Since 2004, the California Online Privacy Protection Act (CalOPPA) has required commercial websites to “conspicuously post” an online privacy policy, labelled “privacy.”  The CalOPPA applies to commercial websites or online service with users residing in California – which in practice means nearly every commercial website operated in the United States. 

The privacy policy (more accurately, a statement of privacy practices) must address certain specified topics, among the most important of which is what “personally identifiable information” is collected by the website and with whom it is shared.  The description must accurately describe the website’s data practices.  An inaccurate privacy policy runs a risk of being deemed a misleading or deceptive trade practice under federal or state consumer protection laws. 

Privacy policies must be reviewed from time to time to ensure their continued accuracy.  Like many aspects of life, a policy that accurately described a company’s practices a few years ago may no longer do so because business practices change. 

Consider when the privacy policy was last updated (this should be readily discernable; by law the posted policy must state its effective date).  Think about how the site has changed since that date.  Have features have been added or subtracted?  Is the site now collecting any types of data that it was not collecting at the time the current policy was drafted?  Has the business made any changes in how it uses, shares, or saves the personal information that it collects?  Does the company share customers’ personal information – as defined by CalOPPA or other laws — with third parties?  Has anything changed about how the website uses advertising networks and analytics companies?  How does the current privacy policy address the use of “share” buttons and similar plug-ins that inherently share personal information, at least under some definitions. 

Moving off of the traditional website, does the company now offer a mobile application?  Is it active on Twitter or Facebook?  Policies that may have described a website’s operations several years ago may have little relationship to a company’s mobile app or social media presence.