Cookiebot


CCPA Privacy Policy is an important factor in compliance.

Updated June 8, 2020.


The California Consumer Privacy Act (CCPA) carves out specific requirements for how businesses around the world are allowed to handle the personal information of California residents.

Some of these requirements have to do specifically with a website’s privacy policy (also known as the CCPA privacy notice).

In this blog post, we take a look at what constitutes a CCPA compliant privacy policy.


What is CCPA?


The California Consumer Privacy Act (CCPA) is a state-wide law that took effect on January 1, 2020 and governs the collection, processing and selling of California residents’ personal information (PI).

The CCPA empowers California residents (known as consumers in the law) with the:

If a company or organization meets the CCPA definition of business, it is obligated to operate in compliance with the law when handling the PI of California residents – no matter where in the world the business itself is located.


CCPA compliance with Cookiebot

Cookiebot is a consent management platform (CMP) that enables compliance with the CCPA, the EU’s GDPR and other data privacy laws through technology that deep-scans your website to uncover all cookies and trackers present.

This way, you can know exactly what personal information your website collects, for what purposes, which third parties it shares it with – and take control for compliance.



Cookiebot enables CCPA compliance, including the required Do Not Sell link.



Try Cookiebot for free today for CCPA compliance.


CCPA privacy policy - overview


A cornerstone of CCPA compliance for a business is its privacy policy – or CCPA privacy notice, as it is often called.

Your website may already have a privacy policy, as this is also a requirement of data protection laws like the European General Data Protection Regulation (GDPR) that preceded the CCPA.

However, the CCPA has specific requirements for what your privacy policy must include, so in order to ensure compliance, you will need to amend and update it to reflect Californian law as well.



A CCPA privacy notice is a cornerstone of compliance for websites.



In broad terms, a CCPA privacy policy is about transparency.

It’s the way you tell your users from California what happens to their data when they visit your website, and the way you let them know what rights they have in this online exchange, including how they can exercise their rights when it comes to your business.

It’s very important that your CCPA privacy notice includes all the required content, otherwise you are not in compliance with the law.

Later in the blog post, we provide you with some examples of CCPA privacy policy templates (links to different company CCPA privacy notices found online).

But first, let’s break down the CCPA privacy policy requirements. We’ll do this by looking at the overall must-haves in this CCPA privacy policy checklist.

Become CCPA compliant with Cookiebot for free.


CCPA privacy policy checklist


Here is a CCPA privacy policy checklist of what you must include in order to be compliant with California’s data law. Your CCPA privacy policy must –

Your CCPA privacy policy must also be updated every 12 months, so make sure it features a “last updated” or similar time stamp for your consumers to see.

A CCPA privacy notice requirement is also that your users have easy access to it from your website’s front page. This can be a link in the footer of your front page. More on this below.

Okay, let’s take a more detailed look at these requirements.


CCPA privacy policy requirements


First off, even though the CCPA demands that businesses provide a privacy policy on their website, most websites probably have one already, since data protection laws like the European General Data Protection Regulation also demand this.

However, the CCPA places specific demands on a business’s privacy policy that are different from those in the GDPR.

Let’s break down the checklist from above to look at the individual CCPA privacy policy requirements that your business and website must adhere to.


Conspicuous link to CCPA privacy notice

First off, your privacy policy must be accessible from your website’s front page.

One of the clear CCPA privacy notice requirements is that it has to be available for consumers through a conspicuous link on your website’s front page, i.e. clearly visible and accessible for your users.

This can be done in several ways – really it is up to you and your website’s layout, so long as you make sure that a CCPA privacy policy link is featured in a way that is easy to find and click on by your visitors on the front page.


Updated CCPA privacy policy

Another requirement of the California law is that your CCPA privacy notice is updated at least once every twelve months.

Most CCPA privacy policies therefore have a “last updated” header or footer to inform the consumers that the content they are reading is correct and up to date.



CCPA privacy policy templates can be good, but don’t copy-paste.



One of the reasons that a CCPA privacy notice needs to be updated is that the law requires consumers to be made aware if your business starts collecting new categories of personal information, or if it starts collecting PI for a different purpose than before.

Make sure to always keep your CCPA compliant privacy policy updated, and let your users know when it was updated last.


Inform users on their CCPA rights

When it comes to the CCPA privacy policy requirements, the right to be informed of rights is of particular concern to a business with a website seeking CCPA compliance.

List of CCPA rights that you must inform your users of in your CCPA privacy policy:

You must also tell your users how to exercise the disclosure, deletion and opt-out rights. This is another important CCPA privacy notice requirement.

Consumers must send a verifiable consumer request, commonly through a link on your website, by calling your business or sending you an e-mail.

Let your users know clearly what their rights are and how they can exercise them in relation to your business.


What PI do you collect and from where?

The CCPA specifies that California residents must get a notice at collection, i.e. your users must be informed at or before the point of collection about the categories of PI that you collect and the purposes for which you collect them.

It is central to the CCPA privacy notice that a business list exhaustively all categories of personal information that they have collected in the last 12 months.

A common way of categorizing personal information in CCPA privacy policies is between –

Another CCPA privacy policy requirement is for a business to list its sources, i.e. where it obtains the different categories of personal information listed above.

This means that you must, in your CCPA privacy notice, tell your users where you collect the different categories of PI from.

A common list of sources would include third party implementations (such as Google Analytics), affiliates, customers, publicly available sources, resellers, partners, vendors, suppliers, data brokers, service providers and so on.

You must of course list specifically who these sources are, not just say that “you collect PI”.


How do you use PI?

The purpose for your PI collection is another important CCPA privacy policy requirement for you to disclose to your consumers. For which purposes do you collect personal information from California residents? What are the specific business purposes for which you collect and use PI?

Tell your Californian users why you collect their personal information, and what you intend to use it for.

Common purposes for PI collection include:

Additionally, consumers have the right to be informed every time a business begins collecting new forms of personal information, or if it starts collecting personal information for new purposes.

Try Cookiebot for free today to uncover how your website collects and shares PI


Who do you share PI with?

A very important CCPA privacy policy requirement is to disclose to your consumers which third parties you share or sell their PI with.

Do you share personal information with Google or Facebook or other third parties through plugins and cookies on your website? You need to tell your Californian users about this.



Check out these CCPA privacy notice templates if you’re in doubt of how to write yours.



If you don’t know what third party cookies and trackers your website harbors, try Cookiebot for free today.

Not only do you have to disclose all third parties with whom you share or sell personal information in your CCPA privacy notice, you must also feature a Do Not Sell My Personal Information link on your website.



Cookiebot’s cookie declaration for websites seeking CCPA compliance.



This CCPA mandatory link will enable consumers to exercise their perhaps most famous CCPA right: the right to opt out of having their personal information sold to third parties.


What PI have you sold in the last 12 months?

Additionally, you have to disclose to consumers what categories of PI your business has sold to third parties in the last 12 months.

Selling has a broad definition in the CCPA that includes disclosing or sharing PI in exchange for money or other valuable consideration.

Since no enforcement action has been taken under the CCPA yet, it is difficult to know how this is to be interpreted.

To be on the safe side, a list of the PI you have sold in the last 12 months should include the categories of PI that you have disclosed to third parties, e.g. through third party cookies on your website.

You will need to deep-scan your website in order to know all third-party cookies and trackers that are embedded on your website.

A 2020 study on website tracking shows the unsettling reality of third-party tracking:

Try Cookiebot’s deep-scanning technology today to uncover all cookies and similar trackers on your website.


CCPA privacy policy template


After a long breakdown of all the requirements, you might be wondering what your CCPA privacy policy is going to look like on your website. You might be tempted to go search for CCPA privacy notice templates. But before you do, here is a word of caution.

Relying on a CCPA privacy policy template for your website’s notice is not without problems. A simple copy-paste would be disastrous for your level of compliance, since you must inform Californian consumers of your particular PI collection scheme.

If you have a privacy policy on your website already, it’s important that you take the time to update it with all the mandatory content you’ve read about in this article, in order to ensure CCPA compliance.

If you don’t have a privacy policy on your website yet, then this is an excellent time to write one out and to make sure that you do it in a CCPA compliant way.

If you feel like you need help with how to set the whole thing up, then take a look at IAPP’s sample CCPA privacy notice templates. They include CCPA privacy policy templates from companies like Horne, Indio and Termsfeed.

But remember, don’t copy-paste.


FAQ


What is the CCPA?

The California Consumer Privacy Act (CCPA) is a data privacy law that governs the personal information of California residents and how businesses are allowed to collect, share and sell it. The CCPA empowers California residents with a set of rights over their own personal information, such as the right to opt out of third-party data sales and the right to have collected PI deleted. The CCPA also sets out specific rules for how businesses are allowed to handle the personal information of California residents.

Learn more about the CCPA


What are the CCPA privacy policy requirements?

A CCPA compliant privacy policy must inform consumers of what kinds of personal information the business collects, including the specific purposes of collection and sources for each category of personal information. A CCPA privacy policy must also inform consumers of what kinds of personal information the business has sold to third parties in the last 12 months. A CCPA privacy policy must be updated annually and be easily accessible from the website’s front page.

Learn more about CCPA and personal information


Who needs to comply with the CCPA?

The CCPA defines a business as a company that meets at least one of the three following thresholds: 1) has an annual gross revenue exceeding $25 million, 2) derives 50% or more of its annual revenue from selling the personal information of California residents, or 3) buys, receives, sells or shares the personal information of 50,000 or more California residents annually. A company doesn’t have to be based in California to be liable under the CCPA: if a company in Texas or Europe meets any of the three thresholds above, it must live up to the CCPA requirements for compliance.

Learn more about CCPA compliance


What rights do California residents have under the CCPA?

The CCPA empowers California residents with the following rights: the right to opt out of having their personal information sold to third parties, the right to be informed of data collection, sharing and selling, the right to disclosure of what kind of personal information has been collected on them, the right to have already collected data deleted, and the right to equal services and prices regardless of whether they choose to exercise any of these rights.

Learn more about CCPA rights


Resources


Try Cookiebot for free today for CCPA & GDPR compliance

California Consumer Privacy Act (CCPA)

CCPA compliance with Cookiebot

CCPA and personal information

CCPA and rights

CCPA and cookies

General Data Protection Regulation (GDPR)

CCPA privacy policy template (Indio)
