Ciphertext-Policy Attribute-Based Encryption (CP-ABE) is one of the potent encryption paradigms in protecting data confidentiality in the cloud data sharing scenario. However, the access policy of the traditional CP-ABE is in plaintext form that reveals significant sensitive information of data owners and data visitors. To mitigate this problem, two approaches have been proposed in the literature. One is partially hidden, where the attributes in the access policy are divided into two parts: the plaintext attribute names and the hidden attribute values. The other approach fully hides the attributes in the access policy which, unfortunately, hinders efficient and correct decryption as well as dynamic policy-updating. In this article, we design a security-enhanced Attribute Cuckoo Filter (se-ACF) to hide the access policy and propose a new CP-ABE system, called Privacy-Preserving Policy Updating ABE (3PU-ABE), which effectively integrates policy hiding and policy updating. We conduct rigorous security analysis and performance evaluation of 3PU-ABE. The results indicate that 3PU-ABE completely hides the access policy without affecting the decryption, and entails better policy-updating efficiency than similar works.