The Comprehensive Privacy Law Deluge: Approaching Notice Obligations

Sheppard Mullin Richter & Hampton LLP

[co-author: Kathryn Smith*]

When thinking about privacy notice obligations, companies often (incorrectly) leap to the wording in their privacy policies. The new comprehensive state privacy laws are a reminder that notice obligations are a bit broader than mere privacy policies. To the extent that these laws apply to your organization (see our prior applicability post), there are some notice-related obligations to keep in mind.

For many companies, the biggest “change” is that these laws contain obligations to provide individuals with notice (a privacy policy) not just online, as existed under prior state online privacy laws (California, Delaware and Nevada), but at any point that personal information is being collected, including offline or by phone. Some, like California, contain details about how to provide offline notice. Previously, other than state laws requiring privacy notices, there were only sector- or activity-specific laws that contained the requirement. Companies nevertheless had them because of FTC guidance and expectation. Companies also had them to mitigate and minimize the risk that consumers might expect information was treated in a certain way. The privacy policy was a tool to explain the company’s actual practices.

In terms of content, for entities that already comply with GDPR or CCPA, the requirements are not significantly different. Thus, if your organization has already updated its privacy policy to address CPRA requirements, little additional content will be needed to address the newer state laws. At a high level, the content required is as follows (refer to our effective date post for timelines, which may impact when an organization decides to amend its policy to address these laws):

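| Required content | CA | CO | CT | FL | IA | IN | MT | TN | TX | UT | VA |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Categories of personal information and purposes of processing | x | x | x | x | x | x | x | x | x | x | x |
| If sensitive information will be processed | x | x |  | x |  |  |  |  | x |  |  |
| If information will be shared and categories of those third parties | x | x | x | x | x | x | x | x | x | x | x |
| Consumers’ rights, and how to exercise them | x | x | x | x | x | x | x | x | x | x | x |
| How to appeal a decision | x | x | x | x | x | x | x | x | x |  | x |
| How to opt out of certain processing | x | x |  |  |  |  |  |  |  |  |  |
| Date policy was last updated (CalOPPA also requires effective date) | x | x |  |  |  |  |  |  |  |  |  |
| Contact information for questions or concerns | x | x | x |  |  |  | x |  |  |  |  |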

This list is not exhaustive, and many states have specific (and fairly complex) requirements about what these notices look like and what content to include in the categories listed above.

*Kathryn Smith is a fellow in the firm’s Chicago office.

Putting it into Practice: As we move past Colorado and Connecticut’s effective dates, presumably organizations have already reviewed and updated their privacy policies. However, as more and more states put “comprehensive” privacy laws in place, there will be a need to continue to review those statements. Internal procedures for regular review of privacy policies can be a helpful mechanism to ensure the document not only keeps up with the regulatory requirements, but also remains factually accurate.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising
