We work with many US-based businesses that ask us to update their privacy policies to make sure they comply with current data protection laws that apply to them. These businesses are usually referring to their website privacy policies, which are technically privacy notices. This seemingly simple request is a loaded question. Preparing or updating a privacy notice is not a singular task; instead, it is a multi-layered and dynamic process.
As a best practice, your business should calendar as part of its year-end processes reviewing and updating its privacy notice to take into account any changes in applicable law, regulations, FTC complaints and recommendations, states Attorney General complaints or suits, etc., and your business’s internal operations.
Data protection laws in the US are constantly evolving. In 2024 alone, 7 states passed their own data protection laws, which add onto CCPA/CPRA (California Consumer Protection Act/California Privacy Rights Act). Each US data protection law is unique, with some falling into a category of similar laws and some falling into their own unique categories. As of the writing of this article, there are 19 or 20 states that have passed data protection laws (depending on whether one counts Florida’s Digital Bill of Rights Act as a data protection law). These approximately 20 data protection laws are either already in effect or going into the effect in 2025 and thereafter.
Some businesses believe that, because they may not have offices in the states with data protection laws, they do not have to worry about those laws. But, if those businesses have a nationally (or internationally) available website, they may nonetheless meet the definition of a business that is subject to the current US data protection laws (not to mention GDPR – the General Data Protection Regulation – and other international laws), depending on the reach and functionality of the business and its website(s).
Moreover, US regulators and regulations are constantly updating existing data protection laws and interpretations of them. One of the reasons for the constant flux is that businesses continue to implement new technologies and AI processes, and the laws in these areas respond accordingly – usually a step (or many steps) behind the technology. Additionally, new information comes to light in the news or social media about how companies are using individuals’ personal information, and this often leads to new regulations or expanded interpretations of existing law.
Take, for example, Texas’s Attorney General suing General Motors for alleged false, deceptive, and misleading business practices related to GM’s alleged unlawful collection and sale of over 1.5 million Texans’ private driving data to insurance companies without their knowledge or consent. Not all US data protection laws required such affirmative consent, but as public awareness has increased of the dangers of tracking and targeting individuals through the most intimate and personal details of their lives (e.g., their real-time locations), this is now an issue of public concern. It is a topic of discussion in the news and society. It is something that should trigger businesses to re-visit their privacy notices to make sure they are still compliant.
Therefore, just because your business’s privacy notice may have complied with applicable law in 2022 – and assuming no new laws went into effect that affected your business – your privacy notice still may need to be updated based on newer regulatory guidance. Moreover, CCPA/CPRA requires reviewing and updating (as appropriate) businesses’ privacy notices on at least an annual basis, if business operations change, if there is an acquisition or divestiture, or any other change that concerns the collection and processing of personal information.
Add to this the fact that privacy notices need to function as they represent they will. For example, a “Do Not Sell or Share My Personal Information” link, or an “Opt-Out of Targeted Advertising” link must actually operate, and there must be people or automated processes in place to timely honor these requests. These links should also be on the business’s website. Further, if your business’s website uses cookies – and most of them do – your business’s website needs to have a cookie banner that offers visitors clear and easy choices about what cookies they may want to accept and what cookies they want to decline.
[View source.]