Sample CCPA (CPRA) Privacy Policy Template

Written by John Lister (FreePrivacyPolicy Legal writer) and last updated on 06 March 2023.

The California Consumer Privacy Act (CCPA) requires organizations to tell people what personal information they store, to adequately secure the data, and to give people the right to opt out from the organization selling their data. The way to do this is with a Privacy Policy.

The CCPA was amended by the California Privacy Rights Act (CPRA), which took effect in January 2023 and added further requirements.

This article will explain what the CCPA (CPRA) requires for your Privacy Policy, and how you can comply.

Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.

  1. Click on the "Free Privacy Policy Generator" button, located at the top of the website.
  2. Select where your Privacy Policy will be used:

     [Screenshot: Privacy Policy Generator - Select platforms where your Privacy Policy will be used - Step 1]

  3. Answer a few questions about your business:

     [Screenshot: Privacy Policy Generator - Answer a few questions about your business - Step 2]

  4. Enter the country and click on the "Next Step" button:

     [Screenshot: Privacy Policy Generator - Enter the country - Step 2]

  5. Continue building your Privacy Policy by answering the questions from our wizard:

     [Screenshot: Privacy Policy Generator - Answer the questions from our wizard - Step 3]

  6. Almost done. Now enter the email address where you'd like your new Privacy Policy sent, click on the "Generate" button, and you're done.

     [Screenshot: Privacy Policy Generator - Enter your email address - Step 4]

That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.


Who and What the CCPA (CPRA) Affects

The CCPA/CPRA's legislative text refers to a "business" but gives this term a specific meaning. The law applies to any for-profit organization that does business in California and meets at least one of the following three criteria:

  • Its annual gross revenue is more than $25 million.
  • It makes at least half of its annual revenue from selling or sharing personal information about consumers.
  • It deals with personal information covering at least 100,000 people or households in California during a year. (This can include buying, receiving, selling or sharing the data.)

If a parent company falls under the scope of the CCPA (CPRA), any other business it controls (such as a subsidiary) that shares "common branding" will also be under the scope of the CCPA (CPRA). This applies even if the controlled business doesn't meet any of the criteria.

The CCPA (CPRA) deals with how companies handle "personal information."

It defines personal information as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

The act gives the following examples but notes this isn't an exhaustive list:

  • Names, postal addresses, email addresses or numbers (such as social security or passport)
  • Commercial information such as details of purchases
  • Biometric data
  • Internet records such as browsing or search history
  • Geolocation data
  • Employment and education information

Two key points to remember are:

  • The definition is designed to be very broad (it even mentions "olfactory" information, meaning smells) so it is safest to err on the side of caution when deciding if something counts as personal data.
  • The definition covers inferences rather than just purely objective fact. For example, you might create a list of "impulsive buyers" by cross-referencing the products, prices and timings of previous purchases. The fact that somebody was on this list could count as personal data.

CCPA (CPRA) Principles

A huge aim of the CCPA (CPRA) is to ensure rights for Californian consumers including the following:

  • To know what personal data you hold about them
  • To access the personal data without charge
  • To know whether you sell or share their personal data (and if so, who gets it)
  • To demand that you don't sell their personal data
  • To demand that you delete their personal data
  • To exercise these rights without it affecting the services and prices you offer
  • To limit the use of sensitive personal information

You should keep these in mind when considering and interpreting the specific measures the CCPA (CPRA) requires.

Note that the rules for selling personal data under the CCPA (CPRA) depend on the person's age:

  • You can sell data about people 16 or older unless they demand you don't
  • You can't sell data about people you know to be aged between 13 and 16 unless they actively give you permission to do so
  • You can't sell data about people you know to be aged under 13 unless their parent or guardian has actively given permission.

CCPA (CPRA) Requirements For Privacy Policies

The CCPA (CPRA) specifically states that you must include the following pieces of information in your Privacy Policy. If you don't already have a Privacy Policy, you must publish this information on your website and update it at least once every 12 months.

Consumer Rights

You must detail the consumer's rights under the CCPA (CPRA). This section must also list at least one way in which the consumer can submit a request to exercise these rights, for example by asking to see their personal data or asking whether you sell the data.

Collection of Personal Information

You must list all the types of personal information that you have collected (across all consumers) in the previous 12 months. Specifically you must list the category or categories of data from the following list that most closely match the information you have collected:

  1. Any identifiers. These can include things such as names, mailing addresses, email addresses, passport numbers, IP addresses, etc.
  2. Categories of information described in subsection (e) of Section 1798.80 of the CCPA
  3. Any characteristics of classifications that are protected under California or federal law
  4. Any commercial information obtained, purchased or considered, such as records of personal property, records of products or services purchased or other purchasing or use histories or tendencies
  5. Biometric information
  6. Activity information relating to internet or other electronic networks such as browsing or searching history, or interaction with a website, ad or app
  7. Geolocation information
  8. Audio, visual, thermal, electronic, olfactory or other similar information
  9. Information related to employment or other professional standings
  10. Information related to education
  11. Any inferences drawn using any of the above information in order to profile a consumer and reflect the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes

If you haven't collected any personal information, you must say so.

This example from Hotel Cerro's Privacy Policy goes beyond the minimum requirements by giving some detailed examples rather than just listing the categories:

[Screenshot: Hotel Cerro Privacy Policy - Information we collect clause excerpt]

These examples help a reader really understand what some of the terms mean, such as "Identifier." The column at the far right that says whether or not the information is collected helps meet the requirement that you disclose if you don't collect personal information.

Instead of leaving out a certain type of information if you don't collect it (such as protected classification characteristics under California or federal law seen in part C. of the above screenshot), you can include it and note that you do not collect it.

Selling Personal Information

You must list all the types of personal information about consumers that you have sold in the past 12 months, or state if you haven't sold any consumers' personal information.

Here's how Hotel Cerro does this:

[Screenshot: Hotel Cerro Privacy Policy - Personal information sales clause]

Since it doesn't sell any personal information, this clause doesn't need to disclose specific categories.

Disclosed Personal Information

You must list all the types of personal information about consumers that you've disclosed in the past 12 months, or state if you haven't done so. This doesn't cover selling information, but does cover any other disclosure done for "a business purpose." Again, you need to do this by listing the relevant categories.

Do Not Sell Page

You must detail the person's right to demand you do not sell their personal data. You must also link to a dedicated page on your site for exercising this right. Note that you can include the relevant information in your Privacy Policy, but you must still have this dedicated page as well.

The dedicated page must be headed "Do Not Sell My Personal Information." It must tell the person how to exercise this right and do so in a way that is "reasonably accessible." You must let the person exercise this right without having to create an account.

Elite Sports NY has a "Do Not Sell My Personal Information" page that provides some useful details about user rights including the right to opt out of having data sold:

[Screenshot: Elite Sports NY - Do Not Sell My Personal Information page - California rights clause]

Once somebody exercises this right, you aren't allowed to ask them to change their mind and give you permission to sell their data for at least 12 months.

As well as linking to this dedicated page from your Privacy Policy, you must have a "clear and conspicuous" link to it from your homepage.

The only exception is if you create a separate homepage for California consumers that includes the link, and then take "reasonable steps" to make sure California consumers are directed to this homepage. The law doesn't detail the technical measures you should use to do this.

Updates to Your Privacy Policy

If a third party takes control of a business (for example in a buyout or merger), it must stick to any privacy promises made by the selling business. If the buying business changes anything, for example by collecting new types of personal information or selling it, it must give users prior notice. A business can't retroactively change its Privacy Policy to cover these changes.

Note that in some cases you may be required to provide a toll-free telephone number for your users to contact you.

Penalties for Violating the CCPA (CPRA)

  • If you intentionally breach the CCPA you can be fined up to $7,500 for each violation. This fine is under the CCPA itself.
  • If you unintentionally breach the CCPA, you can be fined up to $2,500 for each violation. This fine is under California's Business and Professions Code.
  • If you suffer a data breach involving unencrypted or unredacted personal information, consumers can take private legal action. You may have to pay damages of up to $750 for each affected consumer (or cover actual losses if greater), plus a court could impose further penalties.

Comparisons with the GDPR

A business covered by the CCPA (CPRA) may also be covered by the General Data Protection Regulation (GDPR), a set of European Union rules. While these laws cover similar principles, they have the following key differences:

Scope

The CCPA (CPRA) applies to organizations doing business in California.

The GDPR applies to businesses that meet any of these three criteria:

  • The business operates in an EU country
  • The personal data is processed in an EU country
  • The business offers goods or services to people who are in an EU country

This means it's much more likely a California business will be affected by the GDPR than a European business will be affected by the CCPA.

Definitions

The CCPA (CPRA) defines personal information as relating to individuals and households.

The GDPR only covers personal information about a specific individual.

Penalties

The CCPA (CPRA) has a fixed rate for violation penalties that doesn't take into account the company's size.

The GDPR instead has a maximum penalty of four percent of the company's worldwide revenues in the previous year.

Comparisons with CalOPPA

A business affected by the CCPA may also be affected by the California Online Privacy Protection Act (CalOPPA). While the two share some principles, they have the following key differences.

Types of Businesses Covered

The CCPA (CPRA) covers organizations doing business in California.

CalOPPA covers operators of commercial websites and online services (including mobile apps) that collect data about individual consumers in California.

Unlike the CCPA, CalOPPA's applicability doesn't depend on your revenues or how much data you handle.

Privacy Policy Requirements

The CCPA/CPRA's Privacy Policy requirements are described above.

CalOPPA covers several similar points, but also requires some specific technical information.

This includes:

  • Detailing whether a website follows "Do Not Track" signals from browsers
  • Detailing how any third-party software and tools on the website could mean personal data is shared with a third party

Enforcement and Penalties

As detailed previously, the CCPA (CPRA) has separate penalties and enforcement depending on whether or not a breach is intentional. It also allows for private claims by consumers against businesses.

CalOPPA has a single penalty rate of up to $2,500 per violation. It's enforced solely by the Attorney General and doesn't allow for private claims.

Conclusion

Let's recap what you need to know about the CCPA (CPRA):

  • The CCPA (CPRA) affects organizations doing business in California that meet any of three annual criteria:
    • Revenues of more than $25 million
    • Half of annual revenue coming from selling or sharing consumer personal information
    • Handling personal data of at least 100,000 individuals or households
  • It covers personal information, which is defined very broadly.
  • It gives consumers the right to know about and access the personal data you store and whether you sell it. It also gives them the right to demand you delete the data and to demand you stop selling it.
  • Your Privacy Policy must detail the consumer's rights and list the types of data you have collected, sold and disclosed in the past month.
  • Your website must have a "Do Not Sell My Personal Information" page that lets consumers opt out easily. Both your Privacy Policy and homepage must link to this page.
  • The CCPA (CPRA) has a fixed range of penalties for violations while maximum GDPR penalties depend on the company's revenues.