You need a CCPA privacy policy if your business is required to comply with the California Consumer Privacy Act (CCPA).
The CCPA applies to businesses that collect personal information from California consumers. Let’s define each of these terms in the context of the official CCPA legislation:
Businesses — Under the CCPA, a for-profit business that does business in California is covered if it meets at least one of the following thresholds:
- Has $25 million+ in annual gross revenue
- Annually buys, receives, sells, or shares the personal information of 50,000+ consumers, households, or devices for commercial purposes
- Derives 50%+ of its annual revenue from selling consumers’ personal information
Personal Information — Personal information is any data that identifies, relates to, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Information lawfully made available from federal, state, or local government records is not considered personal information under the CCPA, provided it is used for purposes compatible with the purposes for which the data is “maintained and made available” to the public. All other types of publicly available information (such as what consumers post on social media) are within the scope of the CCPA.
Consumers — Consumers are natural persons who are California residents, including residents who are temporarily outside the state.
Understanding these definitions is the first step toward creating a CCPA-compliant privacy policy. The next step is to edit your existing privacy policy, or create a new CCPA privacy policy.
Here’s a checklist for making your privacy policy CCPA compliant:
1. Provide a Notice of Collection
The CCPA requires you to tell consumers, at or before the point of collection, which categories of personal information you collect and the purposes you will use them for. Your privacy policy must also list the categories of personal information you’ve collected in the preceding 12 months, along with your purposes for collecting them.
Here’s an example of what a notice of collection looks like in a CCPA privacy policy, taken from Experian’s privacy policy. Notice that the table is broken into multiple columns that address different details of how Experian collects and handles personal information.
Let’s break down each item of information you need to include in your CCPA privacy policy’s notice of collection.
Categories of Personal Information
Your notice of collection must list which categories of personal information your business collects from consumers. The CCPA lists the following categories of personal information:
| Category | Examples |
|---|---|
| Identifiers | Name, email address, Social Security number |
| Commercial information | Purchase records, property records, transaction histories |
| Customer records information described in subdivision (e) of Section 1798.80 of the California Civil Code | Passport number, driver’s license number, state ID number |
| Protected classifications under California or federal law | Race, gender, sexual orientation |
| Biometric information | Fingerprints, voiceprints, facial recognition templates |
| Internet or other electronic network activity | Browsing history, search history, interactions with a website or app |
| Geolocation data | GPS coordinates, mobile app location data, location derived from an IP address |
| Sensory information (audio, electronic, visual, thermal, olfactory, or similar) | Audio recordings, photos and video, thermal imaging data |
| Professional or employment-related information | Employment history, employment records, job application information |
| Education information | Exam records, admissions history, attendance records |
| Inferences drawn to create a consumer profile | Aptitudes, behavior, preferences |
However, the CCPA states explicitly that personal information is not limited to the categories above. If you collect personal information that doesn’t fit one of them, you still need to disclose it in your privacy policy to comply with the CCPA.
Here’s an example of how Caderet Grant’s notice of collection lists the categories of personal information they’ve collected in the past 12 months:
Types of Personal Information Collected
In the example above, next to each category of personal information is a list of the specific types of personal information collected under it.
Make the list as exhaustive as you can, and group each type of personal information under its corresponding category.
Purpose of Collection
The next item in your CCPA notice of collection is your business or commercial purpose for collection: state why your business collects each category of personal information and how you use it.
Check out Daimler’s privacy notice and how they state their purposes for collection under the heading “How we use it”:
As you can see in the example, your explanation of purpose doesn’t need to be long or formal. Use plain language and be transparent so consumers can easily understand why you need their personal information.
Sources of Collection
Alongside each category of personal information, list what sources this information is collected from. See the example above for reference.
Common sources include:
- Directly from the consumer
- Social media
- Cookies
- Analytics software
- Third parties
Data mapping (an inventory of every system that stores personal information and every flow that feeds it) can help you determine each piece of personal information you collect and where it comes from.
Sharing or Sale of Information
The last activity that your notice of collection needs to address is whether you share or sell any categories of personal information. The CCPA defines “selling” as:
selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating […] for monetary or other valuable consideration
You need to specify, for each category of personal information, whether it is sold (as defined above) or disclosed to third parties for a business purpose without being sold.
Your notice of collection doesn’t need to be entirely in table format. For example, LinkedIn’s privacy policy has a table detailing its collection of personal information, followed by a standalone section explaining why it may share personal information:
Whether you outline this information within a table or in its own section, you need to explain whether you share or sell information, with whom, and for what purposes.
2. Explain Consumer Rights
The next item on your CCPA privacy policy checklist is to address the unique rights that consumers are granted under the CCPA.
Have a single “California Consumer Rights” section in your privacy policy that covers all the rights, or dedicate individual sections to each right.
Here are the rights you need to explain to consumers in your CCPA privacy policy:
Right to Access
The right to access allows consumers to request that you disclose the personal information you’ve collected from or about them, including the categories of sources it came from, the purposes for collecting it, and the categories of third parties it was shared with.
Keep in mind two unique features of the CCPA right to access:
- You’re only required to honor two access requests from the same consumer in any 12-month period.
- Once you receive a verifiable request, you need to provide the requested information within 45 days. A one-time extension of up to 90 additional days may be possible when reasonably necessary, but you must notify the consumer of the reasons for the extension within the initial 45-day period. (The CCPA regulations later narrowed the extension to 45 additional days, so check the rules currently in force.)
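The two rules above are easy to get wrong when requests are tracked by hand, so here is an added example (not code from the article or from any company cited on this page) of a small ledger that enforces them: a rolling 12-month cap of two access requests per consumer, a 45-day deadline counted from receipt, and a single extension that is only valid if the notice goes out inside the first 45 days. It assumes the time limits exactly as stated above (a 365-day rolling window and up to 90 extra days), and the consumer IDs and dates it runs on are constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Limits as stated in the checklist above. These are assumptions for this
# example: confirm them against the regulations in force before relying on them.
INITIAL_RESPONSE_DAYS = 45        # respond within 45 days of receiving the request
EXTENSION_MAX_DAYS = 90           # one extension of at most 90 additional days
MAX_REQUESTS_PER_WINDOW = 2       # two access requests per consumer per 12 months
ROLLING_WINDOW_DAYS = 365         # the "12 months" is treated as a rolling year


@dataclass
class AccessRequest:
    consumer_id: str
    received: date
    extension_days: int = 0
    extension_notice_sent: Optional[date] = None
    fulfilled: Optional[date] = None

    @property
    def initial_deadline(self) -> date:
        return self.received + timedelta(days=INITIAL_RESPONSE_DAYS)

    @property
    def deadline(self) -> date:
        return self.initial_deadline + timedelta(days=self.extension_days)


class AccessRequestLedger:
    """Tracks right-to-access requests per consumer and enforces the CCPA limits."""

    def __init__(self) -> None:
        self._requests: dict[str, list[AccessRequest]] = {}

    def requests_in_window(self, consumer_id: str, as_of: date) -> list[AccessRequest]:
        """Requests from this consumer received in the 365 days ending at as_of."""
        window_start = as_of - timedelta(days=ROLLING_WINDOW_DAYS)
        return [r for r in self._requests.get(consumer_id, [])
                if window_start < r.received <= as_of]

    def submit(self, consumer_id: str, received: date) -> tuple[Optional[AccessRequest], str]:
        """Accept a new request unless the consumer has already hit the 12-month cap."""
        prior = self.requests_in_window(consumer_id, received)
        if len(prior) >= MAX_REQUESTS_PER_WINDOW:
            return None, (f"declined: {len(prior)} access requests already received "
                          f"in the last {ROLLING_WINDOW_DAYS} days")
        req = AccessRequest(consumer_id=consumer_id, received=received)
        self._requests.setdefault(consumer_id, []).append(req)
        return req, f"accepted: respond by {req.deadline.isoformat()}"

    def extend(self, req: AccessRequest, notice_date: date, extra_days: int) -> tuple[bool, str]:
        """Record the one-time extension; the notice must be sent inside the initial 45 days."""
        if req.extension_days:
            return False, "refused: request has already been extended once"
        if notice_date > req.initial_deadline:
            return False, "refused: extension notice must be sent within the initial 45-day period"
        if not 0 < extra_days <= EXTENSION_MAX_DAYS:
            return False, f"refused: extension must be between 1 and {EXTENSION_MAX_DAYS} days"
        req.extension_days = extra_days
        req.extension_notice_sent = notice_date
        return True, f"extended: new deadline {req.deadline.isoformat()}"

    def fulfil(self, req: AccessRequest, on: date) -> None:
        req.fulfilled = on

    def overdue(self, as_of: date) -> list[AccessRequest]:
        """Open requests whose deadline has passed: the ones that need escalation."""
        return [r for reqs in self._requests.values() for r in reqs
                if r.fulfilled is None and as_of > r.deadline]


if __name__ == "__main__":
    # Constructed sample data: one consumer sends three requests in a year.
    ledger = AccessRequestLedger()
    print(ledger.submit("consumer-a", date(2024, 1, 10))[1])
    print(ledger.submit("consumer-a", date(2024, 1, 20))[1])
    print(ledger.submit("consumer-a", date(2024, 3, 1))[1])   # third in 12 months: declined
    first = ledger.requests_in_window("consumer-a", date(2024, 3, 1))[0]
    print(ledger.extend(first, date(2024, 2, 20), 45)[1])     # notice within 45 days: ok
    print(ledger.extend(first, date(2024, 2, 21), 10)[1])     # second extension: refused
    for r in ledger.overdue(date(2024, 3, 6)):
        print(f"OVERDUE: {r.consumer_id} received {r.received} deadline {r.deadline}")
```

Any real deployment would persist the ledger and key it on a verified identity rather than a free-text ID, but the checks themselves are the ones the checklist describes.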
Here’s how Toyota’s privacy policy explains the right to access:
Toyota’s policy clearly explains this right and what information consumers may request from the business.
Right to Deletion
The next CCPA consumer right you need to address in your privacy policy is the right to deletion. Consumers have the right to request that you delete the personal information you’ve collected from them.
Looking again at Toyota’s privacy policy, here’s how it outlines the right to deletion:
Like Toyota’s, your CCPA privacy policy needs to explain when a deletion request may be denied. The CCPA lists exceptions, for example where the information is needed to complete a transaction the consumer requested, to detect security incidents or protect against fraud, or to comply with a legal obligation.
Right to Non-Discrimination
The CCPA also grants consumers the right not to be discriminated against because of actions they take regarding their privacy rights. For example, you can’t penalize a consumer who requests the deletion of their personal information. (The CCPA does allow financial incentives, such as a discount in exchange for data, if the difference is reasonably related to the value of the consumer’s data and the consumer opts in.)
Forms of discrimination that are prohibited under the CCPA include:
- Denying goods, services, or discounts
- Charging different prices
- Providing a different quality of goods or services
- Implying that you’ll discriminate against them if they act on their consumer rights
Here’s how Toyota addresses the right to non-discrimination in their CCPA privacy policy:
After describing all of the above rights in its privacy policy, Toyota gives instructions on how consumers can act on their rights:
You also need to explain how consumers can act on their rights. Methods can include a web form, a dedicated webpage, a toll-free phone number, or an email address.
3. Add a Do Not Sell My Personal Information Link
Another consumer right under the CCPA is the right to opt out of the sale of their personal information. To lawfully grant consumers this right, your privacy policy needs a Do Not Sell My Personal Information link.
Here’s how Government Executive’s privacy policy provides consumers with a Do Not Sell link:
A Do Not Sell My Personal Information link directs consumers to a method where they can opt out of the sale of their personal information.
If you sell consumers’ personal information, you must provide this link in your privacy policy as well as on your website’s homepage.
When consumers click this link, they should be taken to a form, page, or portal that allows them to request that their personal information not be sold. Unlike access and deletion requests, an opt-out request doesn’t need to be verified (though you may deny one you have good reason to believe is fraudulent), and you can’t require the consumer to create an account to submit it. Honor the request promptly; the CCPA regulations give you 15 business days.
4. Provide Contact Information
Add accurate contact information to your CCPA privacy policy.
According to the CCPA, you must provide at least two methods for consumers to submit requests, one of which must be a toll-free number. A business that operates exclusively online and has a direct relationship with the consumer only needs to provide an email address. Use these methods for questions about your privacy policy as well as for consumers who want to act on their rights.
Here’s an example of Blueair’s contact information section in their privacy policy:
While those are the minimum CCPA requirements, it’s recommended that you offer several contact methods (as Blueair does in the example above).
5. Post Your Policy
Post your CCPA privacy policy conspicuously on your website so consumers can easily find it.
Common places to link to your privacy policy include:
- Website footer
- Main menu
- Checkout pages
- Sign-up pages
- Help centers
If your CCPA privacy policy is separate from your general privacy policy, make sure to clearly label it as “CCPA Privacy Policy” or “California Privacy Policy” so consumers know where to find information about their unique rights.
6. Update Your Policy
The final checklist item for your CCPA privacy policy is to update your privacy policy at least once every 12 months, as annual policy updates are mandated by the CCPA.
7. Create Your CCPA Privacy Policy
Follow this CCPA privacy policy checklist when updating your current policy or creating a new one on your own.
If you want to save time, generate a privacy policy with CCPA compliance built in using our free builder.