CCPA Privacy Policy Generator

The California Consumer Privacy Act (CCPA) is a landmark data privacy law that went into effect on January 1, 2020. It was the first comprehensive consumer privacy statute enacted in the United States and has since served as a model for privacy legislation in other states including Virginia, Colorado, Connecticut, and Utah.

The CCPA grants California residents (referred to as "consumers" in the statute) a set of enforceable rights over how businesses collect, use, share, and sell their personal information. It is enforced by the California Attorney General and, since 2023, the California Privacy Protection Agency (CPPA).

Under the CCPA, "personal information" is defined broadly. It includes any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This covers names, email addresses, IP addresses, browsing history, purchase history, geolocation data, biometric data, and even inferences drawn from other data points to create a consumer profile.

The CCPA applies to any for-profit entity that does business in California and collects the personal information of California residents, provided the business meets at least one of the following thresholds:

• Annual gross revenue exceeds $25 million. This is measured in the preceding calendar year and includes global revenue, not just revenue from California customers.
• Buys, sells, or shares the personal information of 100,000 or more California consumers, households, or devices per year. Note that the CPRA lowered the original CCPA threshold from 50,000 to 100,000 but removed the "receives" trigger, meaning passive receipt alone no longer counts.
• Derives 50% or more of annual revenue from selling or sharing California consumers' personal information. Data brokers and ad-tech companies frequently meet this threshold.

Even if your business does not currently meet these thresholds, proactive compliance is strongly recommended. California is the largest consumer market in the United States with over 39 million residents, and many businesses cross these thresholds faster than expected as they scale. Additionally, having a CCPA-compliant privacy policy signals professionalism and builds trust with privacy-conscious customers.

Not sure whether your site already meets CCPA disclosure requirements? Use our free compliance checker to scan your existing privacy policy and identify gaps.

The CCPA (as amended by the CPRA) grants California consumers the following rights. Your privacy policy must clearly describe each of these rights and explain how consumers can exercise them.

One of the CCPA's most distinctive requirements is the obligation to provide consumers with a way to opt out of the sale or sharing of their personal information. If your business sells personal information or shares it for cross-context behavioral advertising, you must implement all of the following:

• Homepage opt-out link. Display a clear and conspicuous link on your website's homepage titled "Do Not Sell or Share My Personal Information." This link must take users to a page or mechanism where they can submit their opt-out request without being required to create an account.
• Sensitive data link. If you collect sensitive personal information beyond what is necessary to provide your service, you must also provide a "Limit the Use of My Sensitive Personal Information" link. You may combine both links into a single "Your Privacy Choices" link accompanied by the standard opt-out preference signal icon.
• Global Privacy Control (GPC) support. Your website must recognize and honor the GPC browser signal as a valid opt-out request. When a visitor's browser sends a GPC signal, you must treat it as though the consumer clicked your "Do Not Sell" link. Your privacy policy should disclose how you respond to GPC signals.
• Minors require opt-in. You cannot sell or share personal information of consumers you know to be under 16 years old without affirmative opt-in consent. For children under 13, consent must come from a parent or guardian.
• 12-month waiting period. After a consumer opts out, you must wait at least 12 months before asking them to opt back in to the sale or sharing of their personal information.

Common activities that constitute "sharing" under the CPRA include using Meta Pixel, Google Ads remarketing tags, TikTok Pixel, or any third-party tracking cookies that enable cross-site behavioral advertising. If you use any of these technologies, you almost certainly need the opt-out link.

Not sure if your site has the required opt-out mechanisms? Scan your website with our free compliance checker to find out.

Non-compliance with the CCPA carries substantial financial risk. Since the CPRA eliminated the 30-day cure period in 2023, businesses can face immediate penalties without a chance to fix violations first.

Beyond regulatory fines, the CCPA grants consumers a private right of action for data breaches resulting from a business's failure to implement reasonable security measures. Consumers can seek statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater. Several class action lawsuits under this provision have resulted in multi-million dollar settlements.

The California Privacy Protection Agency (CPPA) now conducts its own investigations, audits, and enforcement proceedings alongside the Attorney General's office. Enforcement activity has increased significantly since the CPPA became operational, with public inquiries targeting companies across e-commerce, ad-tech, social media, and connected vehicle industries.

The CCPA and its implementing regulations mandate that your privacy policy contain specific disclosures. Missing even one required section can expose your business to enforcement actions and fines of up to $7,500 per intentional violation. Your policy must include:

• A description of the categories of personal information you have collected in the preceding 12 months (e.g., identifiers, commercial information, internet activity, geolocation, biometric data, professional information, education information, inferences).
• The sources from which personal information is collected (e.g., directly from consumers, from third-party data providers, from cookies and tracking technologies).
• The business or commercial purposes for collecting or selling personal information (e.g., providing services, processing transactions, marketing, fraud prevention, improving products).
• The categories of third parties with whom you share personal information (e.g., service providers, advertising partners, analytics providers, affiliated companies).
• For each category of personal information collected, the categories of personal information sold or shared and the categories of third parties to whom it was sold or shared, or a statement that you have not sold or shared personal information.
• The retention period for each category of personal information, or the criteria used to determine retention periods. This is a CPRA addition that many businesses still miss.
• A description of each consumer right (know, delete, correct, opt-out, limit use of sensitive data, non-discrimination) and instructions for how consumers can submit requests.
• At least two methods for submitting requests, one of which must be a toll-free telephone number (for businesses that operate primarily online, an email address may substitute in certain cases).
• The date the privacy policy was last updated. The CCPA requires that you review and update your policy at least once every 12 months.

PolicyForge generates all of these sections automatically when you select the United States (CCPA) jurisdiction. Create your CCPA privacy policy now.

Many businesses need to comply with both the CCPA and the EU's General Data Protection Regulation (GDPR). While both laws aim to protect consumer privacy, they differ in significant ways. A single privacy policy can cover both, but you need to address the requirements of each.

The California Privacy Rights Act (CPRA), passed by California voters in November 2020 as Proposition 24, took full effect on January 1, 2023. It amends and significantly expands the original CCPA. If your privacy policy was written before 2023, it likely does not meet the updated requirements. Here are the most important changes:

• New category: Sensitive Personal Information. The CPRA created a distinct category for sensitive data (SSN, financial accounts, precise geolocation, racial/ethnic origin, religious beliefs, genetic/biometric data, health data, sex life/sexual orientation, contents of communications). Consumers can now limit how you use this data.
• Right to Correct. Consumers can now request corrections to inaccurate personal information you hold about them.
• "Sharing" for cross-context behavioral advertising. The CPRA expanded the opt-out right beyond "sales" to include "sharing" for targeted advertising purposes. This affects businesses using retargeting pixels, third-party cookies, or similar tracking for ad personalization.
• Data retention disclosures. Businesses must now disclose the retention period for each category of personal information, or the criteria used to determine how long data is kept.
• Data minimization. The CPRA introduced a requirement that collection, use, retention, and sharing of personal information must be "reasonably necessary and proportionate" to the purposes for which it was collected.
• California Privacy Protection Agency (CPPA). A new dedicated enforcement agency was created to implement and enforce the CCPA/CPRA, supplementing the Attorney General's existing authority. The CPPA began formal rulemaking in 2023 and continues to issue new regulations.
• Global Privacy Control (GPC) recognition. Businesses must treat GPC browser signals as valid opt-out requests. Your privacy policy should disclose whether and how you respond to GPC signals.
• Contractor obligations. The CPRA added "contractors" as a new category alongside service providers, with specific contractual requirements for how they handle personal information.

PolicyForge generates policies that incorporate all CPRA amendments by default, so you do not need to worry about missing any of these updates. Generate your updated CCPA/CPRA privacy policy here.