When thinking about privacy notice obligations, companies often (incorrectly) leap straight to the wording in their privacy policies. The new comprehensive state privacy laws are a reminder that notice obligations are somewhat broader than the privacy policy itself. To the extent that these laws apply to your organization (see our prior applicability post), there are several notice-related obligations to keep in mind.
For many companies, the biggest “change” is that these laws require notice to individuals (a privacy policy) not just online, as was the case under the prior state online privacy laws (California, Delaware and Nevada), but at any point at which personal information is collected. In other words, offline or by phone as well. Some states, like California, spell out how offline notice is to be provided. Previously, apart from those state online privacy laws, only sector- or activity-specific laws required a privacy notice. Companies nevertheless had privacy policies because of FTC guidance and expectations, and to mitigate the risk that consumers would assume their information was being treated in a certain way. The privacy policy was a tool to explain the company’s actual practices.
In terms of content, for entities that already comply with GDPR or CCPA, the requirements are not significantly different. Thus, if your organization has already updated its privacy policy to address CPRA requirements, little additional content will be needed to address the newer state laws. At a high level, the required content is as follows (refer to our effective date post for timelines, which may affect when an organization decides to amend its policy to address these laws):
| Notice content | CA | CO | CT | FL | IA | IN | MT | TN | TX | UT | VA |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Categories of personal information and purposes of processing | x | x | x | x | x | x | x | x | x | x | x |
| If sensitive information will be processed | x | x | x | x | | | | | | | |
| If information will be shared and categories of those third parties | x | x | x | x | x | x | x | x | x | x | x |
| Consumers’ rights, and how to exercise them | x | x | x | x | x | x | x | x | x | x | x |
| How to appeal a decision | x | x | x | x | x | x | x | x | x | x | |
| How to opt out of certain processing | x | x | | | | | | | | | |
| Date policy was last updated (CalOPPA also requires effective date) | x | x | | | | | | | | | |
| Contact information for questions or concerns | x | x | x | x | | | | | | | |
This list is not exhaustive, and many states have specific (and fairly complex) requirements about what these notices must look like and what content must be included within the categories listed above.
Putting it into Practice: As we move past Colorado’s and Connecticut’s effective dates, organizations have presumably already reviewed and updated their privacy policies. However, as more and more states put “comprehensive” privacy laws in place, those statements will need continued review. An internal procedure for regular review of the privacy policy is a helpful mechanism to ensure the document not only keeps up with regulatory requirements but also remains factually accurate.