Are you looking for a professional CCPA privacy policy template? Then youâre in the right place!
Figuring out what a CCPA privacy policy should include can be tricky, but weâve got your back. In this guide, we explain what a CCPA/CPRA privacy policy should include, and provide you with examples and an easy template.
You need a CCPA privacy policy if the CCPA/CPRA applies to you.
The CCPA applies to any for-profit entity doing business in California that either:
Please note that CCPA applies outside California as well. Your business could be based anywhere: as long as your services are accessible in California, you may need to comply with CCPA.
Under the CCPA (California Consumer Privacy Act), businesses are required to include specific disclosures in their privacy policies in order to inform consumers about their data practices and rights. These disclosures must be complete, up-to-date, and easily accessible throughout the businessâs website or app.
The following are the key elements that must be included in a CCPA privacy policy:
If you already have a privacy policy, make sure you have or add these CCPA privacy policy requirements or take a look at our CCPA privacy policy template below (California privacy policy template).
Under CCPA and the CPRA, users have the right to access: they can request a business that collects and process their personal information to access the data they have about them.
As a business, you must provide consumers with two or more methods for submitting access requests. These methods can vary from business to business, but must include, at a minimum, a toll-free number and, if the business has a website, the website address.
However, some exceptions apply. Your business can avoid providing a toll-free number if:
Our solutions are backed by our international team of expert lawyers.
Get a CCPA/CPRA-compliant Privacy Policy, customizable based on 1800+ clauses and available in 10 languages.
Add a Privacy Controls widget to your site allowing California users to opt-out from processing.
Among the few providers compatible with GPP & GPC, making it easier to honor these opt-out requests.
Automatically store user preferences and document CCPA/CPRA opt-outs.
The following table provides a comprehensive comparison of key aspects within the realms of CCPA (California Consumer Privacy Act), CPRA (California Privacy Rights Act), GDPR (General Data Protection Regulation), and LGPD (Lei Geral de Proteção de Dados) in Brazil. This analysis delves into their similarities, differences, and implications for businesses and individuals.
Aspect | CCPA/CPRA | GDPR | LGPD |
---|---|---|---|
Scope | Applies to businesses collecting personal information of California residents, regardless of business location | Applies to businesses processing personal data of individuals in the European Economic Area (EEA) | Applies to businesses operating in Brazil, regardless of data processing location |
Consent Requirements | Focuses on giving consumers the right to opt out of the sale of their personal information | Generally requires explicit consent for data processing, with some exceptions | Generally requires explicit consent for data processing, with some exceptions |
Data Protection Officers (DPOs) | No specific requirement for appointing DPOs | Mandates the appointment of DPOs for certain types of organizations | No specific requirement for appointing DPOs |
Penalties for Non-Compliance | Fines of up to $7,988 per violation for intentional violations and $2,500 per violation for unintentional violations | Fines of up to âŹ20 million or 4% of global annual turnover, whichever is higher, for serious violations | Penalties of up to 2% of a companyâs revenue in Brazil |
Data Subject Rights | Right to access, delete, and correct personal information; right to opt out of sale of personal information | Right to access, rectification, erasure, restriction of processing, data portability, and object to processing | Right to access, correct, delete, anonymize, or block personal data; right to request information on third parties with whom data is shared |
Transparency Requirements | Businesses must provide privacy notices and disclose data collection and sharing practices | Businesses must provide privacy notices and be transparent about data processing practices | Businesses must provide clear information about data processing practices and obtain consent for data processing |
Applicability | Applies to businesses collecting personal information of California residents meeting certain criteria | Applies to businesses processing personal data of individuals in the European Economic Area (EEA) | Applies to businesses operating in Brazil, regardless of data processing location |
Are you curious about what a CCPA privacy policy template (California privacy policy template) looks like? We understand your need for a clear example.
Thatâs why weâve created a comprehensive CCPA compliance example using our user-friendly generator.
Our Privacy and Cookie Policy Generator allows you to include all the essential components:
Explore the document to gain valuable insights and a better understanding of how we cover the privacy rights of individuals in California. Click on the button to open it đ
As you can see, the document outlines the categories of personal information of California residents that are collected, used, sold, or shared. It is generally a section dedicated to Californian consumers within the general privacy policy, and includes details on individualsâ rights, such as the right to access and delete their data, and the right to opt out of the sale or sharing of their personal information. The policy also explains how to contact the business with privacy-related inquiries or complaints.
Remember, a proper CCPA policy helps protect consumersâ privacy rights and ensures compliance with the law.
Letâs have a look at a real-world example from Hellenic Technologies, a leading digital agency based in Greece. Their privacy policy demonstrates a commitment to transparency and compliance with data protection regulations. You can view their privacy policy to see how they inform users about their data practices and provide mechanisms for exercising privacy rights. Additionally, they include further information specifically tailored for California consumers to ensure compliance with CCPA privacy policy requirements.
Remember, a proper CCPA policy helps protect consumersâ privacy rights and ensures compliance with the law.
Copy and paste the CCPA Privacy Policy Template HTML directly into your website.
<h1><strong>Privacy Policy of [Your Company Name]</strong></h1>
<p><strong>Effective Date</strong>: [Insert Date]</p>
<h3><strong>Owner and Data Controller</strong></h3>
<p>[Here you should disclose your identity and make available all the necessary information to contact you.]<br /><br /><strong>Owner contact email:</strong> [your email address]<br /><strong>Business address:</strong> [your physical address]<br /><strong>Phone number:</strong> [your phone number]<br /><br />This Privacy Policy describes how [Your Company Name] (“we,” “us,” or “our”) collects, uses, shares, and protects the personal information of California residents in accordance with the California Consumer Privacy Act (CCPA).<br /><br />This document was generated with the use of the <a href="https://www.iubenda.com/en/help/26696">ccpa privacy policy template</a>.</p>
<h3><strong>Categories of personal information collected, used, sold, or shared</strong></h3>
<p>[In this section, you should summarize the categories of personal information that you’ve collected, used, sold, or shared.]<br /><br /><strong>Information we collect:</strong><br />We collect the following categories of personal information about you:</p>
<ul>
<li><strong>Personal identifiers</strong>: Name, email address, phone number, etc.<br /><em>Example:</em> When you sign up for an account, we collect your name and email address for account creation.</li>
<li><strong>Payment information</strong>: Credit card details, billing address.<br /><em>Example:</em> We collect your credit card information when you purchase products from our online store.</li>
<li><strong>Internet activity</strong>: IP address, browser type, and browsing behavior.<br /><em>Example:</em> We track your IP address and page views to improve our website functionality and personalize your experience.</li>
<li><strong>Commercial information</strong>: Transaction history.<br /><em>Example:</em> We collect details about your purchases to process orders and manage returns.</li>
</ul>
<p>We do not collect <strong>sensitive personal information</strong> such as social security numbers, racial or ethnic data, or biometric information.<br /><br /><strong><em>(OR)</em></strong><br /><br />If you collect sensitive data:<br />We collect sensitive personal information such as <strong>government-issued identifiers</strong> (e.g., Social Security Number) when necessary for specific services, like verifying your identity for financial transactions.<br /><br />We will not collect additional categories of personal information without notifying you.</p>
<h3><strong>What are the purposes for which we use your personal information?</strong></h3>
<p>[Here you should describe the purposes of the collection, e.g. why you are collecting and processing personal information. A few examples may be the ones listed below.]<br /><br />[E.g. <br /><br />We use the personal information we collect for the following purposes:</p>
<ul>
<li><strong>To provide and maintain our products and services</strong>: We process your information to ensure you can access and use the products and services we offer.</li>
<li><strong>To process and fulfill your orders and requests</strong>: We use your contact and payment information to complete your transactions.<br /><em>Example:</em> When you make a purchase on our website, we use your billing information to complete the payment process.</li>
<li><strong>To personalize your experience and improve our website</strong>: We analyze user behavior to tailor content and recommendations based on your preferences.<br /><em>Example:</em> We suggest products based on your previous purchases or items you have shown interest in.</li>
<li><strong>To communicate with you, respond to inquiries, and provide support</strong>: We use your email or phone number to respond to customer service inquiries and provide technical support.</li>
<li><strong>To send you promotional materials and updates</strong> if you have consented to such communication.<br /><em>Example:</em> You will receive emails about our new products or promotional offers if you have opted in.</li>
<li><strong>To comply with legal obligations and protect our rights</strong>: We use your information to comply with legal requirements or to protect our business interests.<br /><em>Example:</em> We retain certain transaction data to comply with tax regulations and auditing requirements.</li>
</ul>
<p>We won’t process your information for unexpected purposes or for purposes incompatible with the purposes originally disclosed, without your consent.]</p>
<h3><strong>How long do we keep your personal information?</strong></h3>
<p>[In this section, explain the data retention period, that is how long you will store the personal information you have collected.]<br /><br />[E.g. <br /><br />We will retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy or as required by law. For example:</p>
<ul>
<li><strong>Account information</strong>: We will keep your account data for as long as your account is active or as needed to provide services to you.</li>
<li><strong>Transaction data</strong>: We may retain transaction data for up to 7 years for tax and accounting purposes.</li>
</ul>
<p>After the retention period has expired, we will securely delete or anonymize your personal information, unless retention is required by law.]</p>
<h3><strong>How we collect information: what are the sources of the personal information we collect?</strong></h3>
<p>[Explain how you are going to collect the information. A few examples are: web forms, navigation, third parties, etc.]<br /><br />[E.g.<br />We collect your personal information in the following ways:</p>
<ul>
<li><strong>Directly from you</strong>: When you provide information to us, such as during account creation, purchase, or customer support interactions.<br /><em>Example:</em> When you sign up for our newsletter, you provide your email address.</li>
<li><strong>Through automated technologies</strong>: We collect certain information automatically when you interact with our website, such as IP addresses, cookies, and browser data.<br /><em>Example:</em> We use cookies to track your browsing activity on our website and to remember your preferences.</li>
<li><strong>From third parties</strong>: We may receive information about you from third-party services like social media platforms or marketing partners.<br /><em>Example:</em> If you choose to log in using your Google account, we will collect your name and email address from Google.]</li>
</ul>
<h3><strong>Your rights as a user</strong></h3>
<p>[List what rights the users have in relation to their data. E.g. Under the CCPA, users have:</p>
<ul>
<li><strong>The right to opt out of the sale or sharing of your personal information</strong>: You can opt out of the sale or sharing of your personal data to third parties by sending a request to [email address].</li>
<li><strong>The right to access personal information</strong>: You can request a copy of the personal information we hold about you.</li>
<li><strong>The right to request the deletion of your personal information</strong>: You can request that we delete your personal information, subject to certain exceptions.<br /><em>Example:</em> If you no longer wish to receive marketing communications, you can request that we delete your email from our database.</li>
<li><strong>The right to correct inaccurate personal information</strong>: If your information is inaccurate, you have the right to request correction.<br /><em>Example:</em> You can correct your shipping address if it is entered incorrectly.</li>
<li><strong>The right to non-discrimination</strong>: You will not face discrimination for exercising any of your rights.]</li>
</ul>
<p><em>Please note: additional rights may apply according to the CPRA. You can learn more here.</em></p>
<h3><strong>How to exercise your rights</strong></h3>
<p>[In this section, describe how your users can exercise their rights. In particular, how to submit a verifiable request containing all the necessary information to process it.]<br /><br />[E.g. <br /><br />To exercise your rights under the CCPA, please submit a verifiable request to [email address or method]. Please include the following information to help us process your request:</p>
<ul>
<li>Your full name</li>
<li>The specific request (e.g., to access or delete personal information)</li>
<li>Information verifying your identity (e.g., account number, order details)]</li>
</ul>
<h3><strong>How and when we are expected to handle your request</strong></h3>
<p>[Explain how you will handle users’ requests and how long it will take to process it.]<br /><br />[E.g.<br /><br />Once we receive your request, we will verify your identity and respond within <strong>45 days</strong>. If we need more time, we will notify you of the extension and explain why it is necessary.]<br /><br /><br />This document was generated with the use of the <a href="https://www.iubenda.com/en/help/26696">ccpa privacy policy template</a>.</p>
Copy and paste the CCPA Privacy Policy Template directly into your WordPress editor.
<h1><strong>Privacy Policy of [Your Company Name]</strong></h1>
<p><strong>Effective Date</strong>: [Insert Date]</p>
<h3><strong>Owner and Data Controller</strong></h3>
<p>[Here you should disclose your identity and make available all the necessary information to contact you.]<br /><br /><strong>Owner contact email:</strong> [your email address]<br /><strong>Business address:</strong> [your physical address]<br /><strong>Phone number:</strong> [your phone number]<br /><br />This Privacy Policy describes how [Your Company Name] (“we,” “us,” or “our”) collects, uses, shares, and protects the personal information of California residents in accordance with the California Consumer Privacy Act (CCPA).<br /><br />This document was generated with the use of the <a href="https://www.iubenda.com/en/help/26696">ccpa privacy policy template</a>.</p>
<h3><strong>Categories of personal information collected, used, sold, or shared</strong></h3>
<p>[In this section, you should summarize the categories of personal information that you’ve collected, used, sold, or shared.]<br /><br /><strong>Information we collect:</strong><br />We collect the following categories of personal information about you:</p>
<ul>
<li><strong>Personal identifiers</strong>: Name, email address, phone number, etc.<br /><em>Example:</em> When you sign up for an account, we collect your name and email address for account creation.</li>
<li><strong>Payment information</strong>: Credit card details, billing address.<br /><em>Example:</em> We collect your credit card information when you purchase products from our online store.</li>
<li><strong>Internet activity</strong>: IP address, browser type, and browsing behavior.<br /><em>Example:</em> We track your IP address and page views to improve our website functionality and personalize your experience.</li>
<li><strong>Commercial information</strong>: Transaction history.<br /><em>Example:</em> We collect details about your purchases to process orders and manage returns.</li>
</ul>
<p>We do not collect <strong>sensitive personal information</strong> such as social security numbers, racial or ethnic data, or biometric information.<br /><br /><strong><em>(OR)</em></strong><br /><br />If you collect sensitive data:<br />We collect sensitive personal information such as <strong>government-issued identifiers</strong> (e.g., Social Security Number) when necessary for specific services, like verifying your identity for financial transactions.<br /><br />We will not collect additional categories of personal information without notifying you.</p>
<h3><strong>What are the purposes for which we use your personal information?</strong></h3>
<p>[Here you should describe the purposes of the collection, e.g. why you are collecting and processing personal information. A few examples may be the ones listed below.]<br /><br />[E.g. <br /><br />We use the personal information we collect for the following purposes:</p>
<ul>
<li><strong>To provide and maintain our products and services</strong>: We process your information to ensure you can access and use the products and services we offer.</li>
<li><strong>To process and fulfill your orders and requests</strong>: We use your contact and payment information to complete your transactions.<br /><em>Example:</em> When you make a purchase on our website, we use your billing information to complete the payment process.</li>
<li><strong>To personalize your experience and improve our website</strong>: We analyze user behavior to tailor content and recommendations based on your preferences.<br /><em>Example:</em> We suggest products based on your previous purchases or items you have shown interest in.</li>
<li><strong>To communicate with you, respond to inquiries, and provide support</strong>: We use your email or phone number to respond to customer service inquiries and provide technical support.</li>
<li><strong>To send you promotional materials and updates</strong> if you have consented to such communication.<br /><em>Example:</em> You will receive emails about our new products or promotional offers if you have opted in.</li>
<li><strong>To comply with legal obligations and protect our rights</strong>: We use your information to comply with legal requirements or to protect our business interests.<br /><em>Example:</em> We retain certain transaction data to comply with tax regulations and auditing requirements.</li>
</ul>
<p>We won’t process your information for unexpected purposes or for purposes incompatible with the purposes originally disclosed, without your consent.]</p>
<h3><strong>How long do we keep your personal information?</strong></h3>
<p>[In this section, explain the data retention period, that is how long you will store the personal information you have collected.]<br /><br />[E.g. <br /><br />We will retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy or as required by law. For example:</p>
<ul>
<li><strong>Account information</strong>: We will keep your account data for as long as your account is active or as needed to provide services to you.</li>
<li><strong>Transaction data</strong>: We may retain transaction data for up to 7 years for tax and accounting purposes.</li>
</ul>
<p>After the retention period has expired, we will securely delete or anonymize your personal information, unless retention is required by law.]</p>
<h3><strong>How we collect information: what are the sources of the personal information we collect?</strong></h3>
<p>[Explain how you are going to collect the information. A few examples are: web forms, navigation, third parties, etc.]<br /><br />[E.g.<br />We collect your personal information in the following ways:</p>
<ul>
<li><strong>Directly from you</strong>: When you provide information to us, such as during account creation, purchase, or customer support interactions.<br /><em>Example:</em> When you sign up for our newsletter, you provide your email address.</li>
<li><strong>Through automated technologies</strong>: We collect certain information automatically when you interact with our website, such as IP addresses, cookies, and browser data.<br /><em>Example:</em> We use cookies to track your browsing activity on our website and to remember your preferences.</li>
<li><strong>From third parties</strong>: We may receive information about you from third-party services like social media platforms or marketing partners.<br /><em>Example:</em> If you choose to log in using your Google account, we will collect your name and email address from Google.]</li>
</ul>
<h3><strong>Your rights as a user</strong></h3>
<p>[List what rights the users have in relation to their data. E.g. Under the CCPA, users have:</p>
<ul>
<li><strong>The right to opt out of the sale or sharing of your personal information</strong>: You can opt out of the sale or sharing of your personal data to third parties by sending a request to [email address].</li>
<li><strong>The right to access personal information</strong>: You can request a copy of the personal information we hold about you.</li>
<li><strong>The right to request the deletion of your personal information</strong>: You can request that we delete your personal information, subject to certain exceptions.<br /><em>Example:</em> If you no longer wish to receive marketing communications, you can request that we delete your email from our database.</li>
<li><strong>The right to correct inaccurate personal information</strong>: If your information is inaccurate, you have the right to request correction.<br /><em>Example:</em> You can correct your shipping address if it is entered incorrectly.</li>
<li><strong>The right to non-discrimination</strong>: You will not face discrimination for exercising any of your rights.]</li>
</ul>
<p><em>Please note: additional rights may apply according to the CPRA. You can learn more here.</em></p>
<h3><strong>How to exercise your rights</strong></h3>
<p>[In this section, describe how your users can exercise their rights. In particular, how to submit a verifiable request containing all the necessary information to process it.]<br /><br />[E.g. <br /><br />To exercise your rights under the CCPA, please submit a verifiable request to [email address or method]. Please include the following information to help us process your request:</p>
<ul>
<li>Your full name</li>
<li>The specific request (e.g., to access or delete personal information)</li>
<li>Information verifying your identity (e.g., account number, order details)]</li>
</ul>
<h3><strong>How and when we are expected to handle your request</strong></h3>
<p>[Explain how you will handle users’ requests and how long it will take to process it.]<br /><br />[E.g.<br /><br />Once we receive your request, we will verify your identity and respond within <strong>45 days</strong>. If we need more time, we will notify you of the extension and explain why it is necessary.]<br /><br /><br />This document was generated with the use of the <a href="https://www.iubenda.com/en/help/26696">ccpa privacy policy template</a>.</p>
Clear performance metrics, or Key Performance Indicators (KPIs), are essential for both businesses and individuals seeking to ensure privacy compliance. These KPIs act as benchmarks, enabling evaluation of the effectiveness of privacy policies and data protection practices, crucial for adhering to regulations such as the CCPA (California Consumer Privacy Act). Prioritizing specific KPIs is key for instilling consumer trust and promoting transparency in data handling.
Below, we highlight core KPIs, such as the frequency of privacy policy updates and response times for privacy inquiries and data breaches, crucial for maintaining regulatory compliance.
Metric | Description | Target/Threshold |
---|---|---|
Privacy Policy Updates | Frequency of updates to the privacy policy to ensure compliance. | At least annually or as regulations change. |
User Consent Rate | Percentage of users who consent to the privacy policy and data processing practices. | Target >90% consent rate. |
Data Access Requests Completed | Number of user requests for data access fulfilled within the legal timeframe. | 100% completion within 45 days (CCPA requirement). |
Opt-Out Requests Processed | Number of user requests to opt-out of data selling or sharing processed successfully. | 100% processed within the legal timeframe. |
Privacy Inquiries Response Time | Average time taken to respond to privacy-related inquiries from users. | Less than 24 hours for initial response. |
Data Breach Response Time | Time taken to notify users and authorities in case of a data breach. | Within 72 hours of discovery, as per best practices. |
Third-party Compliance | Monitoring and ensuring that third-party service providers comply with your privacy policy and standards. | 100% of third parties audited annually. |
âAs required under the CCPA, the California Privacy Protection Agency has adjusted, and will do so every other year, monetary thresholds, monetary damages, administrative fines, and civil penalties, in line with increases to the Consumer Price Index (CPI). The current adjustment is effective on January 1, 2025. The monetary threshold within the definition of businesses has been raised to $26,625,000, while administrative fines and civil penalties to $2,663 for each violation or $7,988 for each intentional violation and violations involving the personal information of consumers whom the violator has actual knowledge are under 16 years of ageâ
If the CCPA applies to you and you donât have a valid privacy policy, youâre in breach of the law. The consequences of non-compliance are pretty serious:
While these fines might not seem like a lot when compared to the GDPR, do consider that the CCPA penalties apply per individual violation and per consumer. Here you can find more information.
As you can see, having a badly-written document can cost you way more than generating a legally sound privacy policy. Remember: templates can be a great starting point, but you should always make sure youâre document is valid and up-to-date.
iubenda can help you with that!
Creating a CCPA privacy policy is easy with our Privacy and Cookie Policy Generator: add all the relevant clauses, save, and embed the document on your website or app!
Yes, the CCPA can apply outside California as well. Your business could be based anywhere: as long as your services are accessible in California, you may need to comply with CCPA.
Though there are some similarities, CCPA and GDPR are two different laws. Just to mention a few differences:
Want to learn more? Check our guide đ CCPA vs GDPR: whatâs the difference?
A CCPA policy is a document required to comply with the California Consumer Privacy Act. It outlines (at the very least):
The safest way to write a CCPA policy is to seek the help of a legal expert: they will analyze your business situation and write a document to match your needs.
If you canât afford to hire a legal expert, there are cheaper alternatives that are still safe to use. For example, you can rely on a generator created by legal professionals â like iubenda â, that allows you to customize your document with clauses written by legal professionals.
A best practice is to add your privacy policy in the footer of your website, so that users can access it anytime. Donât forget to also add a link to your CCPA privacy policy in places like subscriptions or contact forms.
You need a CCPA-compliant privacy policy if your business is for-profit, operates in California, and meets any of the following criteria: processes personal information of 50,000 or more California residents, households, or devices annually; has annual gross revenues exceeding $25 million; or earns more than half of its annual revenue from selling California residentsâ personal information. The law applies regardless of where your business is based, as long as you deal with California residentsâ data.
The standard privacy policy in California tells people how a business collects, uses, and shares personal information. It needs to be easy to find on the website and must say what kinds of personal information are collected, how the business keeps that information safe, and how people can review and change their personal information. It also needs to explain how the business will let people know if it changes the privacy policy and if and how it tracks users over time and across different websites.
A CalOPPA-compliant privacy policy must: