CCPA Privacy Policy Template


When the GDPR was enacted in 2018, businesses all over the world were forced to rework their Privacy Policies, websites and business practices in response to the regulation's new rules. This also forced countries to begin overhauling their own privacy laws to comply with the EU's stricter privacy regulations.

Businesses and countries must once again review their Privacy Policies and laws now that the CCPA was enacted on January 1, 2020. The CCPA is an overarching and overreaching privacy law that adds further protections for consumers regarding their privacy online.

If your company is looking to rewrite its Privacy Policy, take a look at the article below for tips on how to comply with the CCPA.

What is the CCPA?

The CCPA, or the California Consumer Privacy Act, is the latest privacy law to be enacted in the world with far-reaching effects. The act came into effect at the beginning of 2020 with the purpose of enhancing the rights of California consumers and creating a transparent relationship between websites or apps and their users. The act gives consumers "more control" over the personal information that businesses collect about them.

The four major rights it gives California consumers are:

  • Right to know what information is collected
  • Right to have their information deleted
  • Right to opt-out of the sale of their information to third-parties
  • Right to not be discriminated against if they exercise their rights under the CCPA

What qualifies as "personal information" under the CCPA can include a large amount of information. The act's definition is intentionally broad to include as much as possible, including:

  • Social Security Numbers
  • Email addresses
  • Records of previous purchases
  • Geolocation data
  • Search histories

Note, the above list is not exhaustive. Any information that "identifies, relates to, or could reasonably be linked" to a consumer is considered private information.

Who is Required to have a CCPA Privacy Policy?

Like the act's definition of "private information," what businesses fall under its umbrella is also intentionally broad. However, there are exceptions.

The act only applies to for-profit businesses. The CCPA does not apply to non-profits or governmental agencies.

To take this a step further globally, any business, including data brokers, that does business in California or has a consumer in California must have a CCPA Privacy Policy. The location doesn't matter. This is one of the reasons why the CCPA is such an important law that can affect businesses worldwide.

In addition to being a for-profit business and doing business in California or having California consumers, your business must meet at least one of the following additional thresholds:

  • Gross revenue of over $25 million;
  • Buying, selling, or receiving the information of over 50,000 California residents; OR
  • Deriving 50% or more of your income from the sale of the information of California residents

Note the "or." You have to meet only one of the additional items, not all of them, for the CCPA to apply.

Failure to Comply with the CCPA

The only way a consumer can sue under the CCPA is if there is a data breach at the business, and even then there are certain limitations.

First, a consumer can sue if the business failed to "maintain reasonable security procedures and practices" to protect the information. If this happens, a consumer can:

  1. Sue for monetary damages that they suffered because of the breach, up to $750 per breach
  2. Sue for statutory damages
     • Before doing so, consumers must give the business written notice of which CCPA section it has violated and allow 30 days for the business to cure it

A consumer cannot sue if your business has been able to cure the violation and provides a written statement confirming the cure.

Other violations under the CCPA can only be brought by the Attorney General of California. Consumers can file a "consumer complaint" with the Attorney General which could lead to a lawsuit. This is why making sure your policy follows the guidelines of the CCPA is extremely important.

How to Draft a CCPA Privacy Policy

The CCPA does have specific requirements you must include in your Privacy Policy. Failure to include any of these could leave your website or business open to future issues. The main sections you must have are:

  • CCPA consumer rights
  • How to request access to information
  • How to request deletion of information
  • What information is collected
  • Where and how information is collected
  • Why your business gathers the information
  • Do Not Sell My Information page
  • Right to non-discrimination
  • Personal information disclosed for business purposes

Let's take a closer look at each of these.

CCPA Consumer Rights

As we mentioned above, the CCPA's greatest impact on privacy laws is that it has given additional rights to California residents for how they can control the collection and use of their personal information.

Know What Information. Consumers have the right to know what information is being collected by the business.

Delete Information. They have the right to request that their information be deleted from the website or app.

Opt-Out of Selling Information. Consumers are able to tell websites that their information is not allowed to be sold to third-parties.

Not be Discriminated Against. They also have the right to not be discriminated against if they choose to exercise any of the above rights.

It is recommended that you include a section somewhere in your Privacy Policy notifying California users of these rights. You can include it on a separate California residents page or within your policy.

A critical thing to note is that only California residents have rights under the CCPA. A resident of New York will not have access to the same rights. California residents who are temporarily outside of the state still retain those rights.

Right of Access

California consumers under the CCPA have the "right to know about the personal information" that is collected by a business, website, or app.

This information a consumer has the right to access or request can include:

  • Categories of personal information collected
  • Specific pieces of information
  • Types of sources the information is collected from
  • Why the information is collected
  • Types of third-parties the business shares the information with
  • Categories of information the business sells

If a business sells your information, all of these categories also apply to what is being disclosed or sold to third-parties.

Businesses must offer at least two different methods for requesting what information is collected, and one of them must be a toll-free number. The other methods could be an email address, a website form, or a paper form. This information should be stated somewhere in your policy.

Apple has a good example of how to have two options, the toll-free number and an email address:

Apple California Privacy Disclosures: How to exercise rights section

If your business has a website, one of the methods must be through the website. However, if your business is only online, you only need to provide an email address.

When a consumer submits a request to know, businesses have 45 calendar days to respond. This time limit can be extended by another 45 days if the business notifies the consumer.

You can state how consumers can make those requests as Canva does:

Canva Privacy Policy: Making a request in relation to your personal information clause

Requesting Deletion

One of the rights given under the CCPA is the right to request deletion of information collected by businesses, so it is essential and a requirement that you have a section in your policy stating how a consumer can do this.

Your business must provide at least two ways for a consumer to request deletion. Any combination works, as long as there are at least two. These can be through a:

  • Toll-free number
  • Website form
  • Email address
  • Paper copy form

Wells Fargo combines a phone number and a link to submit a request via a website form:

Wells Fargo CCPA Notice: How to Make Requests clause

Do Not Sell My Information Page

The right to opt-out of the sale of information allows consumers to tell businesses that they cannot sell their private information once they have received the opt-out request. This can change if the consumer decides to opt back in. However, there is a grace period of 12 months before a business can ask a consumer to opt back in.

How this affects your Privacy Policy is that under the CCPA, you must provide a "clear and conspicuous Do Not Sell My Personal Information" link on your website. This link will then take the customer to a request form or "page" where they can submit their opt-out request.

Remember, the link needs to be easily accessible since this is a requirement under the law.

Uber offers a separate link in its footer to its Do Not Sell Page:

Uber website footer: Do not sell link

You can create a simple request form on your page where consumers can request as Six Flags does on its website:

Six Flags: Screenshot of CCPA Request for Information form

What Information You Collect

The CCPA's requirement for detailing what private information is collected is similar to other laws, such as the GDPR. It clearly gives consumers the right to ask what information businesses have "collected, shared, or sold about" them. The information provided to consumers must cover the 12-month period preceding the request.

The CCPA provides a long list of the types of information collected that fall under its purview. Here are just a few:

  • Identifiers (email addresses, street addresses, maiden name)
  • Protected legal characteristics
  • Commercial information
  • Biometric information
  • Internet activity
  • Geolocation information
  • Employment information

REI provides a detailed example of all of the information that it collects:

REI Privacy Policy: Collection of Information clause - Information You Provide to Us section

Where and How You Collect Personal Information

The CCPA requires that the "sources" from which you collect the private information must be disclosed. It's not necessary to go into great detail as you would for what information is collected, just where you collected the information. This section can also cover the "how" you collect personal information as well.

Examples of sources are online forms, email lists, checkouts, site usage, etc.

Blue Apron sources include analytic vendors and cookies:

Blue Apron Privacy Policy: Information collection via third party and cookies section

Weebly's sources, on the other hand, include social media, direct sources, devices, and affiliates:

Weebly Privacy Policy: Sources of Information We Collect About You clause

Why You Collect Personal Information

The "purposes" for which your business or website collects the private information must be clearly stated in an understandable way. These can include the use of cookies, advertising, website optimization, or other reasons.

Make sure you include all of the different ways you use the information. Using the data in a way that was not listed, or that the consumer did not give permission for, could be a violation of the act and could leave your business liable.

You can separate your reasons as the BBC does or create a simple list. As long as it's clear, that's what's most important:

BBC: Screenshot of what are you doing with my information help page

Right to Non-Discrimination

A business or website cannot discriminate against a consumer who chooses to exercise one of their rights under the CCPA.

If a consumer exercised one of their rights, a business cannot:

  • Deny goods or services
  • Charge a different price from other consumers
  • Provide a different level of quality of their goods or services

It's recommended to state in your policy, or in your California resident section, that your business does not discriminate against consumers who choose to exercise their rights, as Macy's does in its California section:

Macys Notice of Privacy Practices: CCPA section with non-discrimination statement highlighted

Personal Information Disclosed for Business Purposes

A unique feature of the CCPA is that it requires businesses to disclose to consumers all types of information they have disclosed for "business purposes" in the last 12 months.

Under the CCPA, a "business purpose" can be any one of the following. The list below isn't complete, as there are any number of business purposes for which your business may sell the information.

The ones included in the act are:

  • Security of website and information collected
  • Short-term uses
  • Performing services
  • Testing or improvement of the website
  • Auditing (analytics, advertising)
  • Fixing or identifying issues
  • Internal research

Even if you haven't disclosed personal information in the last 12 months, you still need to notify users that you haven't done so. In this particular section, it's better to be overly descriptive than vague about what information you disclosed and why.

Hulu lists every type of provider and what type of information is disclosed:

Hulu Privacy Policy: Sharing Information with Others clause excerpt

Where to Include Your Privacy Policy

Notice of Collection

First, before we delve into where a CCPA Privacy Policy should be, you should be aware that the CCPA requires a "notice at collection" of private information.

A notice must disclose which categories of information are collected and the purpose for the collection. If your business or website sells personal information, then the notice must also include a "Do Not Sell" link. The notice must contain a link to your Privacy Policy where consumers can learn more.

The notice must be given "at or before" the point of collection. This can be on your business's homepage or the checkout page. If your business is a brick-and-mortar store, you can have a flyer notifying users of the collection.

Where to Put Your Policy

Thankfully, the CCPA tells consumers where they can look for a link to a business's Privacy Policy. It recommends placing the link in the footer of the website. The CCPA also directs consumers to look for a link in the Settings section of a mobile app.

Since the CCPA has given direction on where to look, it's best to follow its suggestions and include your link in the footer, the settings page, or a sidebar where consumers can easily access it.

Coach includes its link in its footer:

Coach website footer with Privacy Policy link highlighted

The CCPA mentions many businesses will have a link to their privacy policy, but also a link to "California Privacy Rights" or "California Residents." This is an indication to the consumer that if they are from California, they can find out more information from these specific links. You can include a link to your general Privacy Policy and a link specific for California residents as well.

Summary

The CCPA requires additional items in a business's Privacy Policy. The act is designed to give California consumers more rights and control over the information your business collects about them.

These rights are:

  • Right to access
  • Right to delete
  • Right to opt-out of the sale of their information
  • Right to not be discriminated against

How this is reflected in your policy is that you are now required to have certain sections. If you don't have these sections, you may be in violation of the CCPA:

  1. Right to access information
  2. Right to delete information
  3. Do Not Sell Information Page
  4. What information is collected
  5. Where and how information is collected
  6. Why you collect the information
  7. Right to not be discriminated against if they submit a request under the CCPA
  8. What information is disclosed for business purposes

Your link to your Privacy Policy, and to your California policy if you have one, should be easily accessible in your website footer and in the Settings or another menu of a mobile app.