In short
Are you looking for a professional CCPA privacy policy template? Then you’re in the right place.
Figuring out what a CCPA privacy policy should include can be tricky, but we’ve got your back. In this guide, we explain what a CCPA/CPRA privacy policy should include, and provide you with examples and an easy template.
In this article
- Do you need a CCPA privacy policy?
- Does the CCPA/CPRA apply to you?
- What is required in a CCPA privacy policy?
- CCPA (CPRA) comparison to other major privacy laws
- What is an example of CCPA policy?
- Monitoring privacy compliance: key performance indicators (KPIs)
- Download our sample California privacy policy template for your website
- What are the penalties for violating the CCPA?
- How to generate a valid CCPA privacy policy
- CCPA / CPRA privacy policy: FAQs
Do you need a CCPA privacy policy?
You need a CCPA privacy policy if the CCPA/CPRA applies to you.
The CCPA (as amended by the CPRA) applies to any for-profit entity doing business in California that meets at least one of these thresholds:
- it buys, sells, or shares the personal information of 100,000 or more California consumers or households per year,
- it has annual gross revenues above $25 million (a figure adjusted for inflation every two years; $26,625,000 as of January 1, 2025), or
- it derives 50% or more of its annual revenue from selling or sharing consumers’ personal information.
Note that the CCPA reaches businesses outside California too. The test is whether you do business in California and handle California residents’ personal information, not where your company is based: a business anywhere in the world whose services are used by Californians may need to comply.
Does the CCPA/CPRA apply to you?
Apply the three thresholds above to your own numbers: if you are a for-profit entity doing business in California and any one of them holds, the law applies and you need a CCPA/CPRA privacy policy. If you are unsure, the sections below walk through what the policy must contain and what non-compliance costs.
What is required in a CCPA privacy policy?
Under the CCPA (California Consumer Privacy Act), as amended by the CPRA, businesses must include specific disclosures in their privacy policies to inform consumers about their data practices and rights. These disclosures must be complete, up to date, and easily accessible from the business’s website or app (typically via a footer link on every page).
The following are the key elements that must be included in a CCPA privacy policy:
- Categories of personal information: the privacy policy must disclose the categories of personal information that the business has collected, sold, or shared in the past 12 months. This includes information such as names, addresses, email addresses, internet activity, geolocation data, and more.
- Categories of third parties: businesses must disclose the categories of third parties with whom they have shared or sold personal information. This includes service providers, advertisers, marketing partners, and other third parties involved in data processing activities.
- Categories of sources: the privacy policy must explain the categories of sources from which the business collects personal information. This includes information collected directly from consumers, information obtained from third-party sources, and information collected automatically through cookies or other tracking technologies.
- Business/commercial purpose: businesses must disclose the business or commercial purposes for which they collect, sell, or share personal information. This includes purposes such as providing services to consumers, marketing products or services, conducting analytics, and other legitimate business purposes.
- Consumers’ rights: the privacy policy must inform consumers of their rights under the CCPA: the right to know what personal information the business collects, uses, shares, or sells; the right to request deletion; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of personal information; the right to limit the use and disclosure of sensitive personal information (added by the CPRA); and the right not to be discriminated against for exercising any of these rights.
- How to exercise rights: businesses must provide clear and conspicuous information on how consumers can exercise these rights. This includes instructions for submitting requests to know, delete, or correct personal information, how to opt out of sale or sharing, and how to contact the business with privacy-related inquiries or complaints. If you sell or share personal information, this includes a “Do Not Sell or Share My Personal Information” link on your homepage, and the policy must describe how the business processes opt-out preference signals such as Global Privacy Control.
- Contact information: the privacy policy must include contact details for consumers to reach out to the business with privacy-related inquiries or complaints. This may include an email address, phone number, or physical mailing address.
- Date of last update: businesses must indicate when the privacy policy was last updated. The CCPA requires businesses to review and update their privacy policies at least once every 12 months to keep them aligned with the law.
If you already have a privacy policy, make sure you have or add these CCPA (CPRA) privacy policy requirements, or take a look at our CCPA privacy policy template below (California privacy policy template).
Do you also need a toll-free number for CCPA compliance?
Under the CCPA and the CPRA, consumers have the right to know: they can ask a business that collects and processes their personal information what it holds about them. A business must offer two or more designated methods for submitting these requests. The methods can vary from business to business, but they must include, at a minimum, a toll-free telephone number and, if the business maintains a website, a way to submit the request through that website.
There is one exception. A business that both
- operates exclusively online, and
- has a direct relationship with the consumers from whom it collects personal information
is only required to provide an email address for submitting requests and may omit the toll-free number. Both conditions must hold; an online-only business that buys data about consumers it has no direct relationship with does not qualify.
CCPA (CPRA) comparison to other major privacy laws
The following table gives a side-by-side comparison of key aspects of the CCPA/CPRA (California Consumer Privacy Act as amended by the California Privacy Rights Act), the GDPR (General Data Protection Regulation) and Brazil’s LGPD (Lei Geral de Proteção de Dados), looking at their similarities, differences, and implications for businesses and individuals.
| Aspect | CCPA/CPRA | GDPR | LGPD |
|---|---|---|---|
| Scope | Applies to for-profit businesses that meet the statutory thresholds and collect personal information of California residents, regardless of where the business is located | Applies to organizations established in the EU/EEA and to any organization that processes personal data of individuals in the EEA when offering them goods or services or monitoring their behavior | Applies to any processing carried out in Brazil, aimed at offering goods or services to individuals in Brazil, or involving data collected in Brazil, regardless of where the processor is located |
| Lawful basis / consent | Opt-out model: consumers may opt out of the sale or sharing of their personal information; opt-in consent is required only to sell or share the personal information of consumers under 16 | Every processing activity needs one of six lawful bases, of which consent is only one; consent must be a freely given, specific, informed and unambiguous opt-in, and explicit for special categories of data | Every processing activity needs one of the legal bases listed in the law, of which consent is only one; consent must be free, informed and unambiguous, and specific for sensitive data |
| Data Protection Officers (DPOs) | No requirement to appoint a DPO | Mandatory DPO for public authorities and for organizations whose core activities involve large-scale regular monitoring or large-scale processing of special-category data | Controllers must appoint a person in charge of personal data processing (encarregado) |
| Penalties for non-compliance | Administrative fines and civil penalties of up to $2,663 per violation, and up to $7,988 per intentional violation or violation involving consumers known to be under 16 (figures as adjusted on January 1, 2025); a separate private right of action exists for data breaches | Fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious violations | Fines of up to 2% of the group’s revenue in Brazil in the previous year, capped at R$50 million per violation |
| Data subject rights | Right to know/access, delete and correct personal information; right to opt out of sale or sharing; right to limit the use of sensitive personal information; right to non-discrimination | Right of access, rectification, erasure, restriction of processing, data portability and objection, plus rights relating to automated decision-making | Right to confirm processing and to access, correct, anonymize, block or delete data; data portability; right to information about the entities with which data is shared |
| Transparency requirements | Businesses must publish a privacy policy and provide notice at collection disclosing the categories of data collected, their sources, the purposes, and the third parties they are shared with | Businesses must provide privacy notices covering the controller’s identity, purposes, lawful basis, recipients, retention and data subject rights | Businesses must provide clear, accessible information about the processing, including purposes, retention, sharing and the controller’s contact details |
What is an example of CCPA policy?
Want to see what CCPA clauses look like in a real policy? Take a look at our own privacy policy example created using our user-friendly generator.
Our Privacy and Cookie Policy Generator allows you to include all the essential components:
- Categories of personal information: the CCPA privacy policy template outlines the specific categories of personal information that the company collects, uses, sells, or shares.
- Information collection: the privacy policy template clarifies the sources from which the company collects personal information and describes the methods used for collection.
- Purpose of data usage: it explains the purposes for which the company uses the collected personal information.
- Data retention: the privacy policy template discloses the duration for which the company retains the personal information it gathers.
- Third-Party disclosure: it details the circumstances under which the company may share personal information with third parties for business purposes.
- Sale or sharing of personal information: the privacy policy addresses the company’s practices concerning the sale or sharing of personal information and provides information on how individuals can opt out of such activities.
- Privacy rights: it informs individuals about their rights under the California Consumer Privacy Act (CCPA), including the right to opt out, access their personal information, request deletion or correction of inaccurate information, and limit the use of sensitive personal information.
- Non-retaliation: the privacy policy assures individuals that they will not face any negative consequences or discrimination for exercising their privacy rights.
- Exercising rights: it outlines the process and means by which individuals can exercise their privacy rights and submit requests.
- Request handling: the CCPA privacy policy template specifies how and when the company will handle individuals’ privacy-related requests in a timely and appropriate manner.
The iubenda privacy policy document is a real website privacy policy sample for California; it shows how we cover the privacy rights of individuals in California.
The document outlines the categories of personal information of California residents that are collected, used, sold, or shared. It is a section dedicated to California consumers within the general privacy policy, and includes details on individuals’ rights, such as the right to access and delete their data and the right to opt out of the sale or sharing of their personal information. It also covers Global Privacy Control (GPC), the browser-level opt-out signal (sent as the Sec-GPC request header) that the CPRA regulations require businesses to treat as a valid request to opt out of sale or sharing, and it explains how to contact the business with privacy-related inquiries or complaints.
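Honoring GPC is the one part of the opt-out right that a web application has to get right in code rather than in prose. The check below is an added example written for this article; it is not code from the page or from iubenda. It assumes a Node-style request whose headers are available as a plain object, a stored opt-out cookie named ccpa_opt_out (an assumed name recording a click on the “Do Not Sell or Share” link), and a constructed list of script tags; the /.well-known/gpc.json body follows the GPC specification.

```javascript
// Added example, not code from the page or from iubenda: recognising a Global
// Privacy Control opt-out on the server and gating sale/sharing accordingly.
// Per the GPC specification, the request header "Sec-GPC: 1" is the only valid
// opt-out value; any other value, or no header at all, means no signal was sent.

// Assumed name of the cookie that records a user's click on the
// "Do Not Sell or Share My Personal Information" link.
const OPT_OUT_COOKIE = 'ccpa_opt_out';

// Case-insensitive header lookup: frameworks differ on whether header names
// are lower-cased, and a missed header here silently ignores an opt-out.
function headerValue(headers, name) {
  const want = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === want) {
      return Array.isArray(value) ? String(value[0]) : String(value);
    }
  }
  return undefined;
}

// Minimal Cookie header parser, constructed for this example; a real
// application would use its framework's cookie parser.
function parseCookies(cookieHeader) {
  const cookies = {};
  for (const part of (cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const key = part.slice(0, eq).trim();
    if (key) cookies[key] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return cookies;
}

// Decide whether the request carries a valid opt-out of sale/sharing.
// The GPC signal is checked first and honoured even when no stored
// preference exists, because the CPRA regulations treat the signal itself
// as the opt-out request.
function optOutStatus(headers) {
  const gpc = headerValue(headers, 'Sec-GPC');
  if (gpc !== undefined && gpc.trim() === '1') {
    return { optedOut: true, source: 'gpc' };
  }
  const cookies = parseCookies(headerValue(headers, 'Cookie'));
  if (cookies[OPT_OUT_COOKIE] === '1') {
    return { optedOut: true, source: 'cookie' };
  }
  return { optedOut: false, source: null };
}

// Gate the scripts that would sell or share data (ad tags, data-broker
// pixels). `sharesData` marks the tags that count as "sale or sharing";
// first-party application code is always loaded.
function scriptsToLoad(headers, tags) {
  const { optedOut } = optOutStatus(headers);
  return tags.filter((tag) => !(optedOut && tag.sharesData)).map((tag) => tag.src);
}

// Body for GET /.well-known/gpc.json, which the GPC specification uses so
// a site can announce that it honours the signal. `lastUpdate` is YYYY-MM-DD.
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Constructed sample data for the example (hypothetical hosts and values).
const SAMPLE_TAGS = [
  { src: '/js/app.js', sharesData: false },
  { src: 'https://ads.example/pixel.js', sharesData: true },
];
const REQ_GPC = { 'sec-gpc': '1' };
const REQ_PLAIN = { 'user-agent': 'Mozilla/5.0' };
const REQ_COOKIE = { Cookie: `${OPT_OUT_COOKIE}=1; session=abc123` };
const REQ_GPC_ZERO = { 'Sec-GPC': '0' };
```

With these inputs, scriptsToLoad(REQ_GPC, SAMPLE_TAGS) returns only /js/app.js, REQ_PLAIN gets both tags, and a Sec-GPC value of 0 is not treated as an opt-out. The result of optOutStatus should also be written to the business’s opt-out records, because the regulations require a GPC signal to be treated like a click on the link, including for a logged-in consumer whose profile the business can associate with the browser.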
Download our sample California privacy policy template for your website
A CCPA (CPRA) privacy policy template is just a good starting point, and the legal text should be customized to specific data processes and laws. If you need a general version, check out our privacy policy template. Remember that privacy policies are legal documents, and they must contain business-specific information to avoid potential risks.
How to use the template
- Download the template: get our free California website privacy policy template in Word/PDF format, or copy and paste the HTML directly into your website.
- Fill in company/site and contact details: before publishing, fill in all [brackets] with your company/site info and contact details. Remember also to add the effective date.
- Customize personal information: the template simply provides examples of data processing. Customize the different sections.
- Address legal obligations: the template includes provisions for CCPA regulations. Check which privacy laws apply to you and customize your privacy policy according to your location and your users’ locations to meet legal requirements.
Looking for a valid custom document?
If you want a dynamic online document that you can update at any time and rely on more than a static template, we recommend a privacy policy generator: it covers multiple laws at once.
CCPA privacy policy template (HTML text)
Copy and paste the CCPA Privacy Policy Template HTML directly into your website.
<h1><strong>Privacy Policy of [Your Company Name]</strong></h1>
<p><strong>Effective Date</strong>: [Insert Date]</p>
<h3><strong>Owner and Data Controller</strong></h3>
<p><em><strong>Note:</strong> Disclose your identity and provide all the information needed to contact you.</em></p>
<p><strong>Owner contact email:</strong> [your email address]<br /><strong>Business address:</strong> [your physical address]<br /><strong>Phone number:</strong> [your phone number]</p>
<p>This privacy policy describes how [Your Company Name] ("we," "us," or "our") collects, uses, shares, and protects the personal information of California residents in accordance with the California Consumer Privacy Act (CCPA).</p>
<h3><strong>Categories of personal information collected, used, sold, or shared</strong></h3>
<p><em><strong>Note:</strong> Summarize the categories of personal information you've collected, used, sold, or shared. List only what actually applies.</em></p>
<p>We collect the following categories of personal information about you:</p>
<ul>
<li><strong>Personal identifiers</strong>: name, email address, phone number.</li>
<li><strong>Payment information</strong>: credit card details, billing address.</li>
<li><strong>Internet activity</strong>: IP address, browser type, and browsing behavior.</li>
<li><strong>Commercial information</strong>: transaction history.</li>
</ul>
<p>We do not collect <strong>sensitive personal information</strong> such as social security numbers, racial or ethnic data, or biometric information.</p>
<p><em><strong>Note:</strong> If you DO collect sensitive data, replace the paragraph above with a disclosure like: "We collect sensitive personal information such as government-issued identifiers (e.g., Social Security Number) when necessary for specific services, like verifying your identity for financial transactions."</em></p>
<p>We will not collect additional categories of personal information without notifying you.</p>
<h3><strong>What are the purposes for which we use your personal information?</strong></h3>
<p><em><strong>Note:</strong> Describe why you collect and process personal information. Remove any purposes that don't apply.</em></p>
<p>We use the personal information we collect for the following purposes:</p>
<ul>
<li><strong>To provide and maintain our products and services</strong>: making sure you can access and use what we offer.</li>
<li><strong>To process and fulfill your orders and requests</strong>: using your contact and payment information to complete transactions.</li>
<li><strong>To personalize your experience and improve our website</strong>: analyzing user behavior to tailor content and recommendations.</li>
<li><strong>To communicate with you, respond to inquiries, and provide support</strong>.</li>
<li><strong>To send you promotional materials and updates</strong>, if you have consented to such communication.</li>
<li><strong>To comply with legal obligations and protect our rights</strong>.</li>
</ul>
<p>We won't process your information for unexpected purposes or for purposes incompatible with the purposes originally disclosed, without your consent.</p>
<h3><strong>How long do we keep your personal information?</strong></h3>
<p><em><strong>Note:</strong> Explain your data retention periods. Adjust the examples to your actual practices.</em></p>
<p>We will retain your personal information for as long as necessary to fulfill the purposes outlined in this privacy policy or as required by law. For example:</p>
<ul>
<li><strong>Account information</strong>: kept for as long as your account is active or as needed to provide services to you.</li>
<li><strong>Transaction data</strong>: may be retained for up to 7 years for tax and accounting purposes.</li>
</ul>
<p>After the retention period has expired, we will securely delete or anonymize your personal information, unless retention is required by law.</p>
<h3><strong>How we collect information: what are the sources of the personal information we collect?</strong></h3>
<p><em><strong>Note:</strong> Explain how you collect information, e.g. web forms, automated technologies, third parties.</em></p>
<p>We collect your personal information in the following ways:</p>
<ul>
<li><strong>Directly from you</strong>: when you provide information during account creation, purchase, or customer support interactions.</li>
<li><strong>Through automated technologies</strong>: information collected automatically when you interact with our website, such as IP addresses, cookies, and browser data.</li>
<li><strong>From third parties</strong>: information we may receive from services like social media platforms or marketing partners.</li>
</ul>
<h3><strong>Your rights as a user</strong></h3>
<p>Under the CCPA, you have:</p>
<ul>
<li><strong>The right to opt out of the sale or sharing of your personal information</strong>: use the "Do Not Sell or Share My Personal Information" link on our homepage, or send a request to [email address].</li>
<li><strong>The right to access personal information</strong>: request a copy of the personal information we hold about you.</li>
<li><strong>The right to request the deletion of your personal information</strong>, subject to certain exceptions.</li>
<li><strong>The right to correct inaccurate personal information</strong>.</li>
<li><strong>The right to non-discrimination</strong>: you will not face discrimination for exercising any of your rights.</li>
</ul>
<p><em><strong>Note:</strong> If you sell or share personal information (including for targeted advertising), the CCPA/CPRA requires a "Do Not Sell or Share My Personal Information" link on your homepage, referenced in your privacy policy. Remove the link reference only if you don't sell or share data. Additional rights may apply under the CPRA. Check which apply to your business.</em></p>
<h3><strong>How to exercise your rights</strong></h3>
<p><em><strong>Note:</strong> Describe how users can submit a verifiable request and what it must contain.</em></p>
<p>To exercise your rights under the CCPA, please submit a verifiable request to [email address or method]. Please include:</p>
<ul>
<li>your full name,</li>
<li>the specific request (e.g., to access or delete personal information),</li>
<li>information verifying your identity (e.g., account number, order details).</li>
</ul>
<h3><strong>How and when we are expected to handle your request</strong></h3>
<p>Once we receive your request, we will confirm receipt within <strong>10 business days</strong>, verify your identity, and respond within <strong>45 days</strong>. If we need more time (up to an additional 45 days), we will notify you of the extension and explain why it is necessary.</p>
Monitoring privacy compliance: key performance indicators (KPIs)
Clear performance metrics are essential for any organization working towards privacy compliance. These KPIs act as benchmarks: they help you evaluate how well your privacy policies and data protection practices are working, and whether they meet regulations such as the CCPA (California Consumer Privacy Act). Tracking specific KPIs also supports consumer trust and transparency in data handling.
| Metric | Description | Target/Threshold |
|---|---|---|
| Privacy policy updates | Frequency of reviews and updates to the privacy policy. | At least once every 12 months, or whenever your practices or the regulations change. |
| User consent rate | Percentage of users who consent to the privacy policy and data processing practices where consent is requested. | Target >90% consent rate. |
| Data access requests completed | Number of requests to know/access fulfilled within the legal timeframe. | 100% completed within 45 days (CCPA requirement; one 45-day extension is allowed if the consumer is notified). |
| Opt-out requests processed | Number of requests to opt out of sale or sharing (including GPC signals) honored. | 100% processed within the legal timeframe (the CPRA regulations require no later than 15 business days). |
| Privacy inquiries response time | Average time to a first response on privacy-related inquiries. | Less than 24 hours for an initial response; receipt of a CCPA rights request must in any case be confirmed within 10 business days. |
| Data breach response time | Time from discovery to notifying affected users and authorities. | California’s breach notification law requires notice in the most expedient time possible and without unreasonable delay; 72 hours is the GDPR deadline for notifying the supervisory authority and a sensible internal target. |
| Third-party compliance | Monitoring that service providers and contractors comply with your privacy policy and their contractual obligations. | 100% of third parties audited annually. |
What are the penalties for violating the CCPA?
If the CCPA applies to you and you don’t have a valid privacy policy, you’re in breach of the law. The consequences of non-compliance are pretty serious:
- If you unintentionally violate the CCPA, you can be fined up to $2,663 for each violation.
- If you intentionally violate the CCPA, you can be fined up to $7,988 for each violation.
“As required under the CCPA, the California Privacy Protection Agency has adjusted, and will do so every other year, monetary thresholds, monetary damages, administrative fines, and civil penalties, in line with increases to the Consumer Price Index (CPI). The current adjustment is effective on January 1, 2025. The monetary threshold within the definition of businesses has been raised to $26,625,000, while administrative fines and civil penalties to $2,663 for each violation or $7,988 for each intentional violation and violations involving the personal information of consumers whom the violator has actual knowledge are under 16 years of age.”
While these amounts may look modest next to GDPR fines, remember that CCPA penalties are assessed per violation, and regulators can treat each affected consumer as a separate violation, so they add up quickly. Data breaches also expose the business to the CCPA’s private right of action, which carries separate statutory damages per consumer per incident.
How to generate a valid CCPA privacy policy
With iubenda:
- Generate a CCPA/CPRA privacy policy, customizable based on 1800+ clauses and available in 10 languages.
- Add a Privacy Controls widget to your site allowing California users to opt-out from processing.
- We’re among the few providers compatible with GPP & GPC, making it easier to honor these opt-out requests.
- Automatically store user preferences and document CCPA/CPRA opt-outs.
- Our solutions are backed by our international team of expert lawyers.
CCPA PRIVACY POLICY GENERATOR
Easily create your CCPA (CPRA) privacy policy in minutes with iubenda
- Having a badly-written document can cost you way more than generating a legally sound privacy policy.
- Remember: templates can be a great starting point, but you should make sure your document remains valid and up-to-date.
- With our generator, add all the relevant clauses, save, and embed the document on your website or app.

Try the generator with our 14-day money-back guarantee
CCPA / CPRA privacy policy: FAQs
Does CCPA apply outside of California?
Yes, the CCPA can apply outside California as well. Your business could be based anywhere: as long as your services are accessible in California, you may need to comply with CCPA.
Is CCPA California privacy the same as GDPR?
Though there are some similarities, CCPA and GDPR are two different laws. Just to mention a few differences:
- The GDPR has a broader scope than the CCPA, regarding both businesses and data subjects.
- The GDPR always requires a lawful basis before processing (prior opt-in consent, unless another legal basis legitimately applies), while the CCPA works on an opt-out model: opt-in consent is required only to sell or share the personal information of consumers under 16, and once a consumer has opted out the business must wait at least 12 months before asking them to authorize sale or sharing again.
- The consequences of non-compliance under the GDPR are generally harsher than under the CCPA.
Want to learn more? See our guide to the differences between CCPA and GDPR.
What is CCPA policy?
A CCPA policy is a document required to comply with the California Consumer Privacy Act. It outlines (at the very least):
- The categories of personal information of California residents that are collected, used, sold, or shared.
- What are the rights of users under the CCPA.
- How users can contact a business to exercise their rights.
How do I write a CCPA policy?
The safest way to write a CCPA policy is to seek the help of a legal expert: they will analyze your business situation and write a document to match your needs.
If you can’t afford to hire a legal expert, there are cheaper alternatives that are still safe to use. For example, you can rely on a generator created by legal professionals (like iubenda) that allows you to customize your document with lawyer-written clauses.
Where do I display my CCPA privacy policy?
A best practice is to add your privacy policy in the footer of your website, so that users can access it anytime. Don’t forget to also add a link to your CCPA privacy policy in places like subscriptions or contact forms.
Do I need to have a CCPA-compliant privacy policy?
You need a CCPA-compliant privacy policy if your business is for-profit, does business in California, and meets any of the following criteria: it buys, sells, or shares the personal information of 100,000 or more California consumers or households annually; it has annual gross revenues above $25 million (adjusted for inflation; $26,625,000 as of January 1, 2025); or it derives 50% or more of its annual revenue from selling or sharing California residents’ personal information. The law applies regardless of where your business is based, as long as you handle California residents’ data.
What is the standard privacy policy in California?
The standard privacy policy in California tells people how a business collects, uses, and shares personal information. It needs to be easy to find on the website and must say what kinds of personal information are collected, how the business keeps that information safe, and how people can review and change their personal information. It also needs to explain how the business will let people know if it changes the privacy policy and if and how it tracks users over time and across different websites.
What is required in a CalOPPA privacy policy?
A CalOPPA-compliant privacy policy must:
- Identify the categories of personally identifiable information collected and the categories of third parties with whom it may be shared.
- Be conspicuously posted and easily accessible to website visitors, typically through a link in the website footer.
- Describe any process the operator offers for users to review and request changes to their personal information.
- Explain how users will be notified of material changes to the policy, and state the policy’s effective date.
- Disclose how the site responds to “Do Not Track” signals, and whether third parties may collect personal information about users’ online activities over time and across different websites.
The “Do Not Sell or Share My Personal Information” link is a CCPA/CPRA requirement, not a CalOPPA one; if both laws apply to you, your policy needs to satisfy both sets of requirements.