Amidst the labyrinth of data privacy concerns, CCPA emerges as a beacon for individuals by ensuring data transparency. The Californian privacy law mandates businesses to keep individuals informed of their data-handling practices. This ensures data transparency and gives users ultimate control over their personal information.

What is a privacy policy?

A privacy policy is a public document that contains the information practices of an organization. It includes categories and purposes for the collection of personal information, sources of the information, rights of consumers, etc.

Businesses must provide their privacy policies conspicuously on their websites under a link titled “privacy” or similar terms. Privacy policies are also known as privacy notices, privacy statements, privacy terms, etc. They must be concise, easy to understand, and navigate through. 

Privacy policies will keep the consumers informed and help build trust with your company. It is also the reason why many companies like Google and Sephora were fined millions of dollars.

If you are an organization aiming for CCPA compliance or looking for a checklist to compare your privacy policy, you are at the right place.

Who should post a privacy policy under CCPA?

All entities subject to CCPA must prominently display a privacy policy.

CCPA applies to for-profit businesses in California or elsewhere that collect the personal information of Californians and meet any of the following requirements:

  • Have a gross annual revenue exceeding $25 Million.
  • Buy/sell/share the personal information of at least 100,000 Californian residents, households, or devices.
  • Generate 50% or more of its revenue from the sale of personal information of Californian residents.

Take note that just because your business is not in California will not automatically exempt you from its applicability. 

Penalties for violations under CCPA, including the failure to provide a privacy policy, can result in penalties of up to $7500 for each violation. This implies that the amount of fines will escalate based on the number of individuals who have been infringed upon.

Create a CCPA privacy policy
for free!

Create Privacy Policy for Free

No signup required

What are the CCPA privacy policy requirements?

CCPA prescribes the key components of a privacy policy. With the help of the requirements enumerated below, you can draft an effective privacy policy using a free privacy policy generator, privacy policy templates or even create one by yourself.

Categories of personal information 

A privacy policy must contain the categories of personal information collected from consumers annually. Consumers have the right to know what personal information is handled by businesses. Therefore keep it simple and less complicated.

Here are some illustrations:

This is how CookieYes enumerates the categories of personal information collected. 

CCPA privacy policy- Categories of personal data collected

Now let us take a look at how Horne’s website lays down the categories of personal information.

Sources of personal information

Businesses must reveal the source from which the personal information was collected, for example- directly from the consumers, cookies, website, etc. Enumerate the actual sources in your privacy policy. Here is an example from Amazon.

CCPA privacy policy-sources of personal data

Specific purposes

Your privacy policy should also contain the purpose for which it is processed/sold in simple language. This can be for many purposes like customer service, delivery of service, etc. 

For example, this is how the iapp does it. They have accommodated the purposes under CCPA and the lawful basis under GDPR in the same table.

Sale/disclosure of personal information

A privacy policy should also contain the categories of personal information sold/disclosed in the last 12 months along with the categories of the recipients. Under this section, you must also mention the purposes for which it was sold/disclosed.

If you sell/disclose consumers’ personal information, provide a notice of right to opt-out of sale/share or its link in the privacy policy.

If you do not engage in any of the above activities, that must also be specified. Here is an example from Amazon.

Personal information of children

Your privacy policy should contain a statement on the processing of the personal information of children. Let us take a look at how Taco Bell provides the information.

If a website sells the personal information of children under 16 years of age, it should be properly disclosed along with the right to opt-in and how they can opt out of it later.

Sensitive information

Sensitive information is a type of personal information that can cause damage, discrimination, or harm if compromised. Examples are any information that reveals the race or origin of an individual, geographical location, etc.

If your business sells sensitive personal information, it should be revealed in the privacy policy along with a link to the notice of “limit the use of sensitive information” as provided under 3 (D) of § 7011 of the CPPA regulations. It is one of the privacy disclosures under CCPA and deals with the consumer’s right to control the processing of sensitive information.

Consumer rights 

A privacy policy must reveal consumer rights to its users. This includes the right to know, the right to delete, the right to opt-out of sale/share, the right to correct inaccuracies, the right to limit the use of sensitive information, and the right to non-discrimination.

Provide a short description of these rights in layman’s language. Take a look at this example from Nike’s official website.

Exercise of consumer rights

A privacy policy should also lay down how the consumers can initiate consumer requests under CCPA. Provide links to consumer request forms or portals. Also, specify the criteria and process used to verify a consumer request.

Give details regarding the global opt-opt mechanisms, how they can be implemented, etc. In addition, describe how an agent can make consumer requests on behalf of the consumer. Here is another example from Nike’s website.

Date of policy update

Privacy policies should be updated once a year. This is the rationale behind providing the details of personal information processed in 12 months. 

Provide the date of the policy update and notify your users in a preferred way.

 Here is Google’s privacy policy with the effective date and archived versions of its previous policies.

Contact information

Provide contact details of your organization in the privacy policy. This can be an email, phone number, etc to enable the consumers to clear any queries regarding the privacy policy or the information handling process in general. Here is an example from Horne’s website.

Where can a privacy policy be posted under CCPA?

Privacy policies can be posted in the header of a homepage, footer of webpages, landing pages, sign-up forms, etc. You may also create a separate or additional homepage for Californian consumers to publish your privacy policy. Here is an example from Apple’s website.

Additionally, for a mobile application, the privacy policy may also be provided in its settings menu. 

What are the privacy policy guidelines under CCPA?

The objective of the privacy policy is to provide information to the consumers and therefore be transparent. Here are some guidelines to keep in mind while drafting a CCPA privacy policy:

  • Try to avoid jargon and complicated terms
  • Use plain language that is easy to understand
  • Use readable formats, for example- tables, suitable headings, etc.
  • It should be in printable formats
  • Available in languages commonly used to provide other information, like their sale announcements to Californian consumers.
  • Privacy policies should be inclusive and reasonably accessible to persons with disability.
  • It should be posted conspicuously
  • It must be distinct and noticeable- use appropriate formats and text colors 

How to create a CCPA-compliant privacy policy?

Consent management platforms

This is an easy and common method used to create a privacy policy. You can resort to CMPs like CookieYes to publish a CCPA-compliant privacy policy. The free privacy policy generator of CookieYes is no-cost, hassle-free, and easily customizable.

Create a CCPA privacy policy
for free!

Create Privacy Policy for Free

No signup required

Privacy policy templates

Another way to create a privacy policy for your business is by resorting to privacy policy templates. They already contain the required format and basic information and the best part- they are customizable. You may also refer to our privacy policy guide for a clearer picture.

Create one yourself

You can also create a privacy policy from square one. Go through the reference materials, gather enough information, organize it, and draft one yourself.

Legal consultant

Creating a privacy policy can be a daunting task at times. The entire process is multifaceted and requires a lot of attention to detail, especially the legal side. Therefore, you can also take the help of a legal expert to create your privacy policy.

Checklist for CCPA privacy policy [Infographic]

Checklist for CCPA privacy policy

FAQ on CCPA privacy policy

What are the GDPR and CCPA privacy policies?

GDPR and CCPA provide separate guidelines and requirements for privacy policy. GDPR privacy policy requires businesses to provide the categories of personal information, sources, purpose, legitimate interest, data retention period, etc. Read more about the GDPR privacy policy.

How to create a CCPA privacy policy?

A CCPA privacy policy can be drafted using any of these 3 methods: Create one by yourself, use a Privacy policy template available on the internet, or use a free privacy policy generator like that of CookieYes.

Are privacy policies required by US laws?

As of now, There are no federal laws that require organizations to publish privacy policies except COPPA. However several state-level privacy policies like CCPA, VCDPA, CTDPA, etc impose an obligation upon businesses to have a privacy policy.