The annual review and update (if necessary) of privacy notices just got an upgrade to a “must do.”
This provision, found in California Consumer Privacy Act from the beginning, requires companies to assess their data collection processes annually and update their privacy notice, as needed.
It was not discussed or enforced much until last week, when the California Privacy Protection Agency initiated legal proceedings against a company. At issue, among other things, was the fact that their privacy notice was last updated in 2021, which the CPPA stated was well over the legal standard of 12 months.
To do:
- Make sure that you calendar an annual “privacy notice review” date, and make sure that it allows for enough time to discuss, get approvals and get it uploaded to your website. (If you need to translate into other languages in which you are doing business, which is also a requirement in California, allow time for that too.)
- For multinationals: Communicate the need to do the legal (and now, enforced) requirement to do an annual review of your privacy notice to your parent company if they are involved (or control) the amendment of privacy disclosures. This may help facilitate the process.
- Log any “nice to have” changes in the notice so they can be added during the review.
- Assess whether any of the changes are “material” so you can determine if consent is needed.
[View source.]
