
CCPA Privacy Policy Requirements and Template

Summary

If your business has customers in California and meets at least one of the California Consumer Privacy Act (CCPA) applicability thresholds, you need a privacy policy that is transparent, accessible, up to date, and that meets the law’s disclosure requirements.

A generic privacy policy won’t cut it. You need a document that’s customized for your business and data handling operations, and that outlines consumers’ legal rights and how they can exercise them.

This article outlines what you need to include to create a CCPA-compliant privacy policy and provides a template you can customize for your website.

  • A CCPA/CPRA privacy policy is a legally required public disclosure that must accurately reflect your business’s data practices.
  • The CPRA significantly expanded on the original CCPA, adding new obligations around sensitive personal information, retention disclosures, and more. 
  • In addition to a privacy policy, you also need a functioning consent management infrastructure and documented proof that consumer requests are being honored.
  • Enforcement is accelerating: the California Attorney General and the California Privacy Protection Agency are actively investigating businesses across industries. 
  • Keeping your privacy policy current, accessible, and aligned with your actual data practices is foundational to CCPA/CPRA compliance.

What Does a CCPA Privacy Policy Do?

A CCPA privacy policy is a public-facing document that discloses how your business collects, uses, shares, and sells personal information (PI), as well as what rights California residents have over their data and how they can exercise them.

It serves as an official record of data practices that any consumer, regulator, or third party can reference to understand how you handle PI and how individuals can exercise their legal rights under the CCPA and the California Privacy Rights Act (CPRA), which substantially amended and expanded it.

Three notices are easy to confuse with one another, but they serve different functions under the CCPA/CPRA.

1. Privacy policy: A privacy policy provides the legally required disclosures about your data practices. It is a comprehensive document covering all categories of personal information collected, how it is used, and what rights consumers have, and it is maintained on an ongoing basis.

2. Notice at collection: California privacy law requires businesses to give consumers notice at or before the point of any personal information collection. This applies to all collection methods, whether passive, such as cookies and tracking technologies, or active, such as filling out a contact form, creating an account, or completing a purchase.

3. Opt-out mechanism: The CCPA/CPRA requires businesses that sell or share personal information to give consumers a clear way to opt out, most commonly a “Do Not Sell or Share My Personal Information” link. A CCPA cookie banner from a consent management platform is often used to surface this mechanism, but the legal requirement is the opt-out itself, not the banner. The CCPA regulations also require businesses to honor opt-out preference signals sent by the consumer’s browser, such as Global Privacy Control, so the mechanism must work even when the consumer never interacts with a banner.

The CCPA operates on an opt-out model, as do the other U.S. state privacy laws enacted to date. This means that in most cases businesses can collect and use personal information without obtaining prior consent, provided they give consumers clear notice and a meaningful way to opt out. The main exceptions are sensitive personal information and children’s personal information, which are subject to opt-in consent requirements or limits on use, depending on the law.

That distinction makes transparent, accessible disclosure critical to compliance. If consumers are not properly informed of what data you collect and how you use it, they cannot make an informed decision about exercising their rights, and your business is exposed to compliance risk.

Compliance tip: A privacy policy that’s hard to find, difficult to understand, outdated, or doesn’t align with your actual data practices doesn’t satisfy the standard of transparent and accessible disclosure.

CCPA vs. CPRA Privacy Policy Requirements

The California Privacy Rights Act (CPRA) amended and substantially expanded the CCPA; the amended law is still generally referred to as the CCPA. For most businesses, the CPRA’s practical impact shows up in two places: what your privacy policy must say, and what your internal systems and processes need to support.

Here’s what the CPRA changed, and what that means for your policy and your business. 

Sensitive Personal Information (SPI)

The CPRA introduced this category of data, which carries stricter handling requirements. Sensitive personal information can include precise geolocation, racial or ethnic origin, health information, and financial account details combined with access credentials. 

Your privacy policy must explicitly identify what SPI you collect and the purposes for which you use it. If you use or disclose SPI beyond certain permitted purposes, consumers have the right to limit that use, and you must provide a mechanism to exercise it, typically a “Limit the Use of My Sensitive Personal Information” link.

Retention Periods

The CPRA requires businesses to disclose how long they retain each category of personal information and the criteria used to determine retention periods. You need to have a documented data retention schedule that your teams actually follow, with clear processes for data deletion or anonymization, and the ability to enforce deletion once those periods expire. 

Expanded Consumer Rights

The CPRA gives consumers the right to correct inaccurate personal information and strengthens their right to opt out by explicitly including the sharing of data, not just its sale. Your privacy policy must describe both of these rights clearly, and your business must have functioning workflows to process requests within prescribed timeframes.

Contractor and Third-Party Disclosures

The CPRA draws clear distinctions among service providers, contractors, and third parties, with different obligations attached to each relationship. Your policy should reflect these distinctions accurately and describe what data flows to each type of recipient and under what terms.

What to Include in a CCPA/CPRA Privacy Policy

The CCPA/CPRA outlines specific disclosure requirements for privacy policies. Your policy must cover the following:

What personal information you collect and where it comes from: Identify the categories of PI your business processes and how you collect it.

Why you collect and use PI: Explain the business or commercial purposes for collecting and using each category of PI.

Consumer rights and how to submit requests: Clearly describe all rights available to California residents under the CCPA/CPRA and provide at least two methods for submitting requests. One of those methods must be a toll-free phone number unless your business operates exclusively online and has a direct relationship with the consumer, in which case an email address is sufficient; the other is commonly a web form.

How consumers can opt out of the sale or sharing of their PI: If your business sells or shares personal information, your policy must explain this practice and provide a clear, functional mechanism for consumers to opt out.

Authorized agents: Explain that California residents may designate an authorized agent to submit privacy requests on their behalf. Describe how your business verifies and processes those requests.

What you disclose, sell, or share with third parties: Identify the categories of PI you disclose to service providers, contractors, or other third parties, and for what purposes. The CPRA draws important distinctions between these recipient types, and your policy should reflect them accurately.

Sensitive PI disclosures: If you collect sensitive personal information, your policy must identify these categories, state the purposes for which they are used, and disclose whether consumers have the right to limit that use.

“Limit the Use of My Sensitive Personal Information” controls: Where the right to limit applies, your policy must explain how consumers can exercise it and link to the relevant opt-out mechanism.

Automated decision-making and AI: If your business uses automated decision-making technology, including AI tools, to process personal information, disclose this in your policy, describe the purposes for which the technology is used, and explain the choices available to consumers, such as opting out of the technology or appealing a decision to a human reviewer, where the California Privacy Protection Agency’s regulations require them.

Retention disclosures: State how long you retain each category of PI and describe the criteria your business uses to determine retention periods.

Contact information: Provide clear contact details consumers can use to reach your privacy team with questions or concerns.

Last updated date: Your policy must display the date it was most recently updated. If your data practices change materially, revise the policy and update the date accordingly.

The CCPA/CPRA requires that your privacy policy be accessible, written in plain language that consumers can reasonably understand, and easy to find on your website. Link to it prominently in your website footer, at every point of data collection, and within any marketing communications that involve personal information.

Customizable CCPA Privacy Policy Template

Below you’ll find a customizable template you can reference when creating your website’s CCPA privacy policy. 

You will need to tailor this document to your organization’s specific data processing practices, so be sure to have a qualified legal or data privacy professional review your version before publishing.

Last updated: [Insert Date]

This policy is reviewed and updated periodically to reflect changes in our data practices, legal obligations, or regulatory requirements. We encourage you to check this page regularly. Material changes will be communicated through the notification methods described in the Policy Updates and Changes section.

Introduction and Organizational Information

We, at [Business Name], are dedicated to serving our customers and contacts to the best of our abilities. Part of our commitment involves the responsible management of personal information collected through our website [insert business website URL], and any related interactions. Our primary goals in processing this information include:

  • Enhancing the user experience on our platform by understanding customer needs and preferences.
  • Providing timely support and responding to inquiries or service requests.
  • Improving our products and services to meet the evolving demands of our users.
  • Conducting necessary business operations, such as billing and account management.

It is our policy to process personal information with the utmost respect for privacy and security. We adhere to all relevant regulations and guidelines to protect the data we handle against unauthorized access, disclosure, alteration, and destruction. Our practices are designed to safeguard the confidentiality and integrity of your personal information, while enabling us to deliver the services you trust us with.

Your privacy is our priority. We are committed to processing your personal information transparently and with your safety in mind. This commitment extends to our collaboration with third-party services that may process personal information on our behalf, such as in the case of sending invoices. Rest assured, all activities are conducted in strict compliance with applicable privacy laws.

Scope and Application

Our privacy policy is designed to protect the personal information of all our stakeholders, including website visitors, registered users, and customers. Whether you are just browsing our website [insert business website URL], using our services as a registered user, or engaging with us as a valued customer, we process your personal data with the highest standards of privacy and security. This policy outlines our practices and your rights related to personal information.

Data Collection and Processing

The following list details the types of personal information we may process:

  • [list the personal information you collect]

Please note that we only process information that is reasonably necessary and proportionate to deliver our services, comply with legal obligations, or improve your experience. Your privacy is paramount, and we are dedicated to handling your personal information responsibly and in accordance with all applicable laws.

At [Business Name], we believe in using personal information responsibly and ethically. The data we collect serves multiple purposes, all aimed at enhancing the services we offer and meeting the highest level of satisfaction among our users, customers, and employees. Here are the key ways in which we use the personal information collected:

  • [list ways in which you use personal information]

Your privacy is our priority. We process your personal information transparently and in accordance with your preferences and applicable privacy laws. We are committed to using your data solely for the purposes for which it was collected and in ways that you have authorized.

Data Storage and Protection

Data Storage

  • Personal information is stored in secure servers located in the following locations: [location(s)].
  • For services that require international data transfer, we ensure that such transfers comply with all applicable laws and maintain data protection standards equivalent to those in our primary location.
  • Data hosting partners: We partner with reputable data hosting providers committed to using state-of-the-art security measures. These partners are selected based on their adherence to stringent data protection standards.

Data Protection Measures

  • Encryption: We employ robust encryption to protect data in transit and at rest.
  • Access control: Access to personal information is strictly limited to authorized personnel who have a legitimate business need to access the data. We enforce strict access controls and regularly review permissions.
  • Security audits and monitoring: Regular security audits are conducted to identify and remediate potential vulnerabilities. We also monitor our systems for unusual activities to prevent unauthorized access.

Data Sharing and Disclosure

At [Business Name], we are committed to safeguarding your personal information and treating it with the utmost respect. This commitment extends to how we handle the sharing and disclosure of your data. Below we outline our practices in this area:

Categories of Third-Party Recipients

We may disclose personal information to the following categories of recipients, depending on the nature of our relationship with them:

  • Service Providers: Third parties that process personal information on our behalf to perform business functions, such as payment processing, email delivery, customer support, and data analytics. Service providers are contractually prohibited from using your personal information for any purpose other than providing services to us.
  • Contractors: Third parties that work directly with us under contract and are subject to the same use limitations as service providers under the CPRA.
  • Third Parties: Organizations to which we may sell, share, or disclose personal information for their own business purposes, including advertising partners. If we sell or share your personal information with third parties, you have the right to opt out as described in the Do Not Sell or Share section of this policy.

The categories of personal information we disclose to each type of recipient vary depending on the services they provide. We do not disclose sensitive personal information to third parties for purposes beyond those you have authorized or those permitted by law.

Retention of Personal Information

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, to comply with our legal obligations, resolve disputes, and enforce our agreements. The criteria we use to determine retention periods include:

  • The length of time required to provide you with our services
  • Whether you have an active account or ongoing relationship with us
  • Legal, regulatory, or contractual obligations that require us to retain certain records
  • Whether retention is necessary to protect against or respond to legal claims

When personal information is no longer required for these purposes, we securely delete or anonymize it. You may also request deletion of your personal information at any time, subject to certain legal exceptions, by submitting a request using the contact methods described in the User Rights section of this policy.

Transparency and Control

We believe in transparency and providing you with control over your personal information. You will always be informed about any significant changes to our sharing practices, and where applicable, you will have the option to consent to such changes.

Your trust is important to us, and we strive to ensure that your personal information is disclosed only in accordance with this policy and when there is a justified reason to do so. For any queries or concerns about how we share and disclose personal information, please reach out to us at [insert business email] or [insert business phone number].

User Rights and Choices

At [Business Name], we recognize and respect your rights regarding your personal information under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and other applicable data protection laws. We are committed to ensuring you can exercise those rights effectively. Below is an overview of your rights and how to exercise them.

If we deny a request in whole or in part, you may appeal our decision by contacting us within 60 days of receiving our response, through the link on our website or by one of the following methods:

[insert business email]

[insert business phone number]

In your appeal, please include your original request, the date of our response, and a brief explanation of why you believe our decision was incorrect.

For California residents, the following provisions apply:

A. Individual Rights

The CCPA provides California residents with the following specific rights regarding their personal information.

B. Right to Know

You may request that we disclose to you what personal information we have collected, used, shared, or sold about you, and why we collected, used, shared, or sold that information. Specifically, you may request the disclosure of:

  • The categories of personal information collected
  • Specific pieces of personal information collected
  • The categories of sources from which we collected personal information
  • The purposes for which personal information is used
  • The categories of third parties with whom personal information is shared
  • The categories of information that are sold or disclosed to third parties

C. Right to Delete

You may request that we delete personal information we have collected about you.

D. Right to Correct

You may ask us to correct inaccurate information that we have about you.

E. Right to Limit

You can request that we only use your sensitive personal information (for example, your social security number, your genetic data, etc.) for limited purposes, such as providing you with the services you requested.

F. Right to Opt-Out

If your personal information is sold or shared with third parties for cross-context behavioral advertising or other commercial purposes, you have the right to opt out at any time. To exercise this right, click the “Do Not Sell or Share My Personal Information” link located in the footer of our website, or submit your request by contacting us at [insert business email].

Once you submit an opt-out request, we will cease selling or sharing your personal information within 15 business days. We will not ask you to opt back in for at least 12 months following your request.

G. Right to Non-Discrimination

You have the right to be protected from discrimination for exercising your rights.

H. Sensitive Data and/or Biometric Data

If we collect sensitive personal information, you have the right to request that we limit its use to only what is necessary to provide the services you have requested. To exercise this right, click the “Limit the Use of My Sensitive Personal Information” link located in the footer of our website, or submit your request by contacting us at [insert business email].

We will honor your request within 15 business days of receipt.

Children’s Personal Information

For children between the ages of 13 and 15, the CCPA/CPRA requires that we obtain opt-in consent before selling or sharing their personal information. We do not sell or share the personal information of consumers we know to be under the age of 16 without first obtaining the required consent: from the consumer directly if they are between 13 and 15, or from a parent or guardian if they are under 13.

If you are a parent or guardian and believe your child has provided us with personal information without your consent, you have the right to request that we delete it. Requests may be submitted using the contact methods described in the Exercising Your Rights section of this policy. We will honor verified deletion requests involving minors’ data as a matter of priority.

Exercising Your Rights

To exercise any of these rights, please contact us at [insert business email] or [insert business phone number]. We will respond to your request in accordance with applicable data protection laws and within the timeframes stipulated by the CCPA (generally 45 days, which may be extended once by a further 45 days where reasonably necessary, in which case we will notify you of the extension). Please note that in some cases we may need to verify your identity as part of the process to ensure the security of your personal information.

We are committed to facilitating the exercise of your rights and to ensuring you have full control over your personal information. If you have any questions or concerns about how your personal information is handled, please do not hesitate to contact us.

Authorized Agents

California residents may designate an authorized agent to submit a privacy request on their behalf. To do so, the authorized agent must provide written proof of their authorization to act on your behalf, and you must either verify your own identity directly with us or provide the authorized agent with a signed permission granting them authority to submit the request.

We may deny a request from an authorized agent who does not provide sufficient proof of authorization. To submit a request through an authorized agent, please contact us at [insert business email] or [insert business phone number].

Cookies and Tracking Technologies

At [Business Name], we value your privacy and are committed to being transparent about our use of cookies and other tracking technologies on our website [insert business website]. These technologies play a crucial role in ensuring the smooth operation of our digital platforms, enhancing your user experience, and providing insights that help us improve.

Understanding Cookies and Tracking Technologies

Cookies are small data files placed on your device that enable us to remember your preferences and collect information about your website usage. Tracking technologies, such as web beacons and pixel tags, help us understand how you interact with our site and which pages you visit.

How We Use These Technologies

  • Essential cookies: Necessary for the website’s functionality, such as authentication and security. They are not used to sell or share personal information and remain active regardless of your other choices.
  • Performance and analytics cookies: These collect information about how visitors use our website, which pages are visited most frequently, and if error messages are received from web pages. These cookies help us improve our website.
  • Functional cookies: Enable the website to provide enhanced functionality and personalization, like remembering your preferences.
  • Advertising and targeting cookies: Used to deliver advertisements that are relevant to you and your interests. They are also used to limit the number of times you see an advertisement and help measure the effectiveness of the advertising campaign.

Your Choices and Consent

Upon your first visit, our website will present you with a cookie consent banner, where you can:

  • Accept all cookies: Consent to the use of all cookies and tracking technologies.
  • Reject non-essential cookies: Only essential cookies will be used to provide you with necessary website functions.
  • Customize your preferences: Choose which categories of cookies you wish to allow.

Automated Decision-Making and AI

We may use automated decision-making technologies, including artificial intelligence (AI) and machine learning (ML) systems, to process personal information for purposes such as personalizing your experience, detecting fraudulent activity, assessing user behavior, and improving our products and services.

Where these systems produce decisions that have a significant effect on you, such as determining eligibility for offers, flagging accounts for review, or customizing the content you see, you have the right to know that automated processing is taking place and to request a human review of any decision that affects you.

We do not use automated decision-making in ways that produce legal or similarly significant effects without maintaining appropriate human oversight. If you wish to opt out of having your personal information used for automated decision-making or profiling purposes beyond what is necessary to deliver our core services, you may submit a request using the contact methods described in the Exercising Your Rights section of this policy.

Where AI tools are used by third-party service providers to process personal information on our behalf, those providers are contractually required to handle that data in accordance with this policy and applicable privacy law, including the CCPA/CPRA.

Direct Marketing and Communications

At [Business Name], we may use your personal information to send you direct marketing communications about our products, services, promotions, and other relevant information that we believe may be of interest to you. We are committed to engaging in marketing practices that are transparent, lawful, and in compliance with applicable data protection laws, including the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

Obtaining Consent for Direct Marketing

  • Opt-in consent: We will obtain your explicit opt-in consent before sending you direct marketing communications, where required by law. This means that you will have the opportunity to actively consent to receiving marketing messages from us before we send them to you.
  • Unsubscribe option: Every direct marketing communication we send will include clear instructions on how to unsubscribe or opt-out from receiving future marketing communications. You can exercise your right to opt-out at any time, and we will promptly honor your request to stop sending you marketing messages.

Types of Direct Marketing Communications

We may use your personal information to send you direct marketing communications via various channels, including:

  • Email
  • [list any additional channels you use, such as SMS or push notifications]

Managing Your Preferences

You have control over the direct marketing communications you receive from us. You can manage your communication preferences by using the unsubscribe link provided in our marketing emails or text messages.

Data Breach Notification

If a data breach involving your personal information occurs, we will notify affected individuals and, where required, the relevant regulatory authorities in the most expedient time possible and without unreasonable delay, in accordance with applicable California law. Notification will include:

  • A description of the nature of the breach
  • The categories and approximate volume of personal information involved
  • The steps we have taken or are taking to address the breach
  • Recommended steps you can take to protect yourself

Detection and Assessment

  • Internal monitoring: We employ security measures and monitoring systems to detect and respond to potential data breaches promptly.
  • Assessment of breach impact: Upon discovery of a data breach, we will conduct a thorough assessment to determine the nature and scope of the breach, including the types of personal information involved and the potential impact on affected individuals.

Notification Obligations

  • Regulatory authorities: If required by law, we will notify the relevant authorities (for example, the California Attorney General where a breach affects more than 500 California residents), following the procedures specified by applicable regulations.
  • Affected individuals: If a data breach involves your personal information, we will notify you in the most expedient time possible and without unreasonable delay, providing clear and concise information about the breach, the types of personal information affected, and the steps you can take to protect yourself.

Communication Channels

  • Email notification: We will notify affected individuals via email, using the contact information provided to us, where feasible and appropriate.
  • Website notification: Where appropriate, we will also post a prominent notice on our website or use other communication channels accessible to affected individuals.

Support and Assistance

In the event of a data breach, we are committed to providing affected individuals with the support and assistance they need, including guidance on steps they can take to mitigate the potential risks associated with the breach.

Point of contact: If you have any questions or concerns about a data breach or believe you may have been affected, please contact us immediately at [insert business email] or [insert business phone number].

Policy Updates and Changes

At [Business Name], we are committed to keeping you informed about how we handle your personal information and any changes to our privacy practices. We may update this privacy policy from time to time to reflect changes in legal requirements, industry standards, or our business operations. We want to assure you that any updates will be communicated transparently and in accordance with applicable data protection laws.

Notification of Changes

  • Notification process: In the event of significant changes to our privacy policy that may affect your rights or the way we handle your personal information, we will provide notice through prominent means, such as email, website notifications, or other appropriate channels. We will also indicate the effective date of the updated policy at the top of the document.
  • Reviewing changes: We encourage you to review our privacy policy periodically to stay informed about how we collect, use, and protect your personal information. Your continued use of our services after any changes to the policy signifies your acceptance of the updated terms.

Contact Us

If you have any questions or concerns about our privacy policy or any updates to it, please don’t hesitate to contact us at [insert business email] or [insert business phone number]. We are here to address any inquiries you may have and to ensure that you have the information you need to feel confident about how your personal information is handled.

Last updated: [Insert Date]
This policy is reviewed and updated periodically to reflect changes in our data practices, legal obligations, or regulatory requirements. We encourage you to check this page regularly. Material changes will be communicated through the notification methods described in the Policy Updates and Changes section.
Introduction and Organizational Information
We, at [Business Name], are dedicated to serving our customers and contacts to the best of our abilities. Part of our commitment involves the responsible management of personal information collected through our website [insert business website URL], and any related interactions. Our primary goals in processing this information include:
  • Enhancing the user experience on our platform by understanding customer needs and preferences.
  • Providing timely support and responding to inquiries or service requests.
  • Improving our products and services to meet the evolving demands of our users.
  • Conducting necessary business operations, such as billing and account management.
It is our policy to process personal information with the utmost respect for privacy and security. We adhere to all relevant regulations and guidelines to protect the data we handle against unauthorized access, disclosure, alteration, and destruction. Our practices are designed to safeguard the confidentiality and integrity of your personal information, while enabling us to deliver the services you trust us with.
Your privacy is our priority. We are committed to processing your personal information transparently and with your safety in mind. This commitment extends to our collaboration with third-party services that may process personal information on our behalf, such as in the case of sending invoices. Rest assured, all activities are conducted in strict compliance with applicable privacy laws.
Scope and Application
Our privacy policy is designed to protect the personal information of all our stakeholders, including website visitors, registered users, and customers. Whether you are just browsing our website [insert business website URL], using our services as a registered user, or engaging with us as a valued customer, we process your personal data with the highest standards of privacy and security. This policy outlines our practices and your rights related to personal information.
Data Collection and Processing
The following list details the types of personal information we may process:
[list the personal information you collect]
Please note that we only process information that is essential for delivering our services, complying with legal obligations, or enhancing your user experience. Your privacy is paramount, and we are dedicated to handling your personal information responsibly and in accordance with all applicable laws.
At [Business Name], we believe in using personal information responsibly and ethically. The data we collect serves multiple purposes, all aimed at enhancing the services we offer and meeting the highest level of satisfaction among our users, customers, and employees. Here are the key ways in which we use the personal information collected:
[list ways in which you use personal information]
Your privacy is our priority. We process your personal information transparently and in accordance with your preferences and applicable privacy laws. We are committed to using your data solely for the purposes for which it was collected and in ways that you have authorized.
Data Storage and Protection
Data Storage
  • Storage locations: Personal information is stored on secure servers located in the following locations: [location(s)]. For services that require international data transfer, we ensure that such transfers comply with all applicable laws and maintain data protection standards equivalent to those in our primary location.
  • Data hosting partners: We partner with reputable data hosting providers committed to using state-of-the-art security measures. These partners are selected based on their adherence to stringent data protection standards.
Data Protection Measures
  • Encryption: We employ robust encryption technologies to protect data during transfer and at rest.
  • Access control: Access to personal information is strictly limited to authorized personnel who have a legitimate business need to access the data. We enforce strict access controls and regularly review permissions.
  • Security audits and monitoring: Regular security audits are conducted to identify and remediate potential vulnerabilities. We also monitor our systems for unusual activities to prevent unauthorized access.
Data Sharing and Disclosure
At [Business Name], we are committed to safeguarding your personal information and treating it with the utmost respect. This commitment extends to how we handle the sharing and disclosure of your data. Below we outline our practices in this area:
Categories of Third-Party Recipients
We may disclose personal information to the following categories of recipients, depending on the nature of our relationship with them:
  • Service Providers: Third parties that process personal information on our behalf to perform business functions, such as payment processing, email delivery, customer support, and data analytics. Service providers are contractually prohibited from using your personal information for any purpose other than providing services to us.
  • Contractors: Third parties that work directly with us under contract and are subject to the same use limitations as service providers under the CPRA.
  • Third Parties: Organizations to which we may sell, share, or disclose personal information for their own business purposes, including advertising partners. If we sell or share your personal information with third parties, you have the right to opt out as described in the Do Not Sell or Share section of this policy.
The categories of personal information we disclose to each type of recipient vary depending on the services they provide. We do not disclose sensitive personal information to third parties for purposes beyond those you have authorized or those permitted by law.
Retention of Personal Information
We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, to comply with our legal obligations, resolve disputes, and enforce our agreements. The criteria we use to determine retention periods include:
  • The length of time required to provide you with our services
  • Whether you have an active account or ongoing relationship with us
  • Legal, regulatory, or contractual obligations that require us to retain certain records
  • Whether retention is necessary to protect against or respond to legal claims
When personal information is no longer required for these purposes, we securely delete or anonymize it. You may also request deletion of your personal information at any time, subject to certain legal exceptions, by submitting a request using the contact methods described in the User Rights section of this policy.
Transparency and Control
We believe in transparency and providing you with control over your personal information. You will always be informed about any significant changes to our sharing practices, and where applicable, you will have the option to consent to such changes.
Your trust is important to us, and we strive to ensure that your personal information is disclosed only in accordance with this policy and when there is a justified reason to do so. For any queries or concerns about how we share and disclose personal information, please reach out to us at [insert business email] or [insert business phone number].
User Rights and Choices
At [Business Name], we recognize and respect your rights regarding your personal information in accordance with the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA) and other applicable data protection laws. We are committed to ensuring you can exercise your rights effectively. Below is an overview of your rights and how you can exercise them.
To appeal a decision we may make regarding your request, please contact us within 60 days of receiving our response by submitting your request through the link on our website or by using one of the following methods:
[insert business email] [insert business phone number]
In your appeal request, please include your original request, the date of our response, and a brief explanation of why you believe our decision was incorrect.
For California residents, the following provisions apply:
A. Individual Rights
The California Consumer Privacy Act provides residents of California specific rights regarding their personal information, in addition to what has been described above.
B. Right to Know
You may request that we disclose to you what personal information we have collected, used, shared, or sold about you, and why we collected, used, shared, or sold that information. Specifically, you may request the disclosure of:
  • The categories of personal information collected
  • Specific pieces of personal information collected
  • The categories of sources from which we collected personal information
  • The purposes for which personal information is used
  • The categories of third parties with whom personal information is shared
  • The categories of information that are sold or disclosed to third parties
C. Right to Delete
You may request that we delete personal information we have collected about you.
D. Right to Correct
You may ask us to correct inaccurate information that we have about you.
E. Right to Limit
You can request that we only use your sensitive personal information (for example, your Social Security number, your genetic data, etc.) for limited purposes, such as providing you with the services you requested.
F. Right to Opt-Out
If your personal information is sold or shared with third parties for cross-context behavioral advertising or other commercial purposes, you have the right to opt out at any time. To exercise this right, click the “Do Not Sell or Share My Personal Information” link located in the footer of our website, or submit your request by contacting us at [insert business email]. We also treat an opt-out preference signal sent by your browser or device, such as Global Privacy Control, as a valid request to opt out for that browser or device [describe whether the signal is also applied to your account when you are logged in].
Once you submit an opt-out request, we will cease selling or sharing your personal information within 15 business days. We will not ask you to opt back in for at least 12 months following your request.
G. Right to Non-Discrimination
You have the right to be protected from discrimination for exercising your rights.
H. Sensitive Data and/or Biometric Data
If we collect sensitive personal information, you have the right to request that we limit its use to only what is necessary to provide the services you have requested. To exercise this right, click the “Limit the Use of My Sensitive Personal Information” link located in the footer of our website, or submit your request by contacting us at [insert business email].
We will honor your request within 15 business days of receipt.
Children’s Personal Information
For children between the ages of 13 and 15, the CCPA/CPRA require that we obtain opt-in consent before selling or sharing their personal information. We do not sell or share the personal information of consumers we know to be under the age of 16 without first obtaining the required consent: from the consumer directly if they are between 13 and 15, or from a parent or guardian if they are under 13.
If you are a parent or guardian and believe your child has provided us with personal information without your consent, you have the right to request that we delete it. Requests may be submitted using the contact methods described in the Exercising Your Rights section of this policy. We will honor verified deletion requests involving minors’ data as a matter of priority.
Exercising Your Rights
To exercise any of these rights, please contact us at [insert business email] or [insert business phone number]. We will respond to your request in accordance with applicable data protection laws and within the timeframes stipulated by the CCPA. Please note that in some cases, we may need to verify your identity as part of the process to ensure the security of your personal information.
We are committed to facilitating the exercise of your rights and to ensuring you have full control over your personal information. If you have any questions or concerns about how your personal information is handled, please do not hesitate to contact us.
Authorized Agents
California residents may designate an authorized agent to submit a privacy request on their behalf. To do so, the authorized agent must provide written proof of their authorization to act on your behalf, and you must either verify your own identity directly with us or provide the authorized agent with a signed permission granting them authority to submit the request.
We may deny a request from an authorized agent who does not provide sufficient proof of authorization. To submit a request through an authorized agent, please contact us at [insert business email] or [insert business phone number].
Cookies and Tracking Technologies
At [Business Name], we value your privacy and are committed to being transparent about our use of cookies and other tracking technologies on our website [insert business website]. These technologies play a crucial role in ensuring the smooth operation of our digital platforms, enhancing your user experience, and providing insights that help us improve.
Understanding Cookies and Tracking Technologies
Cookies are small data files placed on your device that enable us to remember your preferences and collect information about your website usage. Tracking technologies, such as web beacons and pixel tags, help us understand how you interact with our site and which pages you visit.
How We Use These Technologies
  • Essential cookies: Necessary for the website’s functionality, such as authentication and security. They do not require consent under the CCPA/CPRA.
  • Performance and analytics cookies: These collect information about how visitors use our website, which pages are visited most frequently, and if error messages are received from web pages. These cookies help us improve our website.
  • Functional cookies: Enable the website to provide enhanced functionality and personalization, like remembering your preferences.
  • Advertising and targeting cookies: Used to deliver advertisements that are relevant to you and your interests. They are also used to limit the number of times you see an advertisement and help measure the effectiveness of the advertising campaign.
Your Choices and Consent
Upon your first visit, our website will present you with a cookie consent banner, where you can:
  • Accept all cookies: Consent to the use of all cookies and tracking technologies.
  • Reject non-essential cookies: Only essential cookies will be used to provide you with necessary website functions.
  • Customize your preferences: Choose which categories of cookies you wish to allow.
Automated Decision-Making and AI
We may use automated decision-making technologies, including artificial intelligence (AI) and machine learning (ML) systems, to process personal information for purposes such as personalizing your experience, detecting fraudulent activity, assessing user behavior, and improving our products and services. 
Where these systems produce decisions that have a significant effect on you, such as determining eligibility for offers, flagging accounts for review, or customizing the content you see, you have the right to know that automated processing is taking place and to request a human review of any decision that affects you.
We do not use automated decision-making in ways that produce legal or similarly significant effects without maintaining appropriate human oversight. If you wish to opt out of having your personal information used for automated decision-making or profiling purposes beyond what is necessary to deliver our core services, you may submit a request using the contact methods described in the Exercising Your Rights section of this policy.
Where AI tools are used by third-party service providers to process personal information on our behalf, those providers are contractually required to handle that data in accordance with this policy and applicable privacy law, including the CCPA/CPRA.
Direct Marketing and Communications
At [Business Name], we may use your personal information to send you direct marketing communications about our products, services, promotions, and other relevant information that we believe may be of interest to you. We are committed to engaging in marketing practices that are transparent, lawful, and in compliance with applicable data protection laws, including the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). 
Obtaining Consent for Direct Marketing
  • Opt-in consent: We will obtain your explicit opt-in consent before sending you direct marketing communications, where required by law. This means that you will have the opportunity to actively consent to receiving marketing messages from us before we send them to you.
  • Unsubscribe option: Every direct marketing communication we send will include clear instructions on how to unsubscribe or opt out from receiving future marketing communications. You can exercise your right to opt out at any time, and we will promptly honor your request to stop sending you marketing messages.
Types of Direct Marketing Communications
We may use your personal information to send you direct marketing communications via various channels, including:
  • Email
  • [list any other channels you use, such as SMS/text messages]
Managing Your Preferences
You have control over the direct marketing communications you receive from us. You can manage your communication preferences by using the unsubscribe link provided in our marketing emails or text messages.
Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected individuals and, where required, relevant regulatory authorities, in the most expedient time possible and without unreasonable delay. Notification will be provided in accordance with applicable California law and will include:
  • A description of the nature of the breach
  • The categories and approximate volume of personal information involved
  • The steps we have taken or are taking to address the breach
  • Recommended steps you can take to protect yourself
We will communicate breach notifications via email using the contact information you have provided, and where appropriate, through a prominent notice on our website.
Detection and Assessment
  • Internal monitoring: We employ robust security measures and monitoring systems to detect and respond to potential data breaches promptly.
  • Assessment of breach impact: Upon discovery of a data breach, we will conduct a thorough assessment to determine the nature and scope of the breach, including the types of personal information involved and the potential impact on affected individuals.
Notification Obligations
  • Regulatory authorities: If required by law, we will notify the relevant authorities of the data breach within 30 days, following the procedures specified by applicable regulations. Under California law, a breach affecting more than 500 California residents must also be reported to the California Attorney General.
  • Affected individuals: If a data breach poses a significant risk to your privacy rights and freedoms, we will notify you within 30 days, and in any case in the most expedient time possible and without unreasonable delay as California law requires, providing clear and concise information about the breach, the types of personal information affected, and the steps you can take to protect yourself.
Communication Channels
  • Email notification: We may notify affected individuals via email, using the contact information provided to us, if feasible and appropriate.
  • Website notification: We may also post a notification on our website or through other communication channels accessible to affected individuals.
Support and Assistance
In the event of a data breach, we are committed to providing affected individuals with the support and assistance they need, including guidance on steps they can take to mitigate the potential risks associated with the breach.
Point of contact: If you have any questions or concerns about a data breach or believe you may have been affected, please contact us immediately at [insert business email] or [insert business phone number].
Policy Updates and Changes
At [Business Name], we are committed to keeping you informed about how we handle your personal information and any changes to our privacy practices. We may update this privacy policy from time to time to reflect changes in legal requirements, industry standards, or our business operations. We want to assure you that any updates will be communicated transparently and in accordance with applicable data protection laws.
Notification of Changes
  • Notification process: In the event of significant changes to our privacy policy that may affect your rights or the way we handle your personal information, we will provide notice through prominent means, such as email, website notifications, or other appropriate channels. We will also indicate the effective date of the updated policy at the top of the document.
  • Reviewing changes: We encourage you to review our privacy policy periodically to stay informed about how we collect, use, and protect your personal information. Your continued use of our services after any changes to the policy signifies your acceptance of the updated terms.
Contact Us
If you have any questions or concerns about our privacy policy or any updates to it, please don’t hesitate to contact us at [insert business email] or [insert business phone number]. We are here to address any inquiries you may have and to ensure that you have the information you need to feel confident about how your personal information is handled.

Why a CCPA Privacy Policy Alone Is Not Enough for Compliance

Enforcement of California’s privacy laws is now a shared responsibility between two bodies, each with independent authority to investigate and penalize. 

  • California Attorney General’s office handles civil enforcement and can pursue litigation against non-compliant businesses. 
  • California Privacy Protection Agency (CPPA) (now CalPrivacy) operates as a dedicated regulatory body with its own investigative division, rulemaking authority, and power to impose administrative fines directly. 

These enforcement authorities are taking a firm approach across sectors. 

For instance, food delivery app DoorDash was fined USD 375,000 for sharing customer data through a marketing cooperative without giving consumers adequate notice or a way to opt out. 

Disney’s USD 2.75 million settlement with the AG, the largest CCPA penalty to date, was the result of opt-out mechanisms that failed to work consistently across its streaming services, even for consumers who were logged in to their accounts. 

While a privacy policy is a foundational requirement for CCPA compliance, it’s only one piece of a much larger picture. An accurate, well-structured policy tells consumers what your data practices are, but it can’t ensure those practices are lawful, enforceable, or operationally sound. 

Enforcement actions have repeatedly shown that the gap between what a policy says and what a business does can be a major liability. In addition to a comprehensive privacy policy, you also need the following elements to support CCPA compliance and avoid fines and penalties.

Regular Updates to Your Policy

Your data practices will change over time. A compliant privacy policy should always reflect your current practices and current legislation. Update and review your policy regularly, include the most recent updated date, and communicate any material changes to consumers.

Consent Management

A policy informs consumers of your data practices, but it can’t capture, record, or manage their choices. You need a separate consent management platform (CMP) to collect and honor consumer consent.

Opt-out Enforcement Mechanisms

While your privacy policy informs users of their right to opt out of the sale or sharing of their data, it doesn’t enable them to enact this right. To do so, provide a designated “Do Not Sell or Share My Personal Information” link, and make sure the opt-out is recorded and enforced server-side, in every downstream system that sells or shares data, rather than only in a browser cookie. The CPRA regulations also require you to honor opt-out preference signals such as Global Privacy Control as valid opt-out requests, so your site must detect and act on the signal even if the user never clicks the link. 

“Limit the Use” Enforcement Mechanisms

Similarly, the CPRA requires that “Limit the Use of My Sensitive Personal Information” requests be honored operationally, not just acknowledged on a policy page. That requires technical controls, like a CMP, that automatically action these consumer choices. 

Proof of Compliance

In the event of a regulatory investigation, you need evidence of compliance, such as records of consumers’ consent choices over time, consumer requests and responses, and timestamps showing when opt-outs were processed. In addition to stating that you’ll do these things in your policy, you need a system that captures and securely stores this proof in an auditable format. 
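The Proof of Compliance paragraph above, together with the opt-out and “Limit the Use” enforcement points before it, describes a system that records consumer choices with timestamps, enforces them, and keeps the records in an auditable form. The following is an added example of one way to build that record, written for this article and not Usercentrics’ own code or product: an append-only, hash-chained consent ledger that is the server-side source of truth for whether a consumer’s data may be sold or shared, computes the 15-business-day processing deadline, flags opt-outs that were never actioned, enforces the 12-month rule before re-asking for consent, and detects any later edit to the log. The consumer identifiers, event names, source labels and sample timestamps are all constructed assumptions; a “Limit the Use” request would be logged the same way; and business days skip only weekends (no holiday calendar).

```python
"""Tamper-evident consent ledger: an added example, not Usercentrics code. Assumptions
(hypothetical): pseudonymous consumer ids, these event names, weekend-only business days."""
import hashlib
import json
from datetime import date, datetime, timedelta, timezone

OPT_OUT = "opt_out_sale_share"   # "Do Not Sell or Share" link or a GPC signal
OPT_IN = "opt_in_sale_share"     # consumer later re-consents
PROCESSED = "opt_out_processed"  # downstream systems confirmed the opt-out
GENESIS = "0" * 64

def _digest(body):
    # Canonical JSON so the hash is reproducible when the log is replayed.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_business_days(start, n):
    """Advance n weekdays; weekends skipped, holidays not modelled (assumption)."""
    while n > 0:
        start += timedelta(days=1)
        if start.weekday() < 5:
            n -= 1
    return start

class ConsentLedger:
    """Append-only, hash-chained log of consent events and their processing."""
    def __init__(self):
        self.entries = []

    def append(self, consumer_id, event, source, at=None):
        # source records how the choice arrived: footer_link, gpc_signal, email, agent
        at = at or datetime.now(timezone.utc)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "ts": at.isoformat(), "consumer_id": consumer_id,
                "event": event, "source": source, "prev": prev}
        body["hash"] = _digest(body)
        self.entries.append(body)
        return body

    def verify(self):
        """Recompute every hash; an edited or deleted record breaks the chain."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def _latest(self, consumer_id, events):
        for e in reversed(self.entries):
            if e["consumer_id"] == consumer_id and e["event"] in events:
                return e
        return None

    def may_sell_or_share(self, consumer_id):
        """Server-side source of truth, not a browser cookie. CCPA is opt-out, so sale or
        sharing is allowed until an opt-out is recorded; a later opt-in reverses it."""
        last = self._latest(consumer_id, {OPT_OUT, OPT_IN})
        return last is None or last["event"] == OPT_IN

    def may_ask_to_opt_in(self, consumer_id, now_iso):
        """CPRA regs: do not ask a consumer to opt back in for 12 months after an opt-out."""
        last = self._latest(consumer_id, {OPT_OUT})
        return last is None or datetime.fromisoformat(now_iso) >= (
            datetime.fromisoformat(last["ts"]) + timedelta(days=365))

    def opt_out_deadline(self, consumer_id):
        """ISO date by which the latest opt-out must be processed: 15 business days."""
        req = self._latest(consumer_id, {OPT_OUT})
        if req is None:
            return None
        return add_business_days(datetime.fromisoformat(req["ts"]).date(), 15).isoformat()

    def overdue_opt_outs(self, today_iso):
        """Consumers whose latest opt-out has no PROCESSED record by its deadline."""
        today, late = date.fromisoformat(today_iso), []
        for cid in sorted({e["consumer_id"] for e in self.entries if e["event"] == OPT_OUT}):
            req, done = self._latest(cid, {OPT_OUT}), self._latest(cid, {PROCESSED})
            unprocessed = done is None or done["seq"] < req["seq"]
            if unprocessed and today > date.fromisoformat(self.opt_out_deadline(cid)):
                late.append(cid)
        return late

def build_sample_ledger():
    """Constructed sample data (not real consumers): one opt-out processed, one not."""
    led = ConsentLedger()
    t0 = datetime(2025, 1, 6, 10, 0, tzinfo=timezone.utc)  # a Monday
    led.append("c-001", OPT_OUT, "gpc_signal", t0)
    led.append("c-001", PROCESSED, "ad_pipeline", t0 + timedelta(days=2))
    led.append("c-002", OPT_OUT, "footer_link", t0 + timedelta(days=1))
    return led

def tamper_check():
    """(valid_before, valid_after) for a ledger whose first record is silently edited."""
    led = build_sample_ledger()
    before = led.verify()
    led.entries[0]["source"] = "email"  # rewrite how the opt-out arrived
    return before, led.verify()
```

In a real deployment the PROCESSED event is written by the system that actually stops the sale or sharing (the ad pipeline, the data-sharing export job), so overdue_opt_outs is the report that shows a request was acknowledged but never actioned, which is exactly the gap the enforcement actions above turned on. Hash chaining only detects tampering; to prevent it, write the log to append-only storage and keep the current chain head somewhere the application cannot rewrite.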

How Usercentrics Helps Operationalize CCPA/CPRA Compliance

Getting your privacy policy right is the first step. Keeping it in line with your business as operations expand, tools change, and regulations shift is where most organizations struggle. Usercentrics builds the infrastructure to make that possible.

Our Privacy Policy Generator produces a customized, CCPA/CPRA-aligned policy and updates automatically when laws change, supporting ongoing alignment with your business practices.

And the Usercentrics CMP captures consumer choices, enforces opt-outs across your digital properties, and stores audit-ready records that demonstrate compliance over time.


William Newmark