Adoption of New Technologies, Such as AI Tools
  Has your business adopted any new technologies or systems, such as AI applications? Examples may include:
  - AI notetakers, transcription, or summarization tools used in meetings (e.g., Otter, Fireflies)
  - AI used for chatbots, personalized recommendations, or hiring assessments
- Evaluate Third Parties and Service Providers
  Are you sharing or selling personal information with new third parties? Has your use of service providers changed, or have your service providers changed their practices around the collection or processing of personal information?
- Review Your Consumer Rights Mechanisms
  Are the methods for consumers to submit access, deletion, correction, or opt-out requests clearly stated in the policy, and are they functioning properly?
These are only a few of the recent developments that may drive changes to an existing privacy policy. Businesses in certain industries, and particular departments within those businesses, may face additional considerations. Here are a few examples:
Retail Businesses
- Loyalty programs collecting purchase history and predictive analytics data.
- More advanced in-store cameras and mobile apps collecting biometric or geolocation information.
- AI-driven customer service bots that gather interaction data.
Law Firms
- Use of AI notetakers or transcription tools during client calls.
- Remote collaboration tools that collect device or location data.
- Marketing platforms that profile client interests based on website use.
HR Departments (Across All Industries)
- AI tools used for resume screening and candidate profiling.
- Digital onboarding platforms collecting sensitive identity data.
- Employee productivity and monitoring software that tracks usage, productivity, or location.
The online privacy policy is not just a static compliance document—it’s a dynamic reflection of your organization’s data privacy practices. As technologies evolve and regulations expand, taking time once a year to reassess and update your privacy disclosures is not only a legal obligation in California but a strategic risk management step. And, while we have focused on the CCPA in this article, inaccurate or incomplete online privacy policies can elevate compliance and litigation risks under other laws, including the Federal Trade Commission Act and state protections against deceptive and unfair business practices.