Think Your Privacy Policy is Future Proof? Think Again

Jan 20, 2022 Published Article

An ounce of prevention is worth a pound of cure.  While businesses undoubtedly pushed to comply with the California Consumer Privacy Act ("CCPA") back in 2020, there are annual requirements companies must follow.  Specifically, every business should remember that under both the CCPA and the California Privacy Rights Act ("CPRA"), Privacy Policies must be updated once every twelve months.  Further, the CPRA includes changes which will require all Privacy Policies to be modified.  So what changes are currently required for companies that haven't updated their Privacy Policies recently?  Even more importantly, how can a business attempt to "Future Proof" its Privacy Policy moving forward?

Required Updates

The CCPA (as amended by the CPRA) requires that businesses disclose and update their Privacy Policy or policies once every twelve months.  These policies and updates need to include a description of customer rights under specific provisions of the CCPA and CPRA, namely: (1) the general duties of businesses, (2) the right to deletion, (3) the right to correction, (4) the right to know what is being collected, (5) the right to know what is sold and shared and to whom, and (6) the right to protection against retaliation for exercising opt-out or other rights under the CCPA and CPRA.

As part of this, there is a requirement for two separate lists of personal information collected and shared broken down by category, including how that information is collected, how it's used, who it's shared with, and why.  Further, certain statements are required to be made whether or not information was sold in the preceding 12 months.

Changes from the CPRA

The CPRA amends the CCPA's Privacy Policy requirements by (a) adding language regarding consumers' right to correction, which is a new addition from the CCPA, and (b) adding the concept of "sensitive personal information," which includes information such as social security numbers, driver's licenses, state IDs, account login information, precise geolocation, racial or ethnic origin, the contents of mail, email, and text messages, and genetic data.  As both of these are new requirements under the CPRA, they require changes to all privacy policies, which need to be CPRA compliant by January 1, 2023.  Further, the Privacy Policy must separate the categories of sensitive personal information from potentially overlapping categories of personal information.

What now?

While the CPRA is not yet in effect and will not be until January 1, 2023, enforcement will begin on July 1, 2023 for violations occurring on or after that date.  While this is a minor issue, it's also one that is easily and quickly remedied.  Moving forward, businesses should establish a strategy and time period every year for annually updating Privacy Policies, including (a) evaluating whether or not the methods of collection have changed; (b) verifying that the reasons for collection are unchanged; (c) verifying the entities the business shares information with; and (d) specifying why that information is shared.  Further, it would make sense for businesses to work closely with attorneys to determine what must be included in these annual re-evaluations.  To that extent, the ounce of prevention to address this isn't a one-time solution, but rather forming a strategy and time frame to handle these items, similar to other corporate formalities.


Newmeyer Dillion can provide advice on existing CCPA compliance policies, help revise CCPA compliance policies to conform to the CPRA, help implement new cybersecurity policies to comply with the CPRA, and provide updates to CPRA-required notices and privacy policies.  California has a history of being at the forefront of policy developments that expand internally and spread to other states; therefore, the CPRA may serve as a template for similar laws in other states.