Think Your Privacy Policy is Future Proof? Think Again

Newmeyer Dillion

An ounce of prevention is worth a pound of cure. While businesses undoubtedly pushed to comply with the California Consumer Privacy Act ("CCPA") back in 2020, there are annual requirements companies must follow. Specifically, every business should remember that under both the CCPA and the California Privacy Rights Act ("CPRA"), Privacy Policies must be updated once every twelve months. Further, the CPRA includes changes which will require all Privacy Policies to be modified. So what changes are currently required for companies that haven’t updated their Privacy Policies recently? Even more importantly, how can a business attempt to "Future Proof" its Privacy Policy moving forward?

Required Updates

The CCPA (as amended by the CPRA) requires that businesses disclose and update their Privacy Policy or policies once every twelve months.  These policies and updates need to include a description of customer rights under specific provisions of the CCPA and CPRA, namely: (1) the general duties of businesses, (2) the right to deletion, (3) the right to correction, (4) the right to know what is being collected, (5) the right to know what is sold and shared and to whom, and (6) the right to protection against retaliation for exercising opt-out or other rights under the CCPA and CPRA.

As part of this, there is a requirement for two separate lists of personal information collected and shared broken down by category, including how that information is collected, how it's used, who it's shared with, and why.  Further, certain statements are required to be made whether or not information was sold in the preceding 12 months.

Changes from the CPRA

The CPRA amends the CCPA's Privacy Policy requirements by (a) adding language regarding consumers' right to correction, which is new relative to the CCPA, and (b) adding the concept of "sensitive personal information," which includes information such as social security numbers, driver's licenses, state IDs, account login information, precise geolocation, racial or ethnic origin, the contents of mail, email, and text, or genetic data. As both of these are new requirements under the CPRA, they require changes to all privacy policies which need to be CPRA compliant by January 1, 2023. Further, the Privacy Policy must separate the categories of sensitive personal information from potentially overlapping categories of personal information.

What now?

While the CPRA is not yet in effect and will not be until January 1, 2023, enforcement will begin on July 1, 2023 for violations occurring on or after that date. While this is a minor issue, it's also one that is easily and quickly remedied. Moving forward, businesses should establish a strategy and time period every year for annually updating Privacy Policies, including (a) evaluating whether or not the methods of collection have changed; (b) verifying that the reasons for collection are unchanged; (c) verifying the entities the business shares information with; and (d) specifying why that information is shared. Further, it would make sense for businesses to work closely with attorneys to determine what must be included in these annual re-evaluations. To that extent, the ounce of prevention here isn't a one-time solution, but rather a strategy and time frame for handling these items, similar to other corporate formalities.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Newmeyer Dillion | Attorney Advertising
