Iubenda logo
Start generating


Table of Contents

CCPA (CPRA) Privacy Policy Template

Are you looking for a professional CCPA privacy policy template? Then you’re in the right place!

Figuring out what a CCPA privacy policy should include can be tricky, but we’ve got your back. In this guide, we explain what a CCPA/CPRA privacy policy should include, and provide you with examples and an easy template.

Do you need a CCPA privacy policy?

You need a CCPA privacy policy if the CCPA/CPRA applies to you.

The CCPA applies to any for-profit entity doing business in California that either:

  • processes (buy, sell, receive, share) personally identifiable information of at least 50k Californians per year,
  • has annual gross revenues of at least $ 25 million, or
  • makes over 50% of its yearly revenue from sharing consumers’ personal information with third parties

Please note that CCPA applies outside California as well. Your business could be based anywhere: as long as your services are accessible in California, you may need to comply with CCPA.

👋 Does the CCPA apply to you?

Find out right now with this 1-minute quiz!

What is required in a CCPA privacy policy?

Under the CCPA, businesses must include specific disclosures in their privacy policies.

This information must be complete, up-to-date and easily accessible throughout your website/app.
In order to be compliant, your policy must at the very least contain:

  • the categories of personal information that you’ve collected, sold or shared in the past 12 months;
  • the categories of third parties that you have and/or may share the information with;
  • the categories of sources from which you collect this information;
  • the business / commercial purpose for processing the information;
  • the applicable consumers’ rights and how they can be exercised.

If you already have a privacy policy, make sure you have or add these CCPA privacy policy requirements or take a look at our CCPA privacy policy template below.

Do you also need a toll-free number for CCPA compliance?

Under CCPA and the CPRA, users have the right to access: they can request a business that collects and process their personal information to access the data they have about them.

As a business, you must provide consumers with two or more methods for submitting access requests. These methods can vary from business to business, but must include, at a minimum, a toll-free number and, if the business has a website, the website address.

However, some exceptions apply. Your business can avoid providing a toll-free number if:

  • it “operates exclusively online”; and if
  • it has a “direct relationship with a consumer from whom it collects personal information”.
👉 Learn more about toll-free numbers and CCPA compliance!

How can iubenda help you Comply?

CCPA / CPRA Compliance in no time.

Our solutions are backed by our international team of expert lawyers.

Get Compliant in Minutes

Get a CCPA/CPRA-compliant Privacy Policy, customizable based on 1800+ clauses and available in 10 languages.

Add a Privacy Controls widget to your site allowing California users to opt-out from processing.

Among the few providers compatible with GPP & GPC, making it easier to honor these opt-out requests.

Automatically store user preferences and document CCPA/CPRA opt-outs.

What is an example of CCPA policy?

Are you curious about what a CCPA privacy policy template looks like? We understand your need for a clear example.

That’s why we’ve created a comprehensive CCPA compliance example using our user-friendly generator.

Our Privacy and Cookie Policy Generator allows you to include all the essential components:

  • Categories of Personal Information: The CCPA privacy policy template outlines the specific categories of personal information that the company collects, uses, sells, or shares.
  • Information Collection: The privacy policy template clarifies the sources from which the company collects personal information and describes the methods used for collection.
  • Purpose of Data Usage: It explains the purposes for which the company utilizes the collected personal information.
  • Data Retention: The privacy policy template discloses the duration for which the company retains the personal information it gathers.
  • Third-Party Disclosure: It details the circumstances under which the company may share personal information with third parties for business purposes.
  • Sale or Sharing of Personal Information: The privacy policy addresses the company’s practices concerning the sale or sharing of personal information and provides information on how individuals can opt out of such activities.
  • Privacy Rights: It informs individuals about their rights under the California Consumer Privacy Act (CCPA), including the right to opt out, access their personal information, request deletion or correction of inaccurate information, and limit the use of sensitive personal information.
  • Non-Retaliation: The privacy policy assures individuals that they will not face any negative consequences or discrimination for exercising their privacy rights.
  • Exercising Rights: It outlines the process and means by which individuals can exercise their privacy rights and submit requests.
  • Request Handling: The CCPA privacy policy template specifies how and when the company will handle individuals’ privacy-related requests in a timely and appropriate manner.

Explore the document to gain valuable insights and a better understanding of how we cover the privacy rights of individuals in California. Click on the button to open it 👇

Privacy Policy

As you can see, the document outlines the categories of personal information of California residents that are collected, used, sold, or shared. It is generally a section dedicated to Californian consumers within the general privacy policy, and includes details on individuals’ rights, such as the right to access and delete their data, and the right to opt out of the sale or sharing of their personal information. The policy also explains how to contact the business with privacy-related inquiries or complaints.

Right to opt out - CCPA privacy policy template
Example of the right to opt-out for California-based users in a CCPA privacy policy template

Remember, a proper CCPA policy helps protect consumers’ privacy rights and ensures compliance with the law.

CCPA Privacy Policy Template

Now let’s have a look at a proper CCPA privacy policy template that you can use as a starting point. This is just to give you an idea of how your document should be structured.

You will have to replace the fields highlighted in yellow and add all the necessary information according to your specific business scenario.

Too many things to think about?

Using just a CCPA privacy policy template may be too complicated and a bit risky. We recommend using a professional solution: jump to this section to learn more.

Owner and Data Controller

[Here you should disclose your identity and make available all the necessary information to contact you]

Owner contact email: [your email address]

This Privacy Policy describes how [Your Company Name] (“we,” “us,” or “our”) collects, uses, shares, and protects the personal information of California residents in accordance with the California Consumer Privacy Act (CCPA).

Categories of personal information collected, used, sold, or shared

[In this section, you should summarize the categories of personal information that you’ve collected, used, sold, or shared].

Information we collect: the categories of personal information we collect

  • We have collected the following categories of personal information about you: [explain what information you have collected]
  • We do not collect sensitive personal information. (OR) [if you do collect sensitive personal information, disclose which type of sensitive personal information you are collecting]
  • We will not collect additional categories of personal information without notifying you.

What are the purposes for which we use your personal information?

[Here you should describe the purposes of the collection, e.g. why you are collecting and processing personal information. A few examples may be the ones listed below.]

  • To provide and maintain our products and services.
  • To process and fulfill your orders and requests.
  • To personalize your experience and improve our website.
  • To communicate with you, respond to inquiries, and provide support.
  • To send you promotional materials and updates if you have consented to such communication.
  • To comply with legal obligations and protect our rights.

We won’t process your information for unexpected purposes, or for purposes incompatible with the purposes originally disclosed, without your consent.

How long do we keep your personal information?

[In this section, explain the data retention period, that is how long you will store the personal information you have collected]

How we collect information: what are the sources of the personal information we collect?

[Explain how you are going to collect the information. A few examples are: web forms, navigation, third parties, etc.]

How we use the information we collect

[Here you should explain the purpose of the collection]

Your rights as a user

[List what rights the users have in relation to their data. Under the CCPA users have:]

  • The right to opt out of the sale or sharing of your personal information
  • The right to access personal information
  • The right to request the deletion of your personal information
  • The right to correct inaccurate personal information
  • The right to non-discrimination

*Please note: additional rights may apply according to the CPRA. You can learn more here.

How to exercise your rights

[In this section, describe how your users can exercise their rights. In particular, how to submit a verifiable request containing all the necessary information to process it]

How and when we are expected to handle your request

[Explain how you will handle users’ requests and how long it will take to process it]

⚠️ Note

This is a general and basic template and must be customized to fit your specific circumstances and requirements. As mentioned, because these are legal documents, we highly recommend consulting with legal professionals or using a generator created by legal professionals to ensure compliance with applicable laws and regulations.

What are the penalties for violating the CCPA?

If the CCPA applies to you and you don’t have a valid privacy policy, you’re in breach of the law. The consequences of non-compliance are pretty serious:

  • Consumers are given the right to sue businesses that violate the law. You may have to pay damages of up to $ 750 (or cover actual losses if greater) for each affected consumer.
  • If you unintentionally violate the CCPA, you can be fined up to $ 2,500 for each violation.
  • If you intentionally violate the CCPA, you can be fined up to $ 7,500 for each violation.

While these fines might not seem like a lot when compared to the GDPR, do consider that the CCPA penalties apply per individual violation and per consumer. Here you can find more information.

How to generate a valid CCPA privacy policy

As you can see, having a badly-written document can cost you way more than generating a legally sound privacy policy. Remember: templates can be a great starting point, but you should always make sure you’re document is valid and up-to-date.

iubenda can help you with that!

Creating a CCPA privacy policy is easy with our Privacy and Cookie Policy Generator: add all the relevant clauses, save, and embed the document on your website or app!

Create your CCPA Privacy Policy

Start generating

CCPA privacy policy: FAQs

Does CCPA apply outside of California?

Yes, the CCPA can apply outside California as well. Your business could be based anywhere: as long as your services are accessible in California, you may need to comply with CCPA.

Is CCPA California privacy the same as GDPR?

Though there are some similarities, CCPA and GDPR are two different laws. Just to mention a few differences:

  • The GDPR has a broader scope than the CCPA, regarding both businesses and data subjects.
  • The GDPR always requires prior consent (opt-in) – unless another legal basis legitimately applies – while the CCPA only requires opt-in in the case of minors and in cases of previous opt-out.
  • The consequences of non-compliance for the GDPR are generally harsher than the CCPA.

Want to learn more? Check our guide 👉 CCPA vs GDPR: what’s the difference?

What is CCPA policy?

A CCPA policy is a document required to comply with the California Consumer Privacy Act. It outlines (at the very least):

  • The categories of personal information of California residents that are collected, used, sold, or shared.
  • What are the rights of users under the CCPA.
  • How users can contact a business to exercise their rights.

How do I write a CCPA policy?

The safest way to write a CCPA policy is to seek the help of a legal expert: they will analyze your business situation and write a document to match your needs.

If you can’t afford to hire a legal expert, there are cheaper alternatives that are still safe to use. For example, you can rely on a generator created by legal professionals – like iubenda –, that allows you to customize your document with clauses written by legal professionals.

Where do I display my CCPA privacy policy?

A best practice is to add your privacy policy in the footer of your website, so that users can access it anytime. Don’t forget to also add a link to your CCPA privacy policy in places like subscriptions or contact forms.

About us


Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.


Read also