CCPA Privacy Policy Requirements: A Complete Breakdown
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives California residents significant control over their personal information. A major component of compliance is maintaining a privacy policy that meets the CCPA's specific disclosure requirements.
Who Must Comply with the CCPA?
The CCPA applies to for-profit businesses that collect personal information from California residents and meet at least one of these criteria:
- Annual gross revenue exceeding $25 million
- Buying, selling, or sharing the personal information of 100,000 or more California consumers, households, or devices per year
- Deriving 50% or more of annual revenue from selling or sharing personal information
Even if your business is not based in California, these thresholds apply if you collect data from California residents.
The CCPA's threshold of 100,000 consumers, households, or devices is easier to meet than many businesses realize. If your website receives significant traffic from California, unique visitor counts from cookies and IP addresses can quickly push you past this number.
What the CCPA Requires in Your Privacy Policy
The CCPA mandates several specific disclosures in your privacy policy. Each must be addressed clearly and completely.
Categories of Personal Information Collected
List the categories of personal information you have collected in the preceding 12 months. The CCPA defines specific categories:
- Identifiers (name, email, IP address, account name)
- Personal information under California Civil Code Section 1798.80 (address, phone number, financial information)
- Protected classification characteristics (age, gender, race)
- Commercial information (purchase records, consumer histories)
- Biometric information
- Internet or network activity (browsing history, search history, interaction data)
- Geolocation data
- Sensory data (audio, electronic, visual)
- Professional or employment-related information
- Non-public education information
- Inferences drawn from the above categories
Sources of Personal Information
Disclose the categories of sources from which personal information is collected. These typically include:
- Directly from consumers (forms, account registration, purchases)
- Automatically through technology (cookies, pixels, analytics tools)
- From third parties (data brokers, advertising partners, social media platforms)
Business or Commercial Purpose for Collection
Explain why you collect each category of personal information. Purposes must be specific and legitimate:
- Fulfilling orders and providing services
- Processing payments
- Customer support and communication
- Marketing and advertising
- Analytics and product improvement
- Security and fraud prevention
- Legal compliance
Categories of Third Parties with Whom Data Is Shared
Identify the types of third parties that receive personal information from your business. Common categories include service providers, advertising networks, analytics providers, and business partners.
Consumer Rights Disclosures
Your privacy policy must inform California consumers of their rights under the CCPA:
- Right to know — Consumers can request disclosure of what personal information has been collected, the sources, the business purposes, and the third parties with whom it has been shared
- Right to delete — Consumers can request deletion of their personal information, with certain exceptions
- Right to opt out of sale/sharing — Consumers can direct businesses to stop selling or sharing their personal information
- Right to correct — Consumers can request correction of inaccurate personal information
- Right to limit use of sensitive personal information — Consumers can limit the use and disclosure of sensitive categories
- Right to non-discrimination — Businesses cannot penalize consumers for exercising their CCPA rights
How to Submit Requests
Provide at least two methods for consumers to submit privacy requests. At minimum, businesses must offer:
- A toll-free telephone number
- A website address (typically a web form or dedicated email address)
If you operate exclusively online and have a direct relationship with consumers, you may provide only an email address.
Response Timelines
Disclose that you will respond to verified consumer requests within 45 days, with a possible 45-day extension when necessary.
The "Do Not Sell or Share My Personal Information" Link
If your business sells or shares personal information, you must provide a clear and conspicuous link on your homepage titled "Do Not Sell or Share My Personal Information." This link must allow consumers to opt out without creating an account.
What Counts as "Selling" or "Sharing"?
Under the CCPA, "selling" includes any exchange of personal information for monetary or other valuable consideration. "Sharing" includes making personal information available to third parties for cross-context behavioral advertising purposes.
Common activities that may constitute selling or sharing:
- Using advertising pixels that transmit user data to ad networks
- Participating in data cooperatives or data exchanges
- Providing customer lists to marketing partners
- Using retargeting cookies that share browsing data with ad platforms
Even if you do not consider yourself to be "selling" data, the CCPA's broad definition means that common advertising practices like retargeting pixels and third-party analytics may qualify as "sharing." Audit your marketing technology stack to identify any data flows that might trigger these requirements.
Privacy Policy Update Requirements
The CCPA requires businesses to update their privacy policy at least once every 12 months. Your policy must include the date it was last updated.
Each annual update should reflect:
- Any new categories of personal information collected
- Changes in data sharing practices
- New third-party service providers
- Updates to consumer rights procedures
- Changes in business operations affecting data handling
Financial Incentive Disclosures
If you offer financial incentives related to the collection, sale, or deletion of personal information — such as loyalty programs, discounts for data sharing, or price differences for consumers who opt out — you must describe these programs in your privacy policy and explain how you calculate the value of the consumer's data.
Penalties for Non-Compliance
The CCPA is enforced by the California Attorney General and, under the CPRA, the California Privacy Protection Agency (CPPA). Penalties include:
- Up to $2,500 per unintentional violation
- Up to $7,500 per intentional violation
- Private right of action for data breaches resulting from failure to maintain reasonable security
These penalties are assessed per consumer, per incident. For businesses with large user bases, non-compliance can result in substantial financial exposure.
Practical Steps for Compliance
- Conduct a data inventory — Map all personal information you collect, the sources, purposes, and third-party recipients
- Update your privacy policy — Ensure all CCPA-required disclosures are present and accurate
- Implement request mechanisms — Set up processes to receive and respond to consumer requests within required timelines
- Train your team — Ensure staff who handle consumer inquiries understand CCPA requirements
- Review vendor agreements — Confirm that your service providers have appropriate data processing agreements in place
- Establish an annual review cycle — Schedule regular privacy policy updates to maintain compliance
The CCPA landscape continues to evolve as the CPPA issues new regulations and enforcement actions provide clarity on compliance expectations. Building a strong privacy policy foundation now will make it easier to adapt as requirements change.