If you collect personal data from California residents, even if your business isn’t based in California, you need a California privacy policy.
Personal data includes names, email addresses, credit card information, user behavior analytics, and any other information that can be used to identify a person.
As most websites collect some form of information from users in California, you most likely need a California privacy policy. Learn which California laws affect your privacy policy, how to meet these requirements in a single document, and how to create your own California privacy policy using our free template.
1. What’s a California Privacy Policy?
A California privacy policy (or California privacy notice) is a privacy policy that complies with California data protection laws such as CalOPPA, the CCPA, Shine the Light, and the Eraser Law.
You may choose to create a privacy policy that meets California standards, or to have a general privacy policy and a separate California privacy policy. If you create a separate policy, make sure it’s available everywhere your regular privacy policy is, and that it’s clear that the document applies to California residents only.
2. California Privacy Policy Laws
Your California privacy policy is subject to multiple California laws that outline how websites and businesses must disclose their handling of user data.
Here are the California privacy policy laws you need to comply with if you have users in California:
CalOPPA
The California Online Privacy Protection Act (CalOPPA) is the main privacy policy law in California. It was the first US-based law to establish the requirement for sites and apps to display a privacy policy. Although it was enacted in 2004, CalOPPA remains in effect today.
Under CalOPPA, your privacy policy must:
- Be prominently displayed
- Use plain and clear language
- Specify which types of personal information you collect (e.g., names, addresses, device data, etc.)
- State whether Do Not Track (DNT) requests will be honored
CCPA
The newest California privacy policy law is the California Consumer Privacy Act (CCPA). Enacted in 2020, the CCPA is also known as the California GDPR, and seeks to replicate data privacy laws based in Europe.
Your CCPA privacy policy must:
- Comprehensively explain how you collect, handle, share, and sell consumer data
- Be made available to consumers “at or before” the point of data collection
- Include instructions on how consumers can act on their California privacy rights, including the right to opt out of the sale of their data
Follow a CCPA privacy policy checklist if you’re subject to the law, as the CCPA outlines fairly extensive requirements for your privacy policy.
California Shine the Light Law
The California Shine the Light law has been in effect since 2003, and seeks to regulate list brokerage (the sale or sharing of consumers’ personal information for marketing benefits) in California.
Under the California Shine the Light law, your privacy policy must:
- Be linked to on your website’s homepage with the anchor text “Your California Privacy Rights”
- Describe Californians’ privacy rights under Shine the Light
- Provide valid contact information
Under the Shine the Light law, consumers also have the right to request a record of which types of their information are shared for marketing purposes. The law lists 27 applicable types of personal information.
Eraser Law
The Eraser Law (or Content Eraser Law) applies to online services that target California minors. It gives minors the right to request that information they’ve uploaded be removed from a site or service.
Under the Eraser Law, your privacy policy must:
- Include a section that explains California minors’ rights and how they can act upon them
- Make the above information clearly visible and easy to find
Your Eraser Law privacy policy should include information on California minors’ rights under a separate heading. This information cannot be buried in dense paragraphs, small text, or complicated legalese.
3. California Website Privacy Policy Requirements
You don’t need separate privacy policies to comply with each of the above laws. Instead, create a single privacy notice that meets all the privacy policy requirements for California websites.
Here are some California website privacy policy requirements you can easily meet:
1. Detail Your Data Collection
Privacy laws in California require clear and comprehensive explanations of your data collection, handling, sharing, and selling.
While the laws vary in what degree of transparency they require (for example, the CCPA has much stricter transparency requirements than Shine the Light), your privacy policy should be as transparent as possible to avoid legal consequences.
2. Include Your Contact Information
California privacy laws require your privacy policy to include valid contact details.
List your phone number, email address, mailing address, or any other contact details that consumers may need to make requests, issue complaints, or ask questions regarding your privacy policy and privacy practices.
Make sure this section is prominent and easy to find. You should include your contact details as a separate section under a visible heading within your privacy policy.
3. Explain Californians’ Rights
Your California privacy notice needs a section explaining what rights Californians have over their data. User rights will vary depending on the laws you’re subject to, so make sure you understand which of the above laws apply to your website.
This section needs to include any related links. For example, it needs to include a “Do Not Sell My Personal Information” link to comply with the CCPA. This link should direct users to a page or form through which they can opt out of having their personal information sold.
If your online service targets California minors, you should separate this into two sections:
- California Privacy Rights
- California Minors’ Privacy Rights
These sections should be easy to find and give users clear instructions on acting upon their California rights.
4. Display Your California Privacy Policy Prominently
To comply with California privacy policy requirements and laws, your privacy policy needs to be easy to find.
Display your privacy policy throughout your site by linking to it in prominent locations. Consider adding privacy policy links to your:
- Main menu
- Website footer
- Sign-up page
- Newsletter or email form
- Checkout page
- Other points of data collection
Remember, if you’re subject to the Shine the Light law, you need to link your privacy policy on your homepage using the anchor text “Your California Privacy Rights.”
4. California Privacy Policy Samples
Look to examples of California privacy policies to understand how major websites meet California privacy policy requirements:
Walt Disney Company’s Separate California Privacy Policy
The Walt Disney Company offers a privacy policy that links out to a supplementary privacy policy for California users.
This California privacy policy can be found in their menu and linked within their general privacy policy. It features an expandable menu, which makes it easy for users to find the section of the privacy policy they’re looking for.
Notice that among the laws and privacy policy samples, there’s an emphasis on making California privacy policies easy to navigate and understandable for users.
Instagram’s California Privacy Notice
Instagram’s California privacy notice is also separate from their standard privacy policy.
Like Disney, Instagram’s notice has a navigable menu and expandable sections specifically for California consumers.
Note how clearly this privacy notice outlines rights afforded to Californians.
Californians’ privacy rights are concisely stated, and a link is provided for consumers to click if they wish to act upon their rights.
WebMD’s California Privacy Policy
WebMD’s privacy policy for Californians sets a good example by clearly and comprehensively outlining their data collection. Their California privacy policy includes a table that describes categories of personal information and whether or not they collect those categories.
Along with listing categories of information and whether they collect them, WebMD’s policy gives examples of personal information that may be classified under each category.
Like WebMD, you should be as descriptive as possible about the data you collect.
5. California Privacy Policy Template
If you have California users, you need a California privacy policy to avoid legal penalties and consumer backlash. Luckily, creating a privacy notice that meets California requirements doesn’t require a lawyer — or any money.
Download our California privacy policy template for free and customize it to match your business.
If you own a small business that collects personal information from California users, you can also tailor our privacy policy template for small businesses to comply with privacy laws.
Save yourself even more time by using our free privacy policy generator to create a privacy policy that meets California requirements.