Iubenda logo
Start generating

Documentation

Table of Contents

CCPA (CPRA) Privacy Policy Template

Are you looking for a professional CCPA privacy policy template? Then you’re in the right place!

Figuring out what a CCPA privacy policy should include can be tricky, but we’ve got your back. In this guide, we explain what a CCPA/CPRA privacy policy should include, and provide you with examples and an easy template.

Do you need a CCPA privacy policy?

You need a CCPA privacy policy if the CCPA/CPRA applies to you.

The CCPA applies to any for-profit entity doing business in California that either:

  • processes (buy, sell, receive, share) personally identifiable information of at least 50k Californians per year,
  • has annual gross revenues of at least $ 25 million, or
  • makes over 50% of its yearly revenue from sharing consumers’ personal information with third parties

Please note that CCPA applies outside California as well. Your business could be based anywhere: as long as your services are accessible in California, you may need to comply with CCPA.

👋 Does the CCPA apply to you?


Find out right now with this 1-minute quiz!

What is required in a CCPA privacy policy?

Under the CCPA (California Consumer Privacy Act), businesses are required to include specific disclosures in their privacy policies in order to inform consumers about their data practices and rights. These disclosures must be complete, up-to-date, and easily accessible throughout the business’s website or app.

The following are the key elements that must be included in a CCPA privacy policy:

  1. Categories of Personal Information: The privacy policy must disclose the categories of personal information that the business has collected, sold, or shared in the past 12 months. This includes information such as names, addresses, email addresses, internet activity, geolocation data, and more.
  2. Categories of Third Parties: Businesses must disclose the categories of third parties with whom they have shared or sold personal information. This includes service providers, advertisers, marketing partners, and other third parties involved in data processing activities.
  3. Categories of Sources: The privacy policy must explain the categories of sources from which the business collects personal information. This includes information collected directly from consumers, information obtained from third-party sources, and information collected automatically through cookies or other tracking technologies.
  4. Business/Commercial Purpose: Businesses must disclose the business or commercial purposes for which they collect, sell, or share personal information. This includes purposes such as providing services to consumers, marketing products or services, conducting analytics, and other legitimate business purposes.
  5. Consumers’ Rights: The privacy policy must inform consumers about their rights under the CCPA, including the right to know about the personal information collected, used, shared, or sold by the business, the right to request deletion of their personal information, the right to opt-out of the sale of their personal information, and other rights provided by the CCPA.
  6. How to Exercise Rights: Businesses must provide clear and conspicuous information about how consumers can exercise their rights under the CCPA. This includes providing instructions on how to submit requests to access or delete personal information, how to opt-out of the sale of personal information, and how to contact the business with privacy-related inquiries or complaints.
  7. Contact Information: The privacy policy must include contact details for consumers to reach out to the business with privacy-related inquiries or complaints. This may include an email address, phone number, or physical mailing address.
  8. Date of Last Update: Businesses must indicate when the privacy policy was last updated. The CCPA requires businesses to review and update their privacy policies at least once every 12 months to ensure compliance with the law.

If you already have a privacy policy, make sure you have or add these CCPA privacy policy requirements or take a look at our CCPA privacy policy template below (California privacy policy template).

Do you also need a toll-free number for CCPA compliance?

Under CCPA and the CPRA, users have the right to access: they can request a business that collects and process their personal information to access the data they have about them.

As a business, you must provide consumers with two or more methods for submitting access requests. These methods can vary from business to business, but must include, at a minimum, a toll-free number and, if the business has a website, the website address.

However, some exceptions apply. Your business can avoid providing a toll-free number if:

  • it “operates exclusively online”; and if
  • it has a “direct relationship with a consumer from whom it collects personal information”.
👉 Learn more about toll-free numbers and CCPA compliance!

How can iubenda help you Comply?

CCPA / CPRA Compliance in no time.

Our solutions are backed by our international team of expert lawyers.

Get Compliant in Minutes

Get a CCPA/CPRA-compliant Privacy Policy, customizable based on 1800+ clauses and available in 10 languages.

Add a Privacy Controls widget to your site allowing California users to opt-out from processing.

Among the few providers compatible with GPP & GPC, making it easier to honor these opt-out requests.

Automatically store user preferences and document CCPA/CPRA opt-outs.

CCPA (CPRA) Comparison to Other Major Privacy Laws

The following table provides a comprehensive comparison of key aspects within the realms of CCPA (California Consumer Privacy Act), CPRA (California Privacy Rights Act), GDPR (General Data Protection Regulation), and LGPD (Lei Geral de Proteção de Dados) in Brazil. This analysis delves into their similarities, differences, and implications for businesses and individuals.

Aspect CCPA/CPRA GDPR LGPD
Scope Applies to businesses collecting personal information of California residents, regardless of business location Applies to businesses processing personal data of individuals in the European Economic Area (EEA) Applies to businesses operating in Brazil, regardless of data processing location
Consent Requirements Focuses on giving consumers the right to opt out of the sale of their personal information Generally requires explicit consent for data processing, with some exceptions Generally requires explicit consent for data processing, with some exceptions
Data Protection Officers (DPOs) No specific requirement for appointing DPOs Mandates the appointment of DPOs for certain types of organizations No specific requirement for appointing DPOs
Penalties for Non-Compliance Fines of up to $7,500 per violation for intentional violations and $2,500 per violation for unintentional violations Fines of up to €20 million or 4% of global annual turnover, whichever is higher, for serious violations Penalties of up to 2% of a company’s revenue in Brazil
Data Subject Rights Right to access, delete, and correct personal information; right to opt out of sale of personal information Right to access, rectification, erasure, restriction of processing, data portability, and object to processing Right to access, correct, delete, anonymize, or block personal data; right to request information on third parties with whom data is shared
Transparency Requirements Businesses must provide privacy notices and disclose data collection and sharing practices Businesses must provide privacy notices and be transparent about data processing practices Businesses must provide clear information about data processing practices and obtain consent for data processing
Applicability Applies to businesses collecting personal information of California residents meeting certain criteria Applies to businesses processing personal data of individuals in the European Economic Area (EEA) Applies to businesses operating in Brazil, regardless of data processing location

What is an example of CCPA policy?

Are you curious about what a CCPA privacy policy template (California privacy policy template) looks like? We understand your need for a clear example.

That’s why we’ve created a comprehensive CCPA compliance example using our user-friendly generator.

Our Privacy and Cookie Policy Generator allows you to include all the essential components:

  • Categories of Personal Information: The CCPA privacy policy template outlines the specific categories of personal information that the company collects, uses, sells, or shares.
  • Information Collection: The privacy policy template clarifies the sources from which the company collects personal information and describes the methods used for collection.
  • Purpose of Data Usage: It explains the purposes for which the company utilizes the collected personal information.
  • Data Retention: The privacy policy template discloses the duration for which the company retains the personal information it gathers.
  • Third-Party Disclosure: It details the circumstances under which the company may share personal information with third parties for business purposes.
  • Sale or Sharing of Personal Information: The privacy policy addresses the company’s practices concerning the sale or sharing of personal information and provides information on how individuals can opt out of such activities.
  • Privacy Rights: It informs individuals about their rights under the California Consumer Privacy Act (CCPA), including the right to opt out, access their personal information, request deletion or correction of inaccurate information, and limit the use of sensitive personal information.
  • Non-Retaliation: The privacy policy assures individuals that they will not face any negative consequences or discrimination for exercising their privacy rights.
  • Exercising Rights: It outlines the process and means by which individuals can exercise their privacy rights and submit requests.
  • Request Handling: The CCPA privacy policy template specifies how and when the company will handle individuals’ privacy-related requests in a timely and appropriate manner.

Explore the document to gain valuable insights and a better understanding of how we cover the privacy rights of individuals in California. Click on the button to open it 👇


Privacy Policy

As you can see, the document outlines the categories of personal information of California residents that are collected, used, sold, or shared. It is generally a section dedicated to Californian consumers within the general privacy policy, and includes details on individuals’ rights, such as the right to access and delete their data, and the right to opt out of the sale or sharing of their personal information. The policy also explains how to contact the business with privacy-related inquiries or complaints.

Right to opt out - CCPA privacy policy template
Example of the right to opt-out for California-based users in a CCPA privacy policy template

CCPA Privacy Policy Example

Remember, a proper CCPA policy helps protect consumers’ privacy rights and ensures compliance with the law.

Let’s have a look at a real-world example from Hellenic Technologies, a leading digital agency based in Greece. Their privacy policy demonstrates a commitment to transparency and compliance with data protection regulations. You can view their privacy policy to see how they inform users about their data practices and provide mechanisms for exercising privacy rights. Additionally, they include further information specifically tailored for California consumers to ensure compliance with CCPA privacy policy requirements.

ccpa privacy policy template
CCPA Privacy Policy Example

Remember, a proper CCPA policy helps protect consumers’ privacy rights and ensures compliance with the law.

CCPA Privacy Policy Template

Now let’s have a look at a proper CCPA privacy policy template / CPRA privacy policy template that you can use as a starting point. This is just to give you an idea of how your document should be structured.

You will have to replace the fields highlighted in yellow and add all the necessary information according to your specific business scenario.

Too many things to think about?

Using just a CCPA privacy policy template may be too complicated and a bit risky. We recommend using a professional solution: jump to this section to learn more.

Owner and Data Controller

[Here you should disclose your identity and make available all the necessary information to contact you]

Owner contact email: [your email address]

This Privacy Policy describes how [Your Company Name] (“we,” “us,” or “our”) collects, uses, shares, and protects the personal information of California residents in accordance with the California Consumer Privacy Act (CCPA).

Categories of personal information collected, used, sold, or shared

[In this section, you should summarize the categories of personal information that you’ve collected, used, sold, or shared].

Information we collect: the categories of personal information we collect

  • We have collected the following categories of personal information about you: [explain what information you have collected]
  • We do not collect sensitive personal information. (OR) [if you do collect sensitive personal information, disclose which type of sensitive personal information you are collecting]
  • We will not collect additional categories of personal information without notifying you.

What are the purposes for which we use your personal information?

[Here you should describe the purposes of the collection, e.g. why you are collecting and processing personal information. A few examples may be the ones listed below.]

  • To provide and maintain our products and services.
  • To process and fulfill your orders and requests.
  • To personalize your experience and improve our website.
  • To communicate with you, respond to inquiries, and provide support.
  • To send you promotional materials and updates if you have consented to such communication.
  • To comply with legal obligations and protect our rights.

We won’t process your information for unexpected purposes, or for purposes incompatible with the purposes originally disclosed, without your consent.

How long do we keep your personal information?

[In this section, explain the data retention period, that is how long you will store the personal information you have collected]

How we collect information: what are the sources of the personal information we collect?

[Explain how you are going to collect the information. A few examples are: web forms, navigation, third parties, etc.]

How we use the information we collect

[Here you should explain the purpose of the collection]

Your rights as a user

[List what rights the users have in relation to their data. Under the CCPA users have:]

  • The right to opt out of the sale or sharing of your personal information
  • The right to access personal information
  • The right to request the deletion of your personal information
  • The right to correct inaccurate personal information
  • The right to non-discrimination

*Please note: additional rights may apply according to the CPRA. You can learn more here.

How to exercise your rights

[In this section, describe how your users can exercise their rights. In particular, how to submit a verifiable request containing all the necessary information to process it]

How and when we are expected to handle your request

[Explain how you will handle users’ requests and how long it will take to process it]

⚠️ Note

This is a general and basic template and must be customized to fit your specific circumstances and requirements. As mentioned, because these are legal documents, we highly recommend consulting with legal professionals or using a generator created by legal professionals to ensure compliance with applicable laws and regulations.

Monitoring Privacy Compliance: Essential Key Performance Indicators (KPIs) under CCPA for Businesses and Individuals

Clear performance metrics, or Key Performance Indicators (KPIs), are essential for both businesses and individuals seeking to ensure privacy compliance. These KPIs act as benchmarks, enabling evaluation of the effectiveness of privacy policies and data protection practices, crucial for adhering to regulations such as the CCPA (California Consumer Privacy Act). Prioritizing specific KPIs is key for instilling consumer trust and promoting transparency in data handling.

Below, we highlight core KPIs, such as the frequency of privacy policy updates and response times for privacy inquiries and data breaches, crucial for maintaining regulatory compliance.

Metric Description Target/Threshold
Privacy Policy Updates Frequency of updates to the privacy policy to ensure compliance. At least annually or as regulations change.
User Consent Rate Percentage of users who consent to the privacy policy and data processing practices. Target >90% consent rate.
Data Access Requests Completed Number of user requests for data access fulfilled within the legal timeframe. 100% completion within 45 days (CCPA requirement).
Opt-Out Requests Processed Number of user requests to opt-out of data selling or sharing processed successfully. 100% processed within the legal timeframe.
Privacy Inquiries Response Time Average time taken to respond to privacy-related inquiries from users. Less than 24 hours for initial response.
Data Breach Response Time Time taken to notify users and authorities in case of a data breach. Within 72 hours of discovery, as per best practices.
Third-party Compliance Monitoring and ensuring that third-party service providers comply with your privacy policy and standards. 100% of third parties audited annually.

What are the penalties for violating the CCPA?

If the CCPA applies to you and you don’t have a valid privacy policy, you’re in breach of the law. The consequences of non-compliance are pretty serious:

  • Consumers are given the right to sue businesses that violate the law. You may have to pay damages of up to $ 750 (or cover actual losses if greater) for each affected consumer.
  • If you unintentionally violate the CCPA, you can be fined up to $ 2,500 for each violation.
  • If you intentionally violate the CCPA, you can be fined up to $ 7,500 for each violation.

While these fines might not seem like a lot when compared to the GDPR, do consider that the CCPA penalties apply per individual violation and per consumer. Here you can find more information.

How to generate a valid CCPA privacy policy

As you can see, having a badly-written document can cost you way more than generating a legally sound privacy policy. Remember: templates can be a great starting point, but you should always make sure you’re document is valid and up-to-date.

iubenda can help you with that!

Creating a CCPA privacy policy is easy with our Privacy and Cookie Policy Generator: add all the relevant clauses, save, and embed the document on your website or app!

Create your CCPA Privacy Policy

Start generating

CCPA / CPRA privacy policy: FAQs

Does CCPA apply outside of California?

Yes, the CCPA can apply outside California as well. Your business could be based anywhere: as long as your services are accessible in California, you may need to comply with CCPA.

Is CCPA California privacy the same as GDPR?

Though there are some similarities, CCPA and GDPR are two different laws. Just to mention a few differences:

  • The GDPR has a broader scope than the CCPA, regarding both businesses and data subjects.
  • The GDPR always requires prior consent (opt-in) – unless another legal basis legitimately applies – while the CCPA only requires opt-in in the case of minors and in cases of previous opt-out.
  • The consequences of non-compliance for the GDPR are generally harsher than the CCPA.

Want to learn more? Check our guide 👉 CCPA vs GDPR: what’s the difference?

What is CCPA policy?

A CCPA policy is a document required to comply with the California Consumer Privacy Act. It outlines (at the very least):

  • The categories of personal information of California residents that are collected, used, sold, or shared.
  • What are the rights of users under the CCPA.
  • How users can contact a business to exercise their rights.

How do I write a CCPA policy?

The safest way to write a CCPA policy is to seek the help of a legal expert: they will analyze your business situation and write a document to match your needs.

If you can’t afford to hire a legal expert, there are cheaper alternatives that are still safe to use. For example, you can rely on a generator created by legal professionals – like iubenda –, that allows you to customize your document with clauses written by legal professionals.

Where do I display my CCPA privacy policy?

A best practice is to add your privacy policy in the footer of your website, so that users can access it anytime. Don’t forget to also add a link to your CCPA privacy policy in places like subscriptions or contact forms.

Do I need to have a CCPA-compliant Privacy Policy?

You need a CCPA-compliant privacy policy if your business is for-profit, operates in California, and meets any of the following criteria: processes personal information of 50,000 or more California residents, households, or devices annually; has annual gross revenues exceeding $25 million; or earns more than half of its annual revenue from selling California residents’ personal information. The law applies regardless of where your business is based, as long as you deal with California residents’ data.

What is the standard privacy policy in California?

The standard privacy policy in California tells people how a business collects, uses, and shares personal information. It needs to be easy to find on the website and must say what kinds of personal information are collected, how the business keeps that information safe, and how people can review and change their personal information. It also needs to explain how the business will let people know if it changes the privacy policy and if and how it tracks users over time and across different websites.

What is required in a CalOPPA privacy policy?

A CalOPPA-compliant privacy policy must:

  • Specify the types of personal information collected, its use, and sharing practices.
  • Be easily accessible to website visitors, typically through a link in the website footer.
  • Disclose whether “Do Not Track” requests are honored.
  • Provide a clear option for users to opt out of the sale of their personal information, if applicable, usually through a “Do Not Sell My Personal Information” link.”

About us

iubenda

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

Read also