The California Consumer Privacy Act (CCPA) came into effect on January 1st, 2020. On January 1st, 2023, it was amended and expanded by the California Privacy Rights Act (CPRA).
Updating your Privacy Policy is a major part of CCPA (CPRA) compliance.
We're going to check off all the sections and components your Privacy Policy needs under the CCPA (CPRA). We'll take a look at each of the different sections in detail with examples, and a complete checklist is included at the end of the article.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
- At Step 1, select the Website option or App option or both.
- Answer some questions about your website or app.
- Answer some questions about your business.
- Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
- 1. CCPA (CPRA) Frequently Asked Questions
- 1.1. What Counts as "Personal Information" Under the CCPA (CPRA)?
- 1.2. What Counts as "Selling Personal Information?"
- 1.3. What Counts as "Disclosing Personal Information for Business Purposes?"
- 2. CCPA (CPRA) Consumer Rights
- 2.1. The Right to Access
- 2.1.1. Information About the Right to Access
- 2.1.2. Instructions on How to Exercise the Right to Access
- 2.2. The Right to Deletion
- 2.2.1. Information about the Right to Deletion
- 2.2.2. Instructions on How to Exercise the Right to Deletion
- 2.3. The Right to Non-Discrimination
- 2.4. The Right to Opt Out
- 2.4.1. Link to Your "Do Not Sell My Personal Information" Page
- 3. Your Personal Information Practices
- 3.1. Personal Information You've Collected
- 3.2. Personal Information You've Sold
- 3.3. Personal Information You've Disclosed for Business Purposes
- 4. CCPA (CPRA) Privacy Policy Checklist
CCPA (CPRA) Frequently Asked Questions
The CCPA (CPRA) requires businesses to provide a lot of information about how they treat California consumers' personal information. That can raise a lot of questions, such as the following.
Does the CCPA (CPRA) Apply to Your Business?
The CCPA (CPRA) will affect many businesses across the world. However, its scope is narrower than many other privacy laws.
The law applies to large businesses and those which trade primarily in personal information.
The CCPA (CPRA) defines a "business" as any company operating for profit in California that fulfills at least one of the following characteristics:
- It raises gross revenues of at least $25 million per year,
- It buys, sells, receives (for commercial purposes), and/or shares (for commercial purposes) the personal information of at least 100,000 consumers, households, and/or individual devices, or
- It earns at least half of its gross revenue per year via the sharing or selling of personal information.
There's another important requirement: the business must be one "that determines the purposes and means of the processing of personal information." This is the same wording the GDPR uses to define a "data controller."
It's likely that your business fits this definition, for example, if you're collecting personal information directly from your customers.
If your company only operates on behalf of other businesses, it may be a "service provider" (known as a "data processor" under the GDPR).
For more information about this distinction, read our article on data controllers and data processors under the GDPR.
What Counts as "Personal Information" Under the CCPA (CPRA)?
The CCPA (CPRA) defines "personal information" as:
"information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
This covers a vast range of different types of information. The CCPA (CPRA) lists categories of personal information:
- Identifiers, e.g., name, username, IP address, email address, etc.
- California Customer Records Statute categories of personal information
- Characteristics of protected classifications under California or federal law
- Commercial information, including records of personal property, purchases, etc.
- Biometric information
- Internet or other electronic network activity information, e.g., browsing history, search history, etc.
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment-related information
- Education information, as defined in the Family Educational Rights and Privacy Act
- Inferences drawn from personal information to create a profile about a consumer
The CPRA expanded this to include what's known as "sensitive personal information."
What Counts as "Selling Personal Information?"
The CCPA (CPRA) defines "selling personal information" as:
"selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration."
The CCPA (CPRA) does not consider the following things to be acts of "selling" personal information:
- Disclosing the consumer's personal information to a third party at the consumer's request, or enabling the consumer to actively interact with a third party. In either case, the third party must not sell the personal information.
- Informing third parties that the consumer has exercised their right to opt out.
- Disclosing personal information for a business purpose, as long as the recipient business doesn't sell the personal information.
- Transferring personal information that is an asset as part of a merger, acquisition, or another similar process.
What Counts as "Disclosing Personal Information for Business Purposes?"
Not many businesses "sell" personal information, but most benefit from the sharing of personal information. This can be a subtle distinction, and the CCPA (CPRA) requires transparency here.
The CCPA (CPRA) gives categories of activities that count as "business purposes." If you share consumers' personal information with a third party so that they can perform these sorts of activities for you, you must disclose this in your Privacy Policy.
- Auditing, including:
  - Counting ad impressions to unique visitors
  - Verifying positioning and quality of ad impressions
  - Compliance with laws/standards
- Security, including:
  - Detecting security incidents
  - Protecting against malicious or illegal activity
  - Prosecuting the people responsible for such activities
- Debugging to identify and repair errors
- Short-term, transient use, as long as the personal information is not (for example):
  - Disclosed to a further third party
  - Used for profiling or ad customization outside of the current transaction
- Performing services on behalf of your business, including:
  - Account maintenance
  - Customer service
  - Processing orders
  - Customer verification
  - Payments
  - Financing
  - Advertising
  - Analytics services
- Undertaking internal research for technological development and demonstration
- Undertaking the following activities in respect of a service or device that is owned, manufactured, manufactured for, or controlled by the business:
  - Verifying or maintaining its quality or safety
  - Improving, upgrading, or enhancing it
Note that these examples are not exhaustive.
CCPA (CPRA) Consumer Rights
The first part of your CCPA (CPRA) Privacy Policy is dedicated to explaining the CCPA (CPRA) consumer rights.
Your Privacy Policy must inform consumers about at least three consumer rights, namely:
- The right to access
- The right to deletion
- The right to non-discrimination
If you sell personal information, your Privacy Policy must also inform consumers about the right to opt out of this.
The Right to Access
The right to access lets consumers access general information about the personal information you collect, sell, or share for business purposes. The right to access also lets consumers access copies of the specific pieces of their personal information that you have collected.
The right of access is sometimes called "the right to disclosure," or "the right to access and data portability."
Information About the Right to Access
Your Privacy Policy must explain what information is available under the right to access, which is the following 5 types of information, in respect of the preceding 12-month period:
1. The categories of personal information you have collected about them
2. The categories of sources from which you have obtained their personal information
3. Your business or commercial purposes for collecting personal information
4. The categories of any third parties with whom you have shared their personal information
5. The specific pieces of personal information you have collected
Note that you don't actually have to list this specific information in your Privacy Policy. You only have to make consumers aware that they can request it under the right to access.
However, you may wish to list the information required under points 1-4 (above) in your Privacy Policy. Here's how SurveyMonkey does this, neatly providing the information required under points 1, 2, and 4:
If you sell personal information or disclose personal information for a business purpose, you have additional obligations under the right to access. You must also explain to consumers that they can request access to the following information, in respect of the preceding 12-month period:
- The categories of personal information you have collected about them
- The categories of any of their personal information that you have sold
- The categories of any third parties to whom you have sold their personal information
- The categories of their personal information that you sold to each of the third parties
- The categories of any of their personal information that you have disclosed for business purposes
You should also inform consumers that, in each case, your company must provide this information:
- On receipt of a Verifiable Consumer Request
- Without charge
- On up to 2 occasions every 12 months
- In a portable, readily-usable format (e.g., JSON, XML, or CSV)
- Within 45 days. If reasonably necessary, you can extend this period by an additional 45 days if you notify the consumer
Here's how FICO explains the right to access to consumers:
Instructions on How to Exercise the Right to Access
You must set up a process by which consumers can submit a Verifiable Consumer Request to access their personal information. This must include, at a minimum, a toll-free phone number and a webpage.
The California Attorney General is due to release guidance as to what constitutes a Verifiable Consumer Request. Until then, businesses are using their best judgment to find a balance between safeguarding individual privacy and facilitating consumers' requests.
Here's an example from NVA:
NVA leaves itself some discretion about what it considers "verifiable," which is reasonable until the Attorney General provides some clear advice for businesses.
The Right to Deletion
The right to deletion enables consumers to request that you delete their personal information under certain conditions.
The right to deletion is sometimes known as "the right to be forgotten."
Information about the Right to Deletion
Your Privacy Policy must make consumers aware of their right to request that you delete their personal information. You should also inform consumers that, in each case, your company must delete their personal information:
- On receipt of a Verifiable Consumer Request
- Without charge
- On up to 2 occasions every 12 months
- Within 45 days. If reasonably necessary, you can extend this period by an additional 45 days if you notify the consumer.
However, there are many exceptions to the right to deletion, which you should also detail in your Privacy Policy.
You may be able to refuse to delete a consumer's personal information if you need it for one or more of the following purposes:
- Contract:
  - To complete the transaction for which you collected the consumer's personal information
  - To provide a product or service that the consumer has requested, or that they would reasonably expect in the context of their relationship with your business
  - To carry out a contract with the consumer
- Security:
  - To detect security incidents
  - To protect against malicious, deceptive, fraudulent, or illegal activity
  - To prosecute people responsible for such activities
- Debugging in order to detect and repair errors that affect intended functionality
- Free speech:
  - To exercise free speech
  - To ensure that another consumer can exercise free speech
  - To exercise other legal rights
- To comply with California's Electronic Communications Privacy Act (CalECPA)
- Research: To engage in public or peer-reviewed scientific, historical, or statistical research that:
  - Is in the public interest,
  - Would be seriously impaired or impossible to carry out without retaining the personal information, and
  - Has been consented to by the consumer
- Internal purposes: To use it for a purpose that is:
  - Internal to your company, and
  - In line with the reasonable expectations of the consumer, in the context of their relationship with your business
- To comply with a legal obligation
- Other purposes: To use it for any other purpose that is:
  - Lawful,
  - Internal to your company, and
  - Compatible with the context in which the consumer provided the information
The list above represents every exception in the CCPA. It's very detailed and quite repetitive. Therefore, many companies include a simplified version of this list in their Privacy Policies.
Here's an example from UGG:
It's important to use language that your customers will understand. But be sure to remain accurate in your representation of the law. UGG gets this balance about right.
Instructions on How to Exercise the Right to Deletion
The rules around facilitating the right to deletion are the same as for the right to access. Most businesses allow consumers to access both rights by the same means.
Here's a typical example, from Cubitts:
The Right to Non-Discrimination
The right to non-discrimination means that you cannot discriminate against a consumer who exercises their CCPA (CPRA) rights. The CCPA (CPRA) gives a non-exhaustive list of ways in which you may not discriminate against a consumer:
- Denying them goods or services
- Charging them different prices, e.g., by denying discounts or imposing penalties
- Providing them with a different level or quality of goods or services
- Suggesting that you might do any of the discriminatory things listed above
Your Privacy Policy must explain the right to non-discrimination to consumers.
Here's an example from Cypress:
The right to non-discrimination is a "passive" right, and so consumers cannot exercise it. You don't need to explain this in your Privacy Policy.
The Right to Opt Out
The right to opt out gives California consumers the right to order your company not to sell their personal information. This is only applicable if you sell consumers' personal information.
The right to opt out is sometimes known as "the right to say 'no.'"
Link to Your "Do Not Sell My Personal Information" Page
If you sell consumers' personal information, you must set up a webpage entitled "Do Not Sell My Personal Information" via which consumers can exercise their right to opt out.
You must provide a link to your "Do Not Sell My Personal Information" page in your Privacy Policy, along with a brief explanation of the right to opt out.
Here's an example from UDX Leads:
This page should have instructions for how a user can opt out of the selling of their personal information either via contact information, or with a webform if you have the resources to implement one.
Your Personal Information Practices
The second half of your CCPA (CPRA) Privacy Policy must contain at least one of the CCPA/CPRA's three lists:
- A list of the categories of personal information your business has collected over the preceding 12-month period
- A list of the categories of personal information you've sold over the preceding 12-month period
- A list of the categories of personal information you've disclosed for business purposes over the preceding 12-month period
If one or more of these lists doesn't apply to your business, you need to disclose this.
Personal Information You've Collected
Your Privacy Policy must disclose the categories of personal information your business has collected in the past 12 months. This list should correspond with the CCPA/CPRA's 11 categories of personal information.
Here's how Skyworks does this:
Other businesses, such as YotPo, use a table to display which categories of personal information they have collected:
Personal Information You've Sold
Your Privacy Policy must list all the categories of personal data your business has sold in the past 12 months. If you haven't sold any personal information over this period then your Privacy Policy must disclose this.
Here's an example from NextRoll's Privacy Policy:
NextRoll accompanies its disclosure with a reminder about the right to opt out, with a link to the relevant section of its Privacy Policy. This is a good practice.
Personal Information You've Disclosed for Business Purposes
Your Privacy Policy must list all the categories of personal information your business has disclosed for business purposes in the past 12 months. If you haven't disclosed any personal information for business purposes over this period then your Privacy Policy must disclose this.
Here's how Horne LLP does this:
And now, here's the checklist to help you hit all the points we just covered.
CCPA (CPRA) Privacy Policy Checklist
Here's a checklist of everything your Privacy Policy needs to be CCPA/CPRA-compliant. We've split it up into two broad sections to make it clear what you need to include.
- Information about the CCPA/CPRA's consumer rights:
  - The right to access, and how consumers can exercise this right
  - The right to deletion, and how consumers can exercise this right
  - The right to non-discrimination
  - If you sell personal information: the right to opt out, and a link to your "Do Not Sell My Personal Information" page
- Information about your personal information practices over the past 12 months:
  - A list of the categories of personal information your business has collected over the preceding 12-month period
  - A list of the categories of personal information you've sold over the preceding 12-month period; or, if you haven't sold any personal information in the preceding 12-month period, disclosure of this
  - A list of the categories of any personal information you've disclosed for business purposes over the preceding 12-month period; or, if you haven't disclosed any personal information for business purposes in the preceding 12-month period, disclosure of this
You must update your Privacy Policy every 12 months. Amend your Privacy Policy's "effective date" each year, even if you don't need to make any other changes.
You must post a conspicuous link to your Privacy Policy on the homepage of your company's website.