California has the strictest privacy laws in the United States. And it's also a huge, tech-savvy market. You must not do anything that compromises your operations in this important state.
Several California laws require website operators to create a Privacy Policy. These laws have very specific requirements about what a Privacy Policy must contain. To avoid legal trouble with the California Attorney General, you must ensure your Privacy Policy complies with all relevant California laws.
In this article, we're going to walk you through how to create a California Privacy Policy and examine the California laws and regulations around privacy.
We've also put together a Sample California Privacy Policy Template that you can use to help write your own.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
- At Step 1, select the Website option or App option or both.
- Answer some questions about your website or app.
- Answer some questions about your business.
- Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
- 1. California Privacy Policy Laws
- 2. California Consumer Privacy Act (CCPA)
- 2.1. Does the CCPA Apply to Me?
- 2.2. What is Personal Information Under the CCPA?
- 2.3. What Must a CCPA Privacy Policy Contain?
- 3. California Online Privacy Protection Act (CalOPPA)
- 3.1. Does CalOPPA Apply to Me?
- 3.2. What is Personal Information Under CalOPPA?
- 3.3. What Must a CalOPPA Privacy Policy Contain?
- 4. California "Shine the Light" Law
- 4.1. Does the "Shine the Light" Law Apply to Me?
- 4.2. What is Personal Information Under the "Shine the Light" Law?
- 4.3. What Must a "Shine the Light" Law Privacy Policy Contain?
- 5. California "Online Eraser" Law
- 5.1. Does the Online Eraser Law Apply to My Business?
- 5.2. What Must a California "Online Eraser" Law Privacy Policy Contain?
- 6. Other Privacy Laws You May Need to Obey
- 7. Conspicuously Posting Your Privacy Policy
- 7.1. How Do I Display My Privacy Policy On My Website?
- 7.2. How Do I Display My Privacy Policy On My App?
- 8. FAQs regarding Privacy Policies for California
- 9. Summary of a California Privacy Policy
- 10. Download Sample California Privacy Policy Template
- 10.1. Sample California Privacy Policy Template (HTML Text Download)
- 10.2. Sample California Privacy Policy Template (PDF Download)
- 10.3. Sample California Privacy Policy Template (Word DOCX Download)
- 10.4. Sample California Privacy Policy Template (Google Docs)
- 10.5. More Privacy Policy Templates
California Privacy Policy Laws
In this article, we'll be taking you through four important California-specific laws that you may have to comply with if you have users in California (no matter where you're based).
The laws are:
- California Consumer Privacy Act (CCPA)
- California Online Privacy Protection Act (CalOPPA)
- California "Shine the Light" Law
- California "Online Eraser" Law
We're not going into too much detail about any of these laws in this article. We're going to focus on:
- The main purpose of the laws
- Whether the laws apply to you
- What is "personal information" under the laws
- Any specific requirements for your Privacy Policy
If you want to know more about any of these laws, we have articles about all of them. Just click the relevant link above.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) is the most extensive California privacy law but applies to a narrow range of companies. It grants California residents new consumer rights and focuses on allowing them to opt out of the sale of their personal information.
Does the CCPA Apply to Me?
The CCPA mostly covers big businesses and "data brokers" - businesses that trade in personal information.
If your business operates for profit in California and meets at least one of the following criteria, the CCPA might apply to you:
- You raise gross annual revenues of at least $25 million
- You (alone or in combination) buy, sell, receive (for commercial purposes), and/or share (for commercial purposes) the personal information of at least 50,000:
  - Consumers
  - Households
  - Devices
- You earn at least half of your gross annual revenues by selling personal information
What is Personal Information Under the CCPA?
The CCPA provides 11 specific categories of personal information. These categories are important because you'll need to make specific reference to them in your Privacy Policy. The categories are as follows:
- Identifiers
- Personal information as defined in the California Customer Records Statute
- Characteristics of protected classifications under California or federal law
- Commercial information
- Biometric information
- Internet or other electronic network activity information
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment-related information
- Education information
- Inferences drawn from personal information to create a profile about a consumer
What Must a CCPA Privacy Policy Contain?
A CCPA Privacy Policy must contain information about the consumer rights granted by the CCPA, and information about how your business treats consumers' personal information.
For more information about the CCPA's consumer rights, and about terms such as "selling personal information," your "Do Not Sell My Personal Information" page, and "disclosing personal information for business purposes," see our article CCPA Privacy Policy Checklist.
Here's what you need for your CCPA Privacy Policy:
- A list of the CCPA consumer rights:
  - The right to access
    - How consumers can exercise their right to access
  - The right to deletion
    - How consumers can exercise their right to deletion
  - The right to non-discrimination
  - If you sell personal information: the right to opt out
    - A link to your "Do Not Sell My Personal Information" page
- Disclosure of business practices over the past 12-month period:
  - Which categories of personal information you've collected in the past 12 months
  - Which categories of personal information you've sold in the past 12 months, or:
    - A disclosure that you haven't sold any personal information in the past 12 months
  - Which categories of personal information you've disclosed for business purposes in the past 12 months, or:
    - A disclosure that you haven't disclosed any personal information for business purposes in the past 12 months
Your Privacy Policy must be updated every 12 months. Even if you don't need to make any other changes to your Privacy Policy, we recommend you change the "effective date" each year.
California Online Privacy Protection Act (CalOPPA)
Next, we're going to look at California's original, most widely applicable, and simplest privacy law, the California Online Privacy Protection Act (CalOPPA).
CalOPPA first passed in 2003 and got an update in 2013. It was the first US law requiring people to create and display a Privacy Policy on their website, identifying the personal information they collect about visitors to their website or users of their app.
Does CalOPPA Apply to Me?
CalOPPA applies to any "commercial website owner [who] collects and maintains personally identifiable information from a consumer residing in California."
This means that CalOPPA applies to virtually any company operating a website or app.
What is Personal Information Under CalOPPA?
CalOPPA uses the term "personally identifiable information." Most other privacy laws use the term "personal information" or "personal data." We're going to stick with the term "personal information" throughout this article.
Compared to many other privacy laws, such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), CalOPPA gives quite a narrow definition of personal information.
CalOPPA gives the following examples of personal information:
- A first and last name
- A home or other physical address, including street name and name of a city or town
- An email address
- A telephone number
- A social security number
- Any other identifier that allows the contacting of a specific individual
- Information concerning a user that the website or online service collects online from the user and maintains in a personally identifiable form together with one of the identifiers above
What Must a CalOPPA Privacy Policy Contain?
A CalOPPA Privacy Policy must contain the following information:
- The categories of personal information you collect via your website or app.
- The categories of third parties with whom you may share that personal information.
- If you have any system that allows your users to review or request changes to their personal information, a description of that system.
- Information about how you'll inform users of when you make changes to your Privacy Policy.
- The effective date of your Privacy Policy.
- Information about how you respond to browser "Do Not Track" signals.
- A disclosure regarding whether other parties may collect the user's personal information across other websites once they've used your website or app (i.e. whether your website or app allows behavioral tracking).
Here's an excerpt from Primaris' Privacy Policy that covers many of these requirements (others are covered elsewhere in Primaris' Privacy Policy):
California "Shine the Light" Law
California's "Shine the Light" law gives California residents the right, once per year, to request certain information about what kind of personal information your company has collected about them and then shared with third parties for direct marketing purposes.
Does the "Shine the Light" Law Apply to Me?
You must comply with California's "Shine the Light" law if all of the following three things apply.
Your business:
- Has 20 or more employees
- Has users who are California residents
- Has shared personal information from any of your users with a third party for direct marketing purposes within the past 12 months
There are exemptions to the law. You can read more about these on our full article about the "Shine the Light" law, linked above.
What is Personal Information Under the "Shine the Light" Law?
The "Shine the Light" law lists 27 categories of personal information. If you share these categories of personal information with third parties for direct marketing purposes, you must disclose this to your users on request.
- Name and address
- Email address
- Age or date of birth
- Names of children
- Email or other addresses of children
- Number of children
- Age or gender of children
- Height
- Weight
- Race
- Religion
- Occupation
- Telephone number
- Education
- Political party affiliation
- Medical condition
- Drugs, therapies, or medical products or equipment used
- Kind of product the customer purchased, leased or rented
- Real property purchased, leased, or rented
- Kind of service provided
- Social Security number
- Bank account number
- Credit card number
- Debit card number
- Bank or investment account, debit card or credit card balance
- Payment history
- Information about the customer's creditworthiness, assets, income, or liabilities
What Must a "Shine the Light" Law Privacy Policy Contain?
The first page of your Privacy Policy must describe your users' rights under the law and provide a mailing address and email address via which they can exercise those rights.
Here's how Newscorp does this:
The "Shine the Light" law also requires that you display a link to your Privacy Policy on your website's home page. The link must contain the phrase "Your Privacy Rights" or "Your California Privacy Rights."
Here's how the Walt Disney company does this:
Make this link accessible with your other legal agreements such as your Terms and Conditions agreement and general Privacy Policy.
California "Online Eraser" Law
The California "Online Eraser" law allows California minors (under 18 years of age) to remove content or personal information from your website or app if your website or app is aimed at minors. It also prohibits certain types of advertising to minors.
Does the Online Eraser Law Apply to My Business?
The "Online Eraser" law could apply to you if:
- You operate a website or app
- You direct your website or app specifically to California residents under 18 (minors), or:
  - You have "actual knowledge" that a minor is using your website or app (you don't need to keep records or actively check)
- You use the minors' personal information for ad personalization
The "Online Eraser" law imposes some rules on your company even if it uses a third-party advertiser.
Under the "Online Eraser" law, you must inform your advertising partners of their obligations under the law.
What Must a California "Online Eraser" Law Privacy Policy Contain?
Your Privacy Policy must explain how minors can remove (or request removal of) their personal information from your website or app.
Here's an example from the American Licorice Company:
The American Licorice Company offers three ways for minors to erase their personal information from its site:
- Log in using their username and password
- Send the company an email
- Send the company a letter
Other Privacy Laws You May Need to Obey
There are many other privacy laws you may need to obey that are not specific to California. These include:
- The EU General Data Protection Regulation (GDPR)
- The Children's Online Privacy Protection Act (COPPA)
- The Health Insurance Portability and Accountability Act (HIPAA)
Throughout this article, we've talked you through some California-specific laws. You can integrate the required information into your general Privacy Policy. Or, you can create a California-specific Privacy Policy, as Pearson has done:
As long as you provide the required content and have appropriate linking to your California privacy information, you can take either approach.
Conspicuously Posting Your Privacy Policy
A major aspect of California privacy law is "conspicuously posting" your Privacy Policy on your website and/or app.
Note that the California "Shine the Light" law has some specific requirements that go above and beyond the information presented below.
How Do I Display My Privacy Policy On My Website?
To "conspicuously post" your Privacy Policy on your website, you could place a link using larger type than the other text on the page. You could also use a contrasting color or use arrows to draw attention to it.
You don't have to call your Privacy Policy a "Privacy Policy." Some companies use "Privacy Statement" or "Privacy Notice." Just make sure that the purpose of the document is obvious and make sure you use the word "privacy."
Post a conspicuous link like this on every page of your website where you collect personal information, such as where you have mailing list signups, registration forms, payment pages, etc.
Here's an example of the link to Amazon's Privacy Policy on its homepage, in the footer:
Amazon also presents its Privacy Policy when asking users to give their personal information at signup:
Take every opportunity to present your users with your Privacy Policy at points when it would be relevant (such as when you're requesting personal information from the user).
How Do I Display My Privacy Policy On My App?
To conspicuously post your Privacy Policy on your mobile app, first of all, you need to link to it in the Apple App Store and/or Google Play Store. For further information, see our articles: Privacy Policy for iOS Apps and Privacy Policy for Android Apps.
You can link to your Privacy Policy in the "Settings" or "About" menus of your app.
Here's how the Amazon Fire TV app presents its Privacy Policy within an in-app menu:
You should also link to your Privacy Policy whenever you collect personal information within the app itself, e.g., at account creation screens, payment screens, etc.
Here's an example of how Monzo provides its Privacy Policy during installation:
The most important principle is to ensure that your users have easy access to your Privacy Policy within your app itself and not just on your website.
FAQs regarding Privacy Policies for California
Here is a list of frequently asked questions that you may find useful.
The laws in California that require a Privacy Policy are:
- The California Online Privacy Protection Act (CalOPPA)
- The "Shine the Light" law
- The California Consumer Privacy Act (CCPA)
- The "Online Eraser" law
Yes, if you do business with people located in California.
When it comes to privacy laws, the laws work to protect people in a region. Because of this, when it comes to compliance, it matters more where your customers are located rather than where your business is located.
Each of the California privacy laws requires different content for your California-compliant Privacy Policy. Here's a breakdown by law:
CalOPPA:
- The effective date of your Privacy Policy
- How you'll notify users of updates to your Privacy Policy
- The categories of personal information you collect
- The categories of third parties that you may (or do) share personal information with
- A disclosure about whether third parties may collect the users' personal information across other websites once they've used your website or app
- A description of any system you use that allows your users to review or request changes to their personal information
- How you respond to "Do Not Track" signals
"Shine the Light" law:
- A disclosure of what rights users have under this law
- Instructions on how users can exercise these rights
CCPA:
- A list of the CCPA consumer rights and how users can exercise these rights
- What categories of personal information you've collected in the last 12 months
- What categories of personal information you've sold in the last 12 months
- What categories of personal information you've disclosed for business purposes in the last 12 months
"Online Eraser" law:
- A method for minors to remove or request removal of their personal information from your website or app
Update your existing Privacy Policy to include the following California-specific requirements.
You can add the information to your general Privacy Policy, create a separate California Privacy Policy, or dedicate a section of your Privacy Policy to "California Users":
- The effective date of your Privacy Policy
- How you'll notify users of updates to your Privacy Policy
- The categories of personal information you collect
- The categories of third parties that you may (or do) share personal information with
- A disclosure about whether third parties may collect the users' personal information across other websites once they've used your website or app
- A description of any system you use that allows your users to review or request changes to their personal information
- How you respond to "Do Not Track" signals
- A disclosure of what rights users have under this law
- Instructions on how users can exercise these rights
- A list of the CCPA consumer rights and how users can exercise these rights
- What categories of personal information you've collected in the last 12 months
- What categories of personal information you've sold in the last 12 months
- What categories of personal information you've disclosed for business purposes in the last 12 months
- A method for minors to remove or request removal of their personal information from your website or app
Make sure to display your Privacy Policy link conspicuously, such as in your website footer and in your mobile app "About" or "Legal" menu.
California privacy laws require that you provide a "conspicuous" link to your California-compliant Privacy Policy. Put this link in your website footer along with other important legal agreements like your Terms and Conditions agreement.
You should also add a link to your California-compliant Privacy Policy at areas of your website where you request to collect personal information.
For example:
- Email newsletter sign-up forms
- Contact forms
- Account sign-up forms
- Ecommerce checkout pages
For mobile apps, the same concept applies. Add a link to your California-compliant Privacy Policy in a menu within your app, such as an "About" or "Legal" menu. Also add the link to other areas of your app where you request personal information, such as when a user creates an account or provides a telephone number for app notifications.
Make your California-compliant Privacy Policy enforceable by having your users click an unticked checkbox next to a statement that says something similar to "I have read and agree to the terms of the Privacy Policy."
You can also have users click a button that says something like "I Agree" next to a statement like the above if you don't want to use a checkbox.
Summary of a California Privacy Policy
Here's some of the information you'll need to include in your Privacy Policy to ensure you comply with the major California-specific privacy laws:
| CalOPPA | California "Shine the Light" law | The CCPA | California "Online Eraser" law |
|---|---|---|---|
| The categories of personal information you collect via your website or app. | Your users' rights under the law. | A list of the CCPA consumer rights and information about how consumers can access those rights. | A method by which minors can remove (or request removal of) their personal information from your website or app. |
| The categories of third parties with whom you may share that personal information. | A method by which your users can exercise their rights under the law. | Disclosure of which categories of personal information you've collected in the past 12 months. | |
| If you have any system that allows your users to review or request changes to their personal information, a description of that system. | | Disclosure of which categories of personal information you've sold in the past 12 months (or a declaration that you haven't done so). | |
| Information about how you'll inform users of when you make changes to your Privacy Policy. | | A disclosure of which categories of personal information you've disclosed for business purposes in the past 12 months (or a declaration that you haven't done so). | |
| The effective date of your Privacy Policy. | | | |
| Information about how you respond to browser "Do Not Track" signals. | | | |
| A disclosure regarding whether other parties may collect the user's personal information across other websites once they've used your website or app. | | | |
Remember to conspicuously post a link to your Privacy Policy on your website and/or app such as on your home page, within in-app menus and wherever you collect personal information.
Download Sample California Privacy Policy Template
Our Sample California Privacy Policy is available for download, for free. The template includes these sections:
- Definitions
- Collecting and Using Personal Information
- Usage Data
- Use of Personal Information
- Transfer of Personal Information
- Disclosure of Personal Information
- Security of Personal Information
- CCPA Privacy Policy
- Your California Privacy Rights (California's Shine the Light law)
- California Privacy Rights for Minor Users (California Business and Professions Code Section 22581)
- CCPA Privacy Policy
- Links to Other Websites
- Changes to Privacy Policy
- Contact Information
Sample California Privacy Policy Template (HTML Text Download)
You can download the Sample California Privacy Policy Template as HTML code below. Copy it from the box below (right-click > Select All, then Copy) and paste it into your website pages and app screens.
Sample California Privacy Policy Template (PDF Download)
Download the Sample California Privacy Policy Template as a PDF file
Sample California Privacy Policy Template (Word DOCX Download)
Download the Sample California Privacy Policy Template as a Word DOCX file
Sample California Privacy Policy Template (Google Docs)
Download the Sample California Privacy Policy Template as a Google Docs document
More Privacy Policy Templates
More specific Privacy Policy Templates are available on our blog.
| Template | Description |
|---|---|
| Sample Privacy Policy Template | A Privacy Policy Template for all sorts of websites, apps and businesses. |
| Sample Mobile App Privacy Policy Template | A Privacy Policy Template for mobile apps on Apple App Store or Google Play Store. |
| Sample GDPR Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with GDPR. |
| Sample CCPA Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with CCPA. |
| Sample California Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with California's privacy requirements (CalOPPA & CCPA). |
| Sample Virginia VCDPA Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with Virginia's VCDPA. |
| Sample PIPEDA Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with Canada's PIPEDA. |
| Sample Ecommerce Privacy Policy Template | A Privacy Policy Template for ecommerce businesses. |
| Small Business Privacy Policy Template | A Privacy Policy Template for small businesses. |
| Privacy Policy for Google Analytics (Sample) | A Privacy Policy Template for businesses that use Google Analytics. |
| Sample CalOPPA Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with California's CalOPPA. |
| Sample SaaS Privacy Policy Template | A Privacy Policy Template for SaaS businesses. |
| Sample COPPA Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with the federal COPPA. |
| Sample CPRA Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with California's CPRA. |
| Blog Privacy Policy Sample | A Privacy Policy Template for blogs. |
| Sample Email Marketing Privacy Policy Template | A Privacy Policy Template for businesses that use email marketing. |