
CCPA Privacy Policy is an important factor in compliance.

February 28, 2020.


The California Consumer Privacy Act (CCPA) sets out specific requirements for how businesses around the world are allowed to handle the personal information of California residents.

Some of these requirements have to do specifically with a website’s privacy policy (also known as the CCPA privacy notice).

In this blog post, we take a look at what constitutes a CCPA compliant privacy policy.


What is CCPA?


The California Consumer Privacy Act (CCPA) is a state-wide law that took effect on January 1, 2020 and governs the collection, processing and selling of California residents’ personal information (PI).

The CCPA empowers California residents (known as consumers in the law) with the:

If a company or organization meets the CCPA definition of business, it is obligated to operate in compliance with the law when handling the PI of California residents – no matter where in the world the business itself is located.


CCPA compliance with Cookiebot

Cookiebot is a consent management platform (CMP) that enables compliance with the CCPA, the EU’s GDPR and other data privacy laws through technology that deep-scans your website to uncover all cookies and trackers present.

This way, you can know exactly what personal information your website collects, for what purposes, which third parties it shares it with – and take control for compliance.








CCPA privacy policy - overview


A cornerstone of CCPA compliance for a business is its privacy policy – or CCPA privacy notice, as it is often called.

Your website may already have a privacy policy, as this is also a requirement of data protection laws like the European General Data Protection Regulation (GDPR) that preceded the CCPA.

However, the CCPA has specific requirements for what your privacy policy must include, so in order to ensure compliance, you will need to amend and update it to reflect Californian law as well.






In broad terms, a CCPA privacy policy is about transparency.

It’s the way you tell your users from California what happens to their data when they visit your website, and the way you let them know what rights they have in this online exchange, including how they can exercise their rights when it comes to your business.

It’s very important that your CCPA privacy notice includes all the required content, otherwise you are not in compliance with the law.

Later in this blog post, we provide some examples of CCPA privacy policy templates (links to the CCPA privacy notices of different companies found online).

But first, let’s break down the CCPA privacy policy requirements. We’ll do this by looking at the overall must-haves in this CCPA privacy policy checklist.



CCPA privacy policy checklist


Here is a CCPA privacy policy checklist of what you must include in order to be compliant with California’s data law. Your CCPA privacy policy must –

Your CCPA privacy policy must also be updated every 12 months, so make sure it features a “last updated” or similar time stamp for your consumers to see.

A CCPA privacy notice requirement is also that your users have easy access to it from your website’s front page. This can be a link in the footer of your front page. More on this below.

Okay, let’s take a more detailed look at these requirements.


CCPA privacy policy requirements


First off, even though the CCPA demands that businesses provide a privacy policy on their website, most websites probably have one already, since data protection laws like the European General Data Protection Regulation also demand this.

However, the CCPA makes specific demands on a business’ privacy policy that differ from those in the GDPR.

Let’s break down the checklist from above to look at the individual CCPA privacy policy requirements that your business and website must adhere to.


Conspicuous link to CCPA privacy notice

First off, your privacy policy must be accessible from your website’s front page.

One of the clear CCPA privacy notice requirements is that it has to be available for consumers through a conspicuous link on your website’s front page, i.e. clearly visible and accessible for your users.

This can be done in several ways – really it is up to you and your website’s layout, so long as you make sure that a CCPA privacy policy link is featured in a way that is easy to find and click on by your visitors on the front page.


Updated CCPA privacy policy

Another requirement of the California law is that your CCPA privacy notice is updated at least once every twelve months.

Most CCPA privacy policies therefore have a “last updated” header or footer to inform consumers that the content they are reading is correct and up to date.






One of the reasons that a CCPA privacy notice needs to be updated is that the law requires consumers to be made aware if your business starts collecting new categories of personal information, or if it starts collecting PI for a different purpose than before.

Make sure to always keep your CCPA compliant privacy policy updated, and let your users know when it was updated last.


Inform users on their CCPA rights

When it comes to the CCPA privacy policy requirements, the right to be informed of rights is of particular concern to a business with a website seeking CCPA compliance.

List of CCPA rights that you must inform your users of in your CCPA privacy policy:

You must also tell your user how to exercise the disclosure, deletion and opt out rights. This is another important CCPA privacy notice requirement.

Consumers must send a verifiable consumer request, commonly through a link on your website, by calling your business or sending you an e-mail.

Let your users know clearly what their rights are and how they can exercise them in relation to your business.


What PI do you collect and from where?

The CCPA specifies that California residents must get a notice at collection, i.e. your users must be informed at or before the point of collection about the categories of PI that you collect and the purposes for which you collect them.

It is central to the CCPA privacy notice that a business lists exhaustively all categories of personal information that it has collected in the last 12 months.

A common way of categorizing personal information in CCPA privacy policies is between –

Another CCPA privacy policy requirement is for a business to list its sources, i.e. where it obtains the different categories of personal information listed above.

This means that you must, in your CCPA privacy notice, tell your users where you collect the different categories of PI from.

A common list of sources would include third party implementations (such as Google Analytics), affiliates, customers, publicly available sources, resellers, partners, vendors, suppliers, data brokers, service providers and so on.

You must of course list specifically who these sources are, not just say that “you collect PI”.


How do you use PI?

The purpose for your PI collection is another important CCPA privacy policy requirement for you to disclose to your consumers. For which purposes do you collect personal information from California residents? What are the specific business purposes for which you collect and use PI?

Tell your Californian users why you collect their personal information, and what you intend to use it for.

Common purposes for PI collection include:

Additionally, consumers have the right to be informed every time a business begins collecting new forms of personal information, or if they start collecting personal information for new purposes.



Who do you share PI with?

A very important CCPA privacy policy requirement is to disclose to your consumers which third parties you share or sell their PI with.

Do you share personal information with Google or Facebook or other third parties through plugins and cookies on your website? You need to tell your Californian users about this.







Not only do you have to disclose all third parties with whom you share or sell personal information in your CCPA privacy notice, you must also feature a Do Not Sell My Personal Information link on your website.






This mandatory CCPA link enables consumers to exercise their perhaps most famous CCPA right: the right to opt out of having their personal information sold to third parties.


What PI have you sold in the last 12 months?

Additionally, you have to disclose to consumers what categories of PI your business has sold to third parties in the last 12 months.

Selling has a broad definition in the CCPA that includes disclosure and sharing in exchange for money or other things of value.

Since no enforcement action has been taken under the CCPA yet, it is difficult to know how this is to be interpreted.

To be on the safe side, a list of the PI you have sold in the last 12 months should include the categories of PI that you have disclosed to third parties, e.g. through third party cookies on your website.

You will need to deep-scan your website in order to find all third-party cookies and trackers embedded on it.

A 2020 study on website tracking shows the unsettling reality of third-party tracking:



CCPA privacy policy template


After a long breakdown of all the requirements, you might be wondering what your CCPA privacy policy is going to look like on your website. You might be tempted to go search for CCPA privacy notice templates. But before you do, here is a word of caution.

Relying on a CCPA privacy policy template for your website’s notice is not without problems. A simple copy-paste would be disastrous for your level of compliance, since you must inform Californian consumers of your particular PI collection scheme.

If you already have a privacy policy on your website, it’s important that you take the time to update it with all the mandatory content you’ve read about in this article, in order to ensure CCPA compliance.

If you don’t have a privacy policy on your website yet, then this is an excellent time to write one out and to make sure that you do it in a CCPA compliant way.

If you feel like you need help with how to set the whole thing up, then take a look at IAPP’s sample CCPA privacy notice templates. They include CCPA privacy policy templates from companies like Horne, Indio and Termsfeed.

But remember, don’t copy-paste.

