- A description of a consumer’s rights and a method for submitting requests;
- A list of the categories of personal information collected about consumers in the previous 12 months;
- A list of the categories of personal information about consumers that a business has sold in the previous 12 months, or if not applicable, a statement that it has not sold personal information in the previous 12 months; and
- A list of categories of personal information about consumers that a business has disclosed for a business purpose in the previous 12 months, or if not applicable, a statement that it has not disclosed personal information for a business purpose in the previous 12 months.
With the number of changes that occur in a year regarding new data practices, products, or third-party relationships, businesses must stay on top of this need to continually update their privacy policies. Although the initial CCPA compliance process requires a close review of how businesses process information, businesses will fall out of compliance if they fail to note these annual update requirements. Even though there might not ultimately be any updates, at a minimum, a business must review its data processing practices to avoid running afoul of the CCPA.
And, assessing and updating privacy policies is not a requirement limited to CCPA compliance. In order to maintain compliance with other laws, businesses must continue to ensure that the disclosures in their privacy policies remain correct and complete.