What does CCPA require in a Privacy Policy?

CCPA requires disclosure of: categories of personal information collected, purposes of collection, whether you sell/share data, consumer rights (access, delete, opt-out, correct), how to exercise rights, no discrimination for exercising rights, and retention periods. You must disclose if you sell or share data for advertising.

What Does CCPA Require in a US Privacy Policy?

When CCPA Applies to Your Business

CCPA applies to you if you meet ANY of these criteria:

You do business in California and collect personal information from California residents
Your annual gross revenue exceeds $25 million (from any source, not just California)
You buy, sell, or share data of 100,000 or more California residents or households
You derive 50% or more of your annual revenue from selling or sharing consumers' personal information

CCPA applies even if your business is located outside California. If you collect data from California residents, you must comply.

What CCPA Requires in Your Privacy Policy

Your Privacy Policy must disclose, in plain language:

1. Categories of personal information collected

Identifiers (name, email, address, phone, IP address)
Commercial information (purchase history, transaction data)
Biometric information (fingerprints, voice, facial recognition)
Internet activity (browsing history, interaction with ads, cookies)
Geolocation data
Sensory information (audio/video recordings)
Professional information (employment history, credentials)
Education information
Inferred information (profiles reflecting preferences, characteristics)

2. Purpose of collection

Explain why you collect each category. Examples:

Processing transactions
Providing customer service
Marketing and advertising
Analytics and improving services
Security and fraud detection
Legal compliance

3. Whether you sell or share consumer personal information

Clearly state: "We [do/do not] sell or share personal information as defined by CCPA." If you do, list what categories you sell and to whom.

4. Consumer rights

California residents have these rights under CCPA:

Right to know: Access what personal information you collect about them
Right to delete: Request deletion of their personal information
Right to opt-out: Opt out of the sale or sharing of their personal information
Right to correct: Request correction of inaccurate personal information
Right to limit use: Limit how their sensitive personal information is used

Your Privacy Policy must explain how to exercise these rights and your timeframe for responding (typically 45 days, extendable to 90 days).

5. No discrimination for exercising rights

State that you won't discriminate against consumers who exercise their CCPA rights. You can't deny service, charge different prices, or provide different quality of service.

How to Structure Your CCPA Privacy Policy

Section 1: Personal Information We Collect

List categories and explain collection methods (forms, cookies, third-party sources, etc.).

Section 2: Use of Personal Information

Explain business and commercial purposes for each category.

Section 3: Sale or Sharing of Personal Information

"We [do/do not] sell or share personal information. If we do, this section discloses: what categories, to whom, and how users can opt out."

Section 4: Consumer Rights and How to Exercise Them

Include a prominent link or button for users to submit requests (access, deletion, opt-out). Provide email, phone, or web form.

Section 5: Retention of Personal Information

Explain how long you keep different types of data.

Section 6: Third-Party Service Providers and Partners

List companies you share data with (analytics, payment processors, marketing platforms).

Important CCPA Compliance Details

"Sell" vs. "Share": CCPA defines "sell" as exchanging personal information for monetary consideration. "Share" (added by the CPRA in 2020) includes sharing for cross-context behavioral advertising. If you use Meta Pixel or Google Ads, you may be "sharing" data even if you're not being paid directly.

"Sensitive personal information": CCPA protects certain sensitive categories (SSN, financial account info, exact geolocation, racial/ethnic origin, religious beliefs, union membership, genetic data, biometric data for identification, health data, sex life data). You must limit use of this data to necessary business purposes.

Child data: For children under 13, you must obtain parental consent before collecting personal information. For teenagers 13-16, you may offer opt-in, but parental consent is recommended.

CPRA Updates (Effective 2023)

The California Privacy Rights Act (CPRA) amended CCPA with stronger requirements:

Added "right to correct" inaccurate information
Added "right to limit use" of sensitive personal information
Added "right to delete" copies sold to third parties
Introduced "sharing" for behavioral advertising
Stricter rules on automated decision-making

If your Privacy Policy was written before 2023, update it to include CPRA rights.

Do not use "sale" language lightly: If your Privacy Policy says "we sell data" when you don't actually sell it, you've admitted to selling data, which triggers legal obligations. Be precise. If you share data with third parties for advertising, use "share" language or explain the specific arrangement.

Generate your Privacy Policy in 2 minutes

CCPA and COPPA compliant. Answer a few questions, get a free policy ready to use.

Generate now →