eForms Logo

CCPA Privacy Policy Template & Generator

Create a high-quality document now!

CCPA Privacy Policy Template & Generator

Updated May 28, 2024

A CCPA privacy policy, under the California Consumer Privacy Act of 2018 (CCPA), requires businesses to disclose the personal information being held and how it is collected. The law was created to protect users while giving them the right to stop their data from being used for marketing purposes.

Who Must Comply with the CCPA?

The CCPA applies to for-profit businesses serving Californians and meets any of the following:[1][2]

  • Has annual revenues of more than $25 million;
  • Handles 50,000 or more annual consumers, households, or devices through the business’s commercial purpose; or
  • Derives 50% or more of its annual revenues from selling consumers’ personal information.

The CCPA does not apply to non-profit organizations or government agencies.

Table of Contents

Privacy Policy Requirements (8)

A privacy policy must describe a consumer’s rights with the CCPA, including:[3]

  1. List, in categories, the types of personal information collected and used for a business (marketing) purpose;
  2. If the business sells personal information, the types of information sold in the preceding 12 months;
  3. For medical offices, to describe the deidentified patient information is disclosed or sold
  4. Two (2) or more methods for users to submit requests, including a toll-free phone number as a method unless the business operates exclusively online, then an e-mail is adequate.
  5. A webpage URL where users can submit requests related to their personal information;
  6. A statement that a consumer has the right to correct any inaccurate personal information;
  7. Language that states the business will respond free of charge and within 45 days of receiving a verifiable consumer request; and
  8. The document must be updated every 12 months.

What is considered “Personal Information”?

Personal information, under CCPA, is any type of information collected by a business that “could reasonably” be connected with a user or household.[4]

Categories (12)

Personal Information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household in the following 12 categories:[5]

  1. Identifiers – Real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, e-mail address, account name, social security number (SSN), driver’s license number, passport number, or other similar identifiers.
  2. Customer Records – As defined under CIV 1798.80, that includes business information, name, address, phone number, signature, social security number (SSN), physical characteristics or description, passport number, driver’s license number, state ID number, insurance policy number, education or employment history, bank or credit card number, medical information, or health insurance information.
  3. Characteristics of Protected Classes – Those listed under California law and 42 U.S. Code § 3604 regarding a person’s race, color, national origin, religion, sex, and familial status.
  4. Commercial Information – Records of personal property and any information related to products and services purchased, obtained, or at one time considered to purchase as part of a person’s consuming history or tendencies.
  5. Biometric Information – Fingerprints, facial recognition, voiceprint, iris or eye scan, and hand geometry.
  6. Internet Activity – Network information such as browsing history, search history, and information regarding interaction with a website or application.
  7. Geolocation Data – An IP address or any type of location-based data shared.
  8. Audio, Electronic, Visual, Thermal, Olfactory, or Similar Information.
  9. Professional or Employment-Related Information – Any history regarding where a person has worked, paid or unpaid.
  10. Education-Related Information – Educational information not publicly available as defined under U.S. 20 § 1232g and 34 CFR Part 99.
  11. Information Identified to Create a Profile – Data collected from any information drawn from the previously mentioned identifiers to build a profile based on a user’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
  12. Sensitive Personal Information – Social security number (SSN), driver’s license number, state ID number, passport number, login information, financial account, debit or credit card, security number (back of card), access codes, password, credentials that allow access to an account, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, communication data that is not directly made to a business (mail, e-mail, and message content), genetic data, personal information concerning a consumer’s health, sex life, or sexual orientation.

Who is Protected under CCPA?

It protects California residents only. Although, since California represents 11.8% of the total population of the United States,[6] most entities that want to conduct business in the USA will be compliant with the CCPA.

Is a Business Liable for a Data Breach?

Yes, a business is liable to be sued under CCPA if a user’s first and last name was stolen in combination with their:[4]

  • Social Security Number (SSN);
  • Government ID or any data mentioned on such identification (e.g., driver’s license number, tax ID number, military ID number, etc.);
  • Financial information such as credit card numbers, bank account numbers, etc.;
  • Personal health information; or
  • Biometric data such as fingerprints, retina or iris imagery, etc.

Rights of Users (6)

  1. Right to Notice
  2. Right to Know
  3. Right to Delete
  4. Right to Correct
  5. Right to Opt-Out
  6. Right Not to be Discriminated

1. Right to Notice

Businesses must inform users “at or before the point of collection” when disclosing their information practices.[7]

2. Right to Know

A user has the right to know regarding personal information:[8]

  1. The categories (types) being collected;
  2. The sources where it is coming from;
  3. The reason or business purpose for accepting;
  4. The categories (types) of 3rd parties it’s being shared; and
  5. The specific “pieces” being collected.

3. Right to Delete

A user has the right to request any of their personal information be deleted that is stored with a business. It must be a “verifiable request,” and the business will have 45 days to complete it.[9]

4. Right to Correct

A consumer has the right to correct any inaccurate, mislabeled or erroneous personal information by a business. There must be “reasonable efforts” made to correct the data on file.[10]

5. Right to Opt-Out

A consumer has the right, at any time their personal information is being sold or shared, to opt-out of their data being sold or used for a commercial purpose.

A business cannot share or sell the personal information of someone they know is between 13 to 16 years of age without their consent. If the consumer is under 13 years of age, then the parent or guardian’s consent is required. It is only a violation if the business has actual knowledge of the consumer’s age.[11]

6. Right Not to be Discriminated

A consumer has the right not to be discriminated against for exercising the privacy rights granted to them under the CCPA. Examples of discrimination include:[12]

  • Rejecting services or goods;
  • Offering different pricing, plans, subscriptions, or discounts;
  • Delivering an inferior product or lower level of service; and
  • Suggesting any of the above when giving a quote or estimate for goods or services.


  1. CIV 1798.140(c)
  2. CIV 1798.145(n)(1)
  3. CIV 1798.130
  4. CCPA Frequently Asked Questions
  5. CIV 1798.140(v)
  6. 2021 Census
  7. CIV 1798.100
  8. CIV 1798.110
  9. CIV 1798.105
  10. CIV 1798.106
  11. CIV 1798.120
  12. CIV 1798.125