Companies subject to the California Consumer Privacy Act (CCPA) are required to update their online privacy policies “at least once every 12 months,” as detailed in the statute. For many companies that updated their CCPA policies in advance of the law’s enforcement deadline last year (July 1, 2020), that 12-month mark may be approaching.
Looking ahead, privacy obligations are evolving for businesses that operate in California, Virginia and Colorado. In November 2020, voters approved the California Privacy Rights Act of 2020 (CPRA), which significantly amends the CCPA. Even though that law will not become generally operative until January 1, 2023, work to implement the CPRA is already underway, with the new privacy agency established by the law—the California Privacy Protection Agency (CPPA)—holding its inaugural public Board meeting on Monday, June 14. Additionally, other states are enacting their own comprehensive privacy legislation. In March 2021, Virginia enacted an omnibus privacy law—the Consumer Data Protection Act (CDPA); and this month, the Colorado legislature passed an omnibus privacy bill—the Colorado Privacy Act—that is currently awaiting the Governor’s approval. Those laws will become effective in January and July 2023, respectively, so companies will need to consider these new and nuanced frameworks as they continue to develop their privacy compliance programs.