If your website or business collects personal information from Californians, you may need to comply with the California Consumer Privacy Act (CCPA) and provide a CCPA privacy policy.
Whether you already have a privacy policy (also referred to as a privacy notice), or you need to create one from scratch, make your privacy policy CCPA compliant as soon as possible if the law applies to you.
Here’s everything you need to know about a CCPA privacy policy.
1. What Is the CCPA?
The CCPA is a California data privacy law that sets requirements for how businesses can lawfully handle Californian consumer data.
Here are some key CCPA definitions that you need to know in order to understand the relationship between the CCPA and your privacy policy:
- Consumer — Under the CCPA, a consumer is any California resident. Therefore, “consumer” refers to those protected by the law.
- Personal information — Personal information is any data that can be used to identify a person, household, or device. This includes actively-given information like names and email addresses, as well as passively-collected information like that from cookies or analytics software.
- Do Not Sell My Personal Information — A Do Not Sell My Personal Information link directs consumers to a page, portal, or form where they can request that their personal information not be sold. Websites must include this link on their homepages and in their privacy policies to comply with the CCPA.
Who Needs to Comply with the CCPA?
Although the CCPA is a California law, businesses from around the world may have to comply with it. You need to comply if you:
- Make $25 million or more in gross revenue each year
- Annually buy, sell, receive, or share for commercial purposes the personal information of 50,000 or more California consumers, households, or devices
- Make 50% or more of your annual revenue from the sale of consumers’ personal information
If you meet any one of these thresholds, you need to comply with the CCPA, and therefore, need a CCPA privacy policy.
2. What Is a CCPA Privacy Policy?
A CCPA privacy policy (or CCPA privacy notice) is a statement that outlines how you collect, share, and use California consumers’ personal information, and what rights they have over their data.
Notably, a CCPA privacy policy includes a Do Not Sell My Personal Information link, and other details regarding the unique rights of California consumers (such as the right to request access to personal information collected about them).
Furthermore, you must update your CCPA privacy policy at least once a year to comply with the law.
3. CCPA Privacy Policy Requirements
CCPA privacy policy requirements include having specific clauses, using appropriate wording, and including unique links.
Let’s review the key requirements you need to meet to create a CCPA privacy policy, or make your current privacy policy CCPA compliant.
What to Include in a CCPA Privacy Policy
The CCPA outlines what information your business needs to disclose to consumers about your treatment of data. Here’s what a CCPA-compliant privacy policy needs to include:
1. What Personal Information Is Collected
Your privacy policy needs to detail what personal information you collect from consumers. Common types of personal information that are protected under the CCPA include:
- Names
- Contact information (e.g., email address, phone number)
- Residential information
- Employment history
- ID information (e.g., social security numbers, employment ID number)
- Credit card information
- Biometric data
- Browsing information
- Cookie data (information collected by cookies or similar tracking technologies)
- Visual, audio, facial, and thermal data
These are common examples of categories of information that businesses collect from consumers. The official CCPA text further outlines categories of protected personal information.
Your privacy policy should explicitly state the categories of personal information you collect.
2. With Whom You Share or Sell Personal Information
One of the primary goals of the CCPA is to regulate the buying and selling of personal data. The legislation seeks to do this by mandating that businesses disclose the third parties with whom they share or sell personal information.
Take, for example, the section in Walmart’s privacy policy that addresses the sharing of information.
This privacy notice includes a table that clearly outlines what categories of information are shared for commercial purposes, and with whom they’re shared:
Although you don’t need to detail your data sharing in a table, strive to match this level of transparency in order to maximize your notice’s CCPA compliance.
3. What Rights California Consumers Have
Under the CCPA, consumers have been granted unique rights. These include:
- The right to request access to information collected from or about them
- The right to request information be edited or deleted
- The right to not be discriminated against based on actions they take regarding their data
- The right to opt out of the sale of their personal information
You need to explain these rights to consumers in your CCPA privacy policy, as you can see in SFGate’s privacy policy:
This sample privacy notice includes an explanation of each right, and provides links for California consumers who wish to act on their rights.
4. Do Not Sell My Personal Information Link
The inclusion of a Do Not Sell My Personal Information link is a unique CCPA privacy policy requirement.
This can appear as just a link within your privacy policy, or as an entire section that explains the right to opt out of data sale and provides a Do Not Sell link.
No matter how you choose to display your Do Not Sell information, it should be visible within your privacy policy and should direct users to a mechanism that allows them to opt out of the sale of their personal information.
Here’s an example of a CCPA privacy policy that dedicates an entire section to Do Not Sell My Personal Information. Take a look at NerdWallet’s California privacy policy:
NerdWallet gives consumers detailed instructions on how they can opt out of the sale of their personal information.
Not only should your California privacy policy include information and instructions on opting out of the sale of personal information, but you also need to include a Do Not Sell My Personal Information link on your website’s homepage.
CCPA Privacy Policy Language
In addition to requirements about what a compliant privacy policy should include, the CCPA mandates that it be easily readable and use specific language.
Here are the two key requirements for the language of your CCPA privacy policy:
1. Use Plain English
To comply with the CCPA, your privacy notice must be written in plain, understandable English. The average user should be able to easily read and comprehend your privacy policy. Here are some tips to ensure CCPA-compliant language:
- Avoid legalese
- Break your privacy policy into sections with clear headings
- Explain everything carefully, yet concisely
- Use a font large enough that most users can easily read the text of your privacy policy
2. Label Your California Sections or Policy
You can either edit a standard privacy policy template or a privacy policy template for small businesses to include CCPA specifications, or you can provide a dedicated CCPA privacy policy.
If you use a single privacy policy for all your users, make sure you label CCPA-specific sections clearly. For example, you may choose to title a section of your policy “California Privacy Rights” and outline CCPA rights and actions within that section.
If you have a dedicated CCPA policy, make sure it’s linked on your website with text such as “California Privacy Policy” or “CCPA Privacy Policy.”
The goal is to ensure your California consumers can easily find the privacy policy that applies to them and their unique CCPA rights.
Where to Put a CCPA Privacy Policy
Link to your CCPA privacy policy in prominent locations, such as your:
- Website’s footer
- Website’s menu
- Sign-up pages
- Checkout pages
- Contact forms
4. Sample CCPA Privacy Policy
Many companies have implemented CCPA privacy policies since the law took effect. Look at how other businesses follow CCPA guidelines in their privacy notices to get a better idea of how your CCPA privacy statement should look.
For example, the LA Times privacy policy provides us with a great sample CCPA privacy statement. Let’s look at what the LA Times is doing right.
First, they clearly label the section dedicated to California consumers. Within this section, they provide a detailed table of categories of personal information they may collect, where it may be collected from, how it may be used, and with whom it may be shared:
The above example is only an excerpt from the privacy statement’s California notice of collection section. The table continues to extensively detail the site’s handling of California consumer information.
Further down their privacy policy, the LA Times provides consumers with a Do Not Sell My Personal Information section:
This section explains the CCPA right to opt out, and gives users instructions on how they can request that their personal information not be sold.
Finally, the LA Times policy includes a section on California consumers’ rights under the CCPA:
Notice that throughout each section of this example, the privacy policy uses simple, reader-friendly language and an easy-to-navigate format.
Follow the example set forth by the LA Times by making your own CCPA privacy policy clear, comprehensive, and user-friendly.
5. CCPA Privacy Policy Checklist
Here’s a CCPA privacy policy checklist for you to create a compliant policy:
- Generate a privacy policy or open and edit your existing privacy policy.
- Ensure your entire policy uses plain English, readable text, and is formatted for easy navigation.
- Label your CCPA policy or CCPA section of your policy to indicate that it’s for California consumers.
- Add a notice of collection, in which you detail what categories of personal information you collect, how you collect it, how you use it, and with whom you share it. (This section is most commonly formatted as a table.)
- Add a section titled “California consumers’ rights.” Explain the rights Californians have under the CCPA and how they can act on these rights (for example, how they can request that your website delete their personal information).
- Add a Do Not Sell My Personal Information link (or section) that allows consumers to opt out of the sale of their personal information.
- Implement systems that allow you to handle CCPA requests, such as Do Not Sell requests.
- Add accurate contact information to your policy.
- Update your privacy policy at least every twelve months.
- Link to your CCPA privacy policy in conspicuous locations on your website.
Create a CCPA privacy policy now to comply with the California privacy law.