The California Consumer Privacy Act (CCPA) took effect on January 1st, 2020 and affects businesses all over the world. The California Privacy Rights Act (CPRA), operative from January 1st, 2023, expanded and amended it.
This law requires businesses to fully disclose how they treat consumers' personal information.
On your road towards CCPA (CPRA) compliance, one important job is to update your Privacy Policy to reflect the CCPA/CPRA's strict new transparency requirements.
In this article, we're going to walk you through how to create a CCPA (CPRA) Privacy Policy and examine how the CCPA/CPRA's Privacy Policy requirements differ from those of other privacy laws.
We've also put together a Sample CCPA (CPRA) Privacy Policy Template that you can use to help write your own.
- 1. CCPA (CPRA) Overview
- 1.1. Who Needs to Create a CCPA (CPRA) Privacy Policy?
- 1.2. Does the CCPA (CPRA) Apply to Businesses Outside of California?
- 1.3. What's the Penalty for Not Having a CCPA (CPRA) Privacy Policy?
- 2. Requirements for a CCPA (CPRA) Privacy Policy
- 2.1. CCPA (CPRA) Consumer Rights
- 2.1.1. Right of Access
- 2.1.2. Right to Deletion
- 2.1.3. Right to Non-Discrimination
- 2.2. Requesting Access and Deletion
- 2.3. Your "Do Not Sell My Information" Page
- 2.4. Categories of Personal Information You Collect
- 2.5. Your Sources of Personal Information
- 2.6. Your Purposes for Collecting Personal Information
- 2.7. Personal Information You've Sold
- 2.8. Personal Information You've Disclosed for Business Purposes
- 3. CCPA (CPRA) Comparison to Other Major Privacy Laws
- 4. FAQs Regarding a CCPA (CPRA) Privacy Policy
- 5. Summary of a CCPA (CPRA) Privacy Policy
- 6. Download Sample CCPA (CPRA) Privacy Policy Template
- 6.1. Sample CCPA (CPRA) Privacy Policy Template (HTML Text Download)
- 6.2. Sample CCPA Privacy Policy Template (PDF Download)
- 6.3. Sample CCPA Privacy Policy Template (Word DOCX Download)
- 6.4. Sample CCPA Privacy Policy Template (Google Docs)
- 6.5. More Privacy Policy Templates
CCPA (CPRA) Overview
The CCPA (CPRA) takes the United States closer to the sort of strict privacy regime that has existed for many years in the EU. It's clearly influenced by the EU's General Data Protection Regulation (GDPR).
But even GDPR-compliant businesses will have a lot of work to do to comply with the CCPA (CPRA).
Who Needs to Create a CCPA (CPRA) Privacy Policy?
The CCPA (CPRA) applies to "businesses." However, the CCPA (CPRA) defines "business" narrowly: only for-profit entities that meet certain size or data-volume thresholds are covered.
A business is any for-profit entity doing business in California that either:
- Has annual gross revenues of over 25 million USD in the preceding calendar year (adjusted for inflation),
- Annually buys, sells, or shares the personal information of at least 100,000 consumers or households, or
- Derives 50 percent or more of its annual revenue from selling or sharing consumers' personal information
A business is also an entity that "determines the purposes and means of the processing of consumers' personal information." If you're familiar with the GDPR, you'll recognize this as the definition of a "data controller."
If your business collects personal information directly from its users and decides what to do with it, it meets this part of the definition. Whether the CCPA (CPRA) applies to you then depends on the thresholds above.
Does the CCPA (CPRA) Apply to Businesses Outside of California?
The CCPA (CPRA) isn't only aimed at businesses based in California. It's aimed at any business that processes the personal information of consumers in California. So, much like another major California privacy law, the California Online Privacy Protection Act (CalOPPA), the CCPA (CPRA) applies to businesses all over the world.
Your business could be based anywhere from Fresno to France. As long as your services are accessible in California, you could be covered by the CCPA (CPRA) and have to adhere to its requirements.
What's the Penalty for Not Having a CCPA (CPRA) Privacy Policy?
Failing to maintain a CCPA/CPRA-compliant Privacy Policy could result in a civil penalty of up to $2,500 per violation, or up to $7,500 per intentional violation.
One of California's other privacy laws, CalOPPA, also carries per-violation penalties. Delta Airlines narrowly escaped a potential fine of over $37 million under CalOPPA for failing to add a Privacy Policy to its mobile app; the exposure was so large because of the number of customers who had downloaded the Delta Airlines app.
It's easy to see how these fines, even if small on their own, can really add up.
Requirements for a CCPA (CPRA) Privacy Policy
Your CCPA (CPRA) Privacy Policy has a number of requirements, from what clauses and information it must include, to how you display it and how often you update it.
We're going to take a detailed look at each of these requirements and some examples of businesses that are already complying by having a CCPA (CPRA) Privacy Policy. There are a couple of important things to note before we do this:
- You must update your Privacy Policy every 12 months
- You must post a "conspicuous" link to your Privacy Policy on your website's front page
Here's how The Guardian does this:
Here's a run-down of the information you need to provide in your Privacy Policy for CCPA (CPRA) compliance.
CCPA (CPRA) Consumer Rights
The CCPA (CPRA) contains a set of consumer rights. Your Privacy Policy must inform your consumers of their rights.
Consumers have the right to request access to their personal information. They can make this request free of charge, up to twice in any 12-month period.
Here are some of the other CCPA (CPRA) rights.
Right of Access
On receiving an access request, you must provide the requested information in a portable and, to the extent technically feasible, readily usable format, normally within 45 days of the request.
When providing information under the right of access, you must include:
- The categories of personal information the business collects about the consumer
- The categories of sources of the consumer's personal information
- The business or commercial purpose for collecting or selling the consumer's personal information
- The categories of any third parties with whom the business shares the consumer's personal information
- The specific pieces of personal information collected about the consumer
If the business sells personal information, the consumer also has a right to request access to the following information:
- The categories of personal information the business collects about the consumer
- The categories of personal information the business has sold about the consumer
- The categories of any third parties to whom the business sold the consumer's personal information
- A list of which categories of personal information the business sold to each third party
- The categories of personal information the business discloses about the consumer for business purposes
Right to Deletion
The consumer has a right to request the deletion of personal information that the business holds on the consumer.
However, this right does not apply where the business needs to retain the personal information in order to do any of the following:
- Provide goods or services to the consumer
- Detect or resolve security or functionality-related issues
- Comply with the law
- Conduct research in the public interest
- Safeguard the right to free speech
- Carry out any actions for internal purposes that the consumer might reasonably expect
Right to Non-Discrimination
The consumer has the right not to be discriminated against for having exercised their rights under the CCPA (CPRA). In particular, the business may not:
- Deny the consumer goods or services
- Charge the consumer different prices for goods or services, whether through denying benefits or imposing penalties
- Provide the consumer with a different level or quality of goods or services
- Threaten the consumer with any of the above
You need to let consumers know about all of these rights.
Here's how CBD Medic informs consumers about their right of access:
And here's how Runza informs consumers about their right to non-discrimination:
You can have a clause for each right that helps your customers understand what their rights are and how you're going to facilitate them.
Requesting Access and Deletion
It's not enough to simply tell consumers about their rights. You need to set up a system through which consumers can exercise them. The CCPA (CPRA) requires at least two designated request methods, which for most businesses must include a toll-free telephone number; a business that operates exclusively online and has a direct relationship with the consumer need only provide an email address for requests.
Your Privacy Policy must tell consumers how to submit a request to exercise their CCPA (CPRA) rights.
Here's how Techbuyer approaches this:
Note how the clause begins with a phone number and email address that customers can use to exercise their rights. Further details follow, such as what the customer must do and any limitations on the requests.
The CCPA (CPRA) has notice requirements that you'll need to become familiar with as well, which we address in detail in our article: CCPA (CPRA) Notices. These notices include 4 consumer-specific notices.
Your "Do Not Sell My Information" Page
The CCPA (CPRA) requires any business that sells consumers' personal information to provide a web page where consumers can opt out of having their personal information sold. This is known as a "Do Not Sell My Personal Information" page (under the CPRA amendments, which also cover "sharing" for cross-context behavioral advertising, the required link text is "Do Not Sell or Share My Personal Information"). The business must link to this page both on the front page of its website and in its Privacy Policy.
Here's how FloraFlex displays the link to its "Do Not Sell My Personal Information" page in its Privacy Policy:
While FloraFlex is obviously keen to demonstrate compliance with the CCPA, it's worth noting that only businesses that do sell personal information are required to comply with this part of the CCPA (CPRA).
Categories of Personal Information You Collect
You must provide a list of the categories of personal information you've collected over the past 12 months.
To comply with this requirement, you need to know what constitutes "personal information" under the CCPA (CPRA). Here's the definition as it appears in the CCPA (CPRA):
"information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
The CCPA (CPRA) lists the following categories of personal information:
- Identifiers (such as name, email address, social security number, IP address, etc.)
- The categories of personal information listed in the California Customer Records Statute
- Protected legal characteristics
- Commercial information
- Biometric information
- Internet activity
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Employment information
- Education information
- Inferences about personal preferences and attributes drawn from profiling (e.g. via cookies)
- Sensitive personal information
Here's how Vertafore Solutions approaches this:
You don't have to use a chart format, but it's something to consider since it helps keep things organized and makes information easier for your users to sort through.
Your Sources of Personal Information
In addition to telling your users what categories of personal information you collect, you need to disclose your sources of personal information.
You may collect personal information from a variety of sources, depending on the context in which your business operates. You only need to list the categories of sources, i.e. the types of companies or other sources.
Here's an example from Brown-Forman:
Some of the sources listed include publicly available databases, social networks and marketing partners.
Your Purposes for Collecting Personal Information
The CCPA (CPRA) requires that you tell consumers why you collect personal information - your purposes for collecting it. What are you actually doing with their personal information?
Here's how Brown-Forman does this in a very well-organized manner. It lists out all the uses of the personal information in a simple way, then links each list item to a more detailed section in the Privacy Policy where users can find out more information if they want to:
This type of clause is very standard across the board for Privacy Policies, so it's highly likely that yours already has this type of clause included, regardless of the way it's formatted.
Personal Information You've Sold
Your Privacy Policy must list all the categories of personal information your business has sold in the past 12 months. If it hasn't sold any personal information over this period, then it must disclose this.
Here's an example of how to do this:
Note that the company has not sold any personal information in the past 12 months, so it lists "No" for each of the CCPA's categories of personal information. You can also make a simple blanket declaration that you have not sold any personal information in the past 12 months.
Personal Information You've Disclosed for Business Purposes
Your Privacy Policy must list all the categories of personal information your business has "disclosed for business purposes" over the past 12 months. If you haven't disclosed any personal information for business purposes over this period then you still must disclose this.
The CCPA (CPRA) gives categories of activities that count as "business purposes." If you share consumers' personal information with a third party so that they can perform these sorts of activities for you, you must disclose this in your Privacy Policy.
- Auditing
  - Advertising analytics
  - Auditing legal and regulatory compliance
- Security
  - Detecting security breaches
  - Protecting against fraud and malicious activity
  - Taking action against wrongdoers (e.g. fraudsters and hackers)
- Debugging
  - Identifying and fixing technical errors
- Short-term uses
  - Contextual ad customization that does not involve or contribute to profiling
- Performing services
  - Account maintenance
  - Customer service
  - Processing transactions
  - Marketing
- Internal research to develop or demonstrate technology
- Testing or improvement of any service or device "owned, manufactured, manufactured for, or controlled by" the business
Note that these examples are not exhaustive.
Here's how marketing company Lumen5 discloses how it shares its users' personal information with service providers:
A CCPA/CPRA-compliant Privacy Policy needs to go further than this by listing the categories of personal information disclosed for each business purpose.
CCPA (CPRA) Comparison to Other Major Privacy Laws
Here's how the CCPA/CPRA's Privacy Policy requirements match up against two other major privacy laws - the GDPR (EU) and CalOPPA (California).
| CCPA (CPRA) | GDPR | CalOPPA |
| --- | --- | --- |
| Information about California consumers' CCPA (CPRA) consumer rights. | Information about your EU users' GDPR data subject rights. | N/A |
| Instructions on how California consumers can request access to and deletion of their personal information. | Instructions on how your EU users can exercise their rights over their personal information. | Instructions on how California consumers can request access to and deletion of their personal information (if you allow this). |
| A link to your "Do Not Sell My Personal Information" page. | Instructions on how your EU users can opt out of direct marketing or withdraw consent to the processing of their personal information. | Instructions on how consumers can opt out of third-party cookies (if you use them). |
| A list of the categories of personal information you've collected over the past 12 months. | A list of the categories of personal information you process. | A list of the categories of personal information you collect. |
| Your sources of each category of personal information you collect. | The ways in which you process personal information (this would include information about where you collect it from). | N/A |
| Your purposes for collecting each category of personal information. | Your purposes for processing each category of personal information. | N/A |
| A list of all the categories of personal information you've sold over the past 12 months. | N/A | N/A |
| A list of all the categories of personal information you've disclosed for business purposes over the past 12 months. | N/A | N/A |
| N/A | Your company's name and contact details. | N/A |
| N/A | Names and contact details of key personnel (Data Protection Officer, EU Representative). | N/A |
| N/A | A list of the categories of organizations with whom you share personal information. | A list of the categories of organizations with whom you share personal information. |
| N/A | Your lawful basis for processing each category of personal information. | N/A |
| How long you plan to retain each category of personal information. | The periods for which you store each category of personal information. | N/A |
| N/A | Information about any international transfers of personal information outside the EU. | N/A |
| N/A | N/A | The date on which the Privacy Policy takes effect. |
| N/A | N/A | Information about how you will inform consumers of any changes to the Privacy Policy. |
| N/A | N/A | Information about how your website responds to Do Not Track signals from visitors' web browsers. |
| N/A | N/A | Information about your use of third-party cookies or other tracking technologies (if you use them). |
For more information about how these laws compare, see:
- How the CCPA (CPRA) is Similar to the GDPR
- How the CCPA is Different from the GDPR
- CCPA (CPRA) vs. CalOPPA
FAQs Regarding a CCPA (CPRA) Privacy Policy
Here is a list of frequently asked questions that you may find useful.
If you are a "business" as defined by the CCPA (CPRA) and do business with people located in California, you must have a CCPA-compliant Privacy Policy.
A "business" under the CCPA (CPRA) is a for-profit entity that meets at least one of the following requirements:
- Has annual gross revenue of over $25 million
- Annually buys, sells, or shares the personal information of at least 100,000 consumers or households, or
- Derives 50 percent or more of its annual revenue from selling or sharing personal information
It doesn't matter where your business is located. If you have customers in California and meet one of the 3 requirements above, you must have a CCPA-compliant Privacy Policy.
The CCPA requires that your Privacy Policy be updated once every 12 months, be conspicuously linked to your website and that the Policy provides the following information:
- The CCPA consumer rights and how users can exercise them
- The categories of personal information you've collected over the last 12 months
- The categories of personal information you've sold over the last 12 months
- What personal information you've disclosed for business purposes over the last 12 months
- Your sources of personal information
- Your purposes for collecting personal information
To update your existing Privacy Policy for CCPA compliance, make sure it already contains, or you add, the same six items listed above: the consumer rights and how to exercise them, the categories of personal information collected, sold and disclosed for business purposes over the last 12 months, your sources of personal information, and your purposes for collecting it.
The CCPA requires you to update your Privacy Policy once every 12 months.
The CCPA requires that you provide a "conspicuous" link to your Privacy Policy. Put this link in your website footer along with other important legal agreements like your Terms and Conditions agreement.
You should also add a link to your CCPA Privacy Policy at areas of your website where you request to collect personal information.
For example:
- Email newsletter sign-up forms
- Contact forms
- Account sign-up forms
- Ecommerce checkout pages
For mobile apps, the same concept applies. Add a link to your CCPA Privacy Policy in a menu within your app, such as an "About" or "Legal" menu. Also add the link to other areas of your app where you request personal information, such as when a user creates an account or provides a telephone number for app notifications.
Make your CCPA Privacy Policy enforceable by having your users click an unticked checkbox next to a statement that says something similar to "I have read and agree to the terms of the Privacy Policy."
You can also have users click a button that says something like "I Agree" next to a statement like the above if you don't want to use a checkbox.
Summary of a CCPA (CPRA) Privacy Policy
Your CCPA (CPRA) Privacy Policy must contain:
- Information about the CCPA (CPRA) consumer rights
- Instructions on how California consumers can request access to and deletion of their personal information
- If you sell personal information, a link to your "Do Not Sell My Personal Information" page
- A list of the categories of personal information you've collected over the past 12 months
- Your sources for each category of personal information you collect
- Your purposes for collecting each category of personal information
- A list of all the categories of personal information you've sold over the past 12 months, or a disclosure that you don't sell personal information
- A list of all the categories of personal information you've disclosed for business purposes over the past 12 months or, a disclosure that you don't disclose personal information for business purposes
You must update your Privacy Policy every 12 months according to the CCPA (CPRA). Make sure to reflect this by updating your Privacy Policy's 'effective date' even if you don't make any other changes to the Policy.
Download Sample CCPA (CPRA) Privacy Policy Template
Our Sample CCPA (CPRA) Privacy Policy Template is available for download, for free. The template includes these sections:
- Definitions
- Collecting and Using Personal Information
- Usage Data
- Use of Personal Information
- Transfer of Personal Information
- Disclosure of Personal Information
- Security of Personal Information
- CCPA Privacy Policy
- Links to Other Websites
- Changes to Privacy Policy
- Contact Information
Sample CCPA (CPRA) Privacy Policy Template (HTML Text Download)
You can download the Sample CCPA (CPRA) Privacy Policy Template as HTML code below. Copy it from the box below (right-click > Select All, then Copy) and paste it into your website pages and app screens.
Sample CCPA Privacy Policy Template (PDF Download)
Download the Sample CCPA Privacy Policy Template as a PDF file
Sample CCPA Privacy Policy Template (Word DOCX Download)
Download the Sample CCPA Privacy Policy Template as a Word DOCX file
Sample CCPA Privacy Policy Template (Google Docs)
Download the Sample CCPA Privacy Policy Template as a Google Docs document
More Privacy Policy Templates
More specific Privacy Templates are available on our blog.
Sample Privacy Policy Template | A Privacy Policy Template for all sorts of websites, apps and businesses. |
Sample Mobile App Privacy Policy Template | A Privacy Policy Template for mobile apps on Apple App Store or Google Play Store. |
Sample GDPR Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with GDPR. |
Sample CCPA Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with CCPA. |
Sample California Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with California's privacy requirements (CalOPPA & CCPA). |
Sample Virginia VCDPA Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with Virginia's VCDPA. |
Sample PIPEDA Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with Canada's PIPEDA. |
Sample Ecommerce Privacy Policy Template | A Privacy Policy Template for ecommerce businesses. |
Small Business Privacy Policy Template | A Privacy Policy Template for small businesses. |
Privacy Policy for Google Analytics (Sample) | A Privacy Policy Template for businesses that use Google Analytics. |
Sample CalOPPA Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with California's CalOPPA. |
Sample SaaS Privacy Policy Template | A Privacy Policy Template for SaaS businesses. |
Sample COPPA Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with the US federal Children's Online Privacy Protection Act (COPPA). |
Sample CPRA Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with California's CPRA. |
Blog Privacy Policy Sample | A Privacy Policy Template for blogs. |
Sample Email Marketing Privacy Policy Template | A Privacy Policy Template for businesses that use email marketing. |