September 2023

Drafting a CCPA/CPRA Privacy Policy

The California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), requires covered entities to provide specific disclosures about their information protection practices in a public privacy policy.

  • A business must first understand how it obtains, uses, stores, shares, sells, and protects personal data
  • A business must clearly explain when data that directly falls into a sensitive information category is not sensitive
  • The CCPA allows each business to adopt a policy format that best fits its activities

The CCPA, as amended by the CPRA (collectively, CCPA), grants California residents enhanced rights regarding their personal information and imposes various data protection duties on certain entities conducting business in California. It also establishes specific public notification obligations for covered businesses that collect, share, or sell personal information about California residents.

The CPRA amendments to the CCPA took effect on January 1, 2023 and became enforceable on July 1, 2023. The CPRA added new consumer privacy protections and created the first state agency focused exclusively on privacy, the California Privacy Protection Agency (Agency). On March 29, 2023, California’s Office of Administrative Law approved the Agency’s final regulations to implement the CPRA amendments (CCPA Regulations), but enforcement of the CCPA Regulations is stayed until March 29, 2024. (Cal. Civ. Code §§ 1798.100 to 1798.199.100; Cal. Code Regs. tit. 11, §§ 7000 to 7304; for more on the development of implementing regulations for the CPRA, see CPRA Regulation Tracker on Practical Law.)

Given the CCPA’s broad reach, it is likely to significantly impact entities both inside and outside California that collect and process California residents’ personal information. This article explains the requirements under the CCPA for providing California consumers with a privacy policy when collecting, using, selling, sharing, disclosing, and retaining personal information.

(For the complete version of this resource, which includes information on the CCPA’s other disclosure obligations, such as collection notices, opt-out right notices, right to limit notices, and financial incentive notices, see Drafting Privacy Policies and Notices (CCPA and CPRA) on Practical Law; for a collection of resources to help counsel understand, prepare for, and meet the requirements of the CCPA, see California Privacy Toolkit (CCPA and CPRA).)

Separate Notice Versus General Application

As a state law, the CCPA’s coverage only extends to businesses operating within California’s jurisdictional reach. The CCPA places thresholds on a covered business’s size or personal information sales to limit its impact on small businesses. Only California residents are entitled to receive the CCPA’s required information disclosures. (For more on covered businesses and protected individuals under the CCPA, see Understanding the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) on Practical Law.)

A business with a nationwide customer base or operation must decide whether to:

  • Provide the CCPA’s consumer rights and required disclosures only to consumers residing in California and develop separate privacy practices for consumers located elsewhere.
  • Elevate the CCPA’s requirements to a company-wide standard and extend its protections to all US-based customers.

A business that chooses to limit the CCPA’s protections to California residents may have to:

  • Determine whether each customer or website visitor qualifies as a California resident.
  • Change internal systems to track each individual’s residency status and implement processes for updating that status when individuals move.
  • Provide California residents with:
    • separate websites; and
    • separate or supplemental privacy policies.
  • Establish separate internal procedures and systems for handling California residents’ personal information.

Businesses should consider that new consumer privacy laws in other states may increase the burden and difficulty of adopting state-by-state approaches. (For a collection of resources to assist counsel in advising clients about US state-specific privacy, data protection, and cybersecurity requirements, see State Data Privacy Laws Toolkit on Practical Law.)

A business that chooses to adopt one common approach for all US customers should compare its current privacy notices to the CCPA’s requirements and make any necessary adjustments.

Whichever option a business chooses, accurately providing the CCPA’s required disclosures requires the business to have a full understanding of exactly how it collects, obtains, uses, stores, shares, sells, and protects personal information. To accomplish this, most businesses start by developing detailed data maps that track and visualize how information moves through their systems during the data lifecycle. (For more on developing data maps and other considerations involved in drafting a privacy notice, see Drafting Privacy Notices on Practical Law; for a model questionnaire that counsel can use to assess an organization’s personal information collection and handling practices, with explanatory notes and drafting tips, see Privacy Audit Questionnaire on Practical Law.)

Privacy Policy Elements

The CCPA’s general consumer privacy notice obligations extend over several different sections that sometimes overlap or cross-reference each other. To help businesses comply with these obligations, the CCPA Regulations require all businesses to provide consumers with a privacy policy that:

  • Describes its information practices, including how it collects, uses, discloses, sells, shares, and retains personal information.
  • Discloses the consumer’s personal information rights. (Cal. Code Regs. tit. 11, §§ 7001(o), (w) and 7011.)

While the CCPA Regulations do not prescribe a specific format, the privacy policy must include the following elements:

  • A description of the business’s information practices. This comprehensive description of the business’s online and offline practices must identify or provide:
    • the personal information categories the business collected about consumers in the preceding 12 months, described using the personal information definition’s specific terms;
    • the categories of sources from which the business collected personal information;
    • the specific business or commercial purposes for collecting personal information, using a description that provides consumers with a meaningful understanding of why the business collects it;
    • the personal information categories, if any, the business sold or shared to third parties in the preceding 12 months and the categories of third parties to whom each information category was sold or shared (or a statement that the business did not sell or share personal information to third parties);
    • the specific business or commercial purposes for selling or sharing consumers’ personal information, using a description that provides consumers with a meaningful understanding of why the business sells or shares it;
    • a statement disclosing whether the business has actual knowledge that it sells or shares personal information about consumers under age 16;
    • the personal information categories, if any, the business disclosed for a business purpose to third parties in the preceding 12 months and the categories of third parties to whom each information category was disclosed (or a statement that the business did not disclose personal information to third parties);
    • the specific business or commercial purposes for disclosing consumers’ personal information, using a description that provides consumers with a meaningful understanding of why the business disclosed it; and
    • a statement disclosing whether the business uses or discloses sensitive personal information for purposes beyond what the CCPA specifically permits (Permitted SPI Purposes).
  • A description of consumers’ rights. This description must explain the different rights that consumers have under the CCPA regarding their personal information.
  • Instructions for exercising consumer rights. The instructions must explain how consumers can exercise their CCPA rights and what consumers can expect from that process, and provide contact information for questions or concerns.
  • The date the business last updated the policy. The privacy policy should provide the date that the policy was last updated.
  • Statistical metrics. Businesses that meet certain size thresholds must provide specific metrics on their responses to consumer rights requests. (Cal. Civ. Code §§ 1798.100(a), 1798.105, 1798.115, 1798.120, and 1798.130; Cal. Code Regs. tit. 11, § 7011(e).)

Businesses should also consider including sections that describe:

  • The personal information retention periods disclosed in their separate CCPA collection notices.
  • Deidentified patient information disclosures (if the business sells or discloses deidentified patient information).

Many US-based privacy policies present these elements in a different order. One typical formulation organizes the policy along the following topics:

  • Personal information types, sources, and uses.
  • Personal information disclosures.
  • Consumer rights description and request process.

(For the complete version of this resource, which includes a section-by-section discussion of the different consumer notice requirements in the CCPA and CCPA Regulations, see Drafting Privacy Policies and Notices (CCPA and CPRA) on Practical Law.)

Personal Information Categories

A CCPA-compliant privacy policy must describe the categories of personal information that the business collected about consumers during the past 12 months (Cal. Civ. Code §§ 1798.110(c)(1) and 1798.130(a)(5)(B); Cal. Code Regs. tit. 11, § 7011(e)(1)(A)). The privacy policy must present these information category disclosures in a way that provides consumers with a meaningful understanding of what the business collects (Cal. Code Regs. tit. 11, § 7011(e)(1)(A)).

The CCPA defines personal information as any information that either directly or indirectly:

  • Identifies, relates to, or describes a particular consumer or household.
  • Is reasonably capable of being associated with or could reasonably be linked to a particular consumer or household. (Cal. Civ. Code § 1798.140(v)(1).)

Notably, the CCPA protects data even if it does not relate to a single individual, because it covers households and unique devices that consumers might share. It also protects data even when a record does not contain a name. (Cal. Civ. Code § 1798.140(i), (q), (aj).) This means that personal information under the CCPA includes items such as profiles associated with internet cookie identifiers or household television viewing profiles. The CCPA also clarifies that its provisions apply regardless of the data collection method. For example, it covers personal information collected electronically, recorded over the phone, entered on printed forms, or generated by an algorithm. (Cal. Civ. Code § 1798.175.)

The personal information definition provides 12 different categories of data that could qualify as personal information. It further breaks down the 12th category (sensitive personal information) into nine sub-categories. Businesses must use and reference these 21 statutory personal and sensitive personal information categories in their privacy policy’s personal information collection disclosure (Cal. Civ. Code § 1798.130(c)). The 21 categories are:

  • Identifiers, such as internet protocol (IP) addresses that identify or relate to a particular consumer or household.
  • The personal information categories described in the California Customer Records Act (Cal. Civ. Code § 1798.80(e)).
  • Characteristics of protected classifications under California or federal law.
  • Commercial information.
  • Biometric information.
  • Internet or other similar network, browsing, or search activity.
  • Geolocation data.
  • Audio, electronic, visual, thermal, olfactory, or similar information.
  • Professional or employment-related information.
  • Non-publicly available educational information under the Family Educational Rights and Privacy Act (FERPA) and related regulations (20 U.S.C. § 1232g; 34 C.F.R. §§ 99.1 to 99.67).
  • Inferences drawn from other personal information to create consumer profiles.
  • Sensitive personal information, which includes nine sub-categories for:
    • government identifiers (such as a consumer’s Social Security, driver’s license, state identification card, or passport number);
    • complete account access credentials (such as usernames, account numbers, or card numbers combined with any required access or security code or password);
    • precise geolocation;
    • racial or ethnic origin, religious or philosophical beliefs, or union membership;
    • genetic data;
    • the contents of mail, email, or text messages;
    • unique identifying biometric information;
    • health information; and
    • sex life or sexual orientation information. (Cal. Civ. Code § 1798.140(v)(1), (ae).)

Businesses should be aware that the CCPA lists sensitive personal information as a specific and separate personal information category (Cal. Civ. Code § 1798.140(v)(1)(L)). This means that any disclosure asking for the categories of personal information must, by definition, include any sensitive personal information as one of those categories.

Sensitive Personal Information Exception

The CCPA includes an important but challenging exception to when personal information qualifies as sensitive. Information that would otherwise fall within one of the CCPA’s sensitive personal information subcategories can avoid that designation if the business collects or processes it without the purpose of inferring characteristics about a consumer. Businesses can treat information that qualifies for the exception as regular personal information for CCPA compliance purposes, including in their privacy policy’s information category disclosures. (Cal. Civ. Code § 1798.121(d).)

The consumer’s right to limit the use and disclosure of their sensitive personal information makes this classification particularly significant (see Permitted SPI Purposes and Consumer Rights below). However, the exception’s subjective nature may make providing clear and meaningful personal information category disclosures difficult, especially when a business collects data that directly falls into a sensitive personal information category, like a consumer’s racial origin or medical diagnosis. There are also open questions on whether a business could ever collect certain sensitive personal information, like precise geolocation or genetic data, without inferring characteristics about the consumer.

A business’s privacy policy should clearly explain if and why that business is not treating data that directly falls into one of the sensitive personal information categories (such as racial origin or a medical diagnosis) as sensitive. The business should also ensure that the information category descriptions provide the consumer with a meaningful understanding of what the business collects. This may require, for example, providing two different sensitive personal information category descriptions, separating out sensitive personal information that is:

  • Subject to the consumer’s right to limit.
  • Not subject to the consumer’s right to limit because the business does not collect or use it to infer a consumer’s characteristics.

The privacy policy should also avoid making blanket statements that do not clearly explain the business’s underlying assumptions or actions. For example, the CCPA directly lists Social Security numbers as a type of sensitive personal information (Cal. Civ. Code § 1798.140(ae)(1)(A)). If the business collects consumers’ Social Security numbers, the privacy policy should not make a blanket statement that the business does not collect sensitive personal information without clarifying why it does not consider that information sensitive or subject to the CCPA’s limitation right. The blanket statement could confuse consumers unless the business further explains that, while it collects Social Security numbers, it does not use them to infer any characteristics about the consumer.

Best Practices for Information Category Disclosures

When drafting the privacy policy’s personal information category disclosures, a business should:

  • Review its operations to ensure that the privacy policy disclosures accurately reflect the types of personal information it collects.
  • Recognize that the CCPA’s broader personal information and collection definitions may require a review of business processes that involve:
    • obtaining personal information from third parties; or
    • generating personal information by creating profiles.
  • Match the personal information collected over the past 12 months to the closest CCPA personal or sensitive personal information category.
  • Carefully consider how to classify and disclose information falling within a sensitive personal information category that the business does not collect or use to infer a consumer’s characteristics.

A business can also leverage different visual presentation methods to provide consumers with a meaningful understanding of what personal information categories it collects (Cal. Code Regs. tit. 11, § 7011(e)(1)(A)). For example, to improve reader comprehension, a business could:

  • Present this information in a table.
  • Develop alternate infographic formats or icons.
  • Use interactive forms that pop up more information and specific examples for each category when the reader hovers over the category name.

Personal Information Sources

A CCPA-compliant notice must specifically describe the categories of sources from which the business collects personal information (Cal. Civ. Code § 1798.110(c)(2); Cal. Code Regs. tit. 11, §§ 7001(e) and 7011(e)(1)(B)).

A business collects personal information under the CCPA when it uses any means to obtain it, including buying, renting, gathering, or otherwise accessing it (Cal. Civ. Code § 1798.140(f)). Common means to collect personal information include:

  • Actively from the consumer.
  • Passively from clickstream data that website cookies gather.
  • By observing the consumer’s behavior.
  • By purchasing information from data brokers.

While the CCPA does not establish specific source category types, businesses should remain mindful of the CCPA’s broad collection definition when developing their category list. The source category descriptions should be sufficiently detailed to provide consumers with a meaningful understanding of the person or entity type that provided the personal information (Cal. Code Regs. tit. 11, § 7001(e)). Generic, overly broad, or vague category descriptions may receive greater scrutiny.

Source category descriptions for the types of people and entities that provide personal information to a business may include:

  • Customers, through direct interactions and forms.
  • Internet websites, through passive collection of information about a customer’s interactions, including page clicks, time spent, or other automatically collected metadata.
  • Internet cookies.
  • Advertising networks.
  • Internet service providers.
  • Data analytics providers.
  • Operating systems and platforms.
  • Observations from monitoring behavior, such as store video camera or surveillance systems.
  • Search terms.
  • Automated license plate readers.
  • Data brokers or resellers.
  • Social media services, like Facebook.
  • Government databases.
  • Service providers.

When drafting the privacy policy, the business should:

  • Describe the business’s sources with sufficient detail to provide clear and meaningful disclosures about where acquired personal information originated.
  • Avoid generic or overly broad language.
  • Carefully review its personal information data flows to provide clear and accurate disclosures.

Business or Commercial Purposes

The CCPA privacy policy must identify the business or commercial purposes for collecting, selling, sharing, or disclosing personal information (Cal. Civ. Code §§ 1798.100(a)(1)-(2) and 1798.110(c)(3); Cal. Code Regs. tit. 11, § 7011(e)(1)(C), (F), (J)). A business should therefore ensure that its privacy policy comprehensively describes all current and reasonably anticipated use cases in a manner that provides consumers with a meaningful understanding of the expected uses to meet the CCPA’s disclosure requirements (Cal. Code Regs. tit. 11, § 7011(e)). However, the CCPA also imposes purpose limitation and data minimization requirements, which mean that the business must:

  • Limit its collection, use, retention, and sharing of a consumer’s personal information to actions reasonably necessary and proportionate to achieve:
    • the purposes for which the personal information was collected or processed; or
    • another disclosed purpose that is compatible with the context of the personal information collection.
  • Not further process the information in a manner incompatible with those purposes. (Cal. Civ. Code § 1798.100(c).)

This essentially restricts the permitted business or commercial purposes to those which are reasonable given the personal information collection’s circumstances and compatible with the original collection’s context (Cal. Code Regs. tit. 11, § 7002). Consequently, the business should also ensure that any disclosed purposes are consistent with and do not exceed what a consumer would reasonably expect based on how their personal information was first obtained.

The CCPA Regulations do not directly tie the purpose disclosures to the last 12 months as they do for personal information collections (see Personal Information Categories above). However, as a best practice, drafters should ensure that the privacy policy, at a minimum, describes all the purposes for which the business actually used, sold, shared, or disclosed the personal information it collected during the last 12 months.

Publishing clear, complete, and specific use purpose descriptions also benefits the business by providing transparency and lowering potential enforcement or compliance risks.

Consumer Rights

The CCPA establishes several new consumer rights regarding personal information, including:

  • The individual right to know whether the business collected, sold, shared, or disclosed for a business purpose the consumer’s personal information, with specific details (right to know).
  • The right to receive the specific pieces of personal information that the business collected (data portability right).
  • The right to delete personal information.
  • The right to correct inaccurate personal information.
  • The right to opt out of the sale of their personal information or the sharing of their personal information for cross-context behavioral advertising purposes (see Personal Information Sales and Sharing below).
  • The right to limit the use and disclosure of sensitive personal information to specifically permitted purposes (see Permitted SPI Purposes below).
  • Freedom from discrimination. (Cal. Civ. Code §§ 1798.105 to 1798.125.)

A CCPA-compliant privacy policy must describe these personal information rights to consumers (Cal. Civ. Code § 1798.130(a)(5)(A); Cal. Code Regs. tit. 11, § 7011(e)(2)). However, a business that does not sell or share personal information may omit the opt-out right description, and a business that does not use sensitive personal information beyond the Permitted SPI Purposes may omit the limitation right description (Cal. Code Regs. tit. 11, § 7011(e)(2)(C)-(D)). (For more on consumer rights regarding personal information, see Responding to Consumer Rights Requests (CCPA and CPRA) on Practical Law.)

Third Party Categories

A CCPA-compliant privacy policy must list the categories of third parties to whom the business discloses personal information, including by selling or sharing it (Cal. Civ. Code §§ 1798.110(c)(4) and 1798.130(a)(5)(B)(iv)). The CCPA Regulations clarify that the business should disclose these categories in its required policy statements on personal information sales or sharing and in its business purpose disclosures (Cal. Code Regs. tit. 11, §§ 7001(f) and 7011(e)(1)(E), (I); see Personal Information Disclosures for a Business Purpose and Personal Information Sales and Sharing below).

The CCPA does not establish specific categories describing the different types of third parties. However, the CCPA Regulations define “categories of third parties” as meaningful descriptions of the third parties with whom a business shares personal information (Cal. Code Regs. tit. 11, § 7001(f)). Examples of categories of third parties include:

  • Data brokers or aggregators.
  • Data analytics providers.
  • Advertisers and advertising networks.
  • Social media companies.
  • Internet cookie information recipients, like Google.
  • Affiliates.
  • Partners.
  • Parent or subsidiary organizations.
  • Government entities.

When developing their third party category list, businesses should keep in mind the CCPA’s purpose of providing reasonable and accessible disclosures. As with personal information source categories, generic, overly broad, or vague third party category descriptions may receive greater scrutiny.

When drafting the privacy policy, the business should:

  • Select descriptive category names that provide clear and meaningful disclosures about the different types of third parties that purchase, receive, view, obtain, or access personal information from the business.
  • Avoid generic or overly broad language.
  • Carefully review its personal information data flows to provide clear and accurate disclosures.

Personal Information Disclosures for a Business Purpose

The CCPA requires a business’s privacy policy to contain a statement about personal information disclosures made for a business purpose during the preceding 12 months that either:

  • Lists the categories of personal information disclosed for a business purpose, using the CCPA’s personal information categories that most closely describe the personal information (see Personal Information Categories above).
  • States that no such disclosures occurred. (Cal. Civ. Code §§ 1798.115(c)(2) and 1798.130(a)(5)(C)(ii).)

The CCPA Regulations:

  • Narrow this disclosure requirement to only cover personal information categories disclosed for a business purpose to third parties in the preceding 12 months.
  • Add the requirements that a business must:
    • list, for each personal information category identified, the categories of third parties to whom the information was disclosed (see Third Party Categories above); and
    • identify the specific business purposes for disclosing the consumer’s personal information, in a manner that provides consumers with a meaningful understanding of why the information is disclosed (see Business or Commercial Purposes above; Cal. Code Regs. tit. 11, § 7011(e)(1)(H)-(J).)

This creates a potential gap around personal information disclosed to service providers or contractors: those disclosures are almost always made for a business purpose, but service providers and contractors by definition are not third parties (Cal. Civ. Code § 1798.140(ai)). As a best practice, businesses should consider providing similar disclosures for personal information categories disclosed to service providers and contractors.

Personal Information Sales and Sharing

Under the CCPA, the privacy policy for a business that sells or shares personal information must:

  • State whether or not the business sells or shares personal information, including sensitive personal information.
  • List the categories of personal information it sold or shared during the preceding 12 months, if applicable:
    • using the CCPA’s personal information and sensitive personal information categories that most closely describe the personal information (see Personal Information Categories above); and
    • providing, for each personal information category identified, the categories of third parties to whom it sold or shared the personal information (see Third Party Categories above).
  • Identify the specific business or commercial purposes for selling or sharing a consumer’s personal information in a manner that provides consumers with a meaningful understanding of why the business sold or shared the information (see Business or Commercial Purposes above).
  • State whether the business has actual knowledge that it sells or shares the personal information of consumers under age 16.
  • Inform consumers about their personal information sales or sharing opt-out rights (see Consumer Rights above).
  • Provide the business’s opt-out right notice content or a link to its location. (Cal. Civ. Code §§ 1798.115(c)(1), 1798.120(b), 1798.130(a)(5)(C)(i), and 1798.135; Cal. Code Regs. tit. 11, § 7011(c)(1)(D)-(G).)

The CCPA permits the Agency to create a user-directed, opt-out preference signal standard that businesses can use as an alternative to the opt-out right notice links (Cal. Civ. Code § 1798.135(b); Cal. Code Regs. tit. 11, § 7025). A business that processes opt-out preference signals in a frictionless manner may replace the privacy policy’s opt-out notice links with a qualifying statement about that process (Cal. Civ. Code § 1798.135(c)(2); Cal. Code Regs. tit. 11, § 7025(g)(2)). (For more on the Agency’s development of implementing regulations for the CPRA, see CPRA Regulation Tracker on Practical Law; for more on frictionless opt-out preference signal processing, see Drafting Privacy Policies and Notices (CCPA and CPRA) on Practical Law.)

Notably, the CCPA also restricts third-party sale recipients from reselling or sharing the personal information unless the consumer receives explicit notice of the potential resale or sharing and an opportunity to opt out (Cal. Civ. Code § 1798.115(d)).

Permitted SPI Purposes

The CCPA grants consumers the right to limit the use or disclosure of their sensitive personal information to specific Permitted SPI Purposes (Cal. Civ. Code §§ 1798.121(a) and 1798.140(e)(2), (4), (5), (8); Cal. Code Regs. tit. 11, § 7027(m)). (For more on what the Permitted SPI Purposes include, see Understanding the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) on Practical Law.)

To help consumers exercise this right, a business’s privacy policy must state whether it uses or discloses sensitive personal information beyond the Permitted SPI Purposes (Cal. Civ. Code §§ 1798.121(a) and 1798.135(a); Cal. Code Regs. tit. 11, § 7011(e)(1)(K)). If the business does, then its privacy policy must also:

  • Disclose that consumers have the right to limit the use or disclosure of their sensitive personal information to just the Permitted SPI Purposes.
  • Tell consumers how to exercise their right to limit sensitive personal information use and disclosure.
  • Provide either:
    • the business’s sensitive personal information right to limit notice content or a link to its location; or
    • once the Agency establishes an opt-out preference signal standard for sensitive personal information limitation requests, a statement that the business honors those signals. (Cal. Civ. Code §§ 1798.121(a) and 1798.135(c)(2); Cal. Code Regs. tit. 11, § 7011(e)(2)(E), (3)(D), (F)-(G).)

Consumer Request Process

A CCPA-compliant privacy policy must also inform consumers how to exercise their personal information rights and what to expect from the process. It must include:

  • An explanation of the methods by which the consumer can exercise their CCPA rights.
  • Instructions for submitting CCPA rights requests, including any links to an online request form or portal, if the business offers one.
  • The contents of (or a link to) its:
    • opt-out right notice, if the business sells or shares personal information and is required to provide one; and
    • right to limit notice, if the business uses or discloses sensitive personal information beyond the Permitted SPI Purposes and is required to provide one.
  • A general description of the business’s process for verifying consumer requests to know, delete, or correct (when applicable), including any information the consumer must provide with the request.
  • An explanation of how the business will process an opt-out preference signal and how the consumer can use an opt-out preference signal, including whether and in what circumstances the signal applies to the device, browser, consumer account, and offline sales.
  • Information on how consumers can implement opt-out preference signals for the business to process in a frictionless manner, if the business offers this option.
  • Instructions on how an authorized agent can make CCPA-related requests on the consumer’s behalf.
  • A description of the business’s processes to allow consumers under 16 years of age to opt in to personal information sales, if the business has actual knowledge that it sells or shares those minors’ personal information.
  • Contact information consumers can use to submit questions or concerns about the business’s information practices, using a method that reflects how the business primarily interacts with consumers (see Contact Information below). (Cal. Code Regs. tit. 11, § 7011(e)(3).)

The CCPA Regulations clarify that the privacy policy disclosure requirements related to consumers under 16 years of age apply even if the business only targets consumers under 13 years of age or only targets consumers between 13 and 15 years of age (Cal. Code Regs. tit. 11, §§ 7070, 7071, and 7072(a)).

(For more on the CCPA’s consumer rights submission and response requirements, see Responding to Consumer Rights Requests (CCPA and CPRA) on Practical Law.)

Consumer Rights Request Metrics

The CCPA Regulations require that the privacy policy for large businesses disclose specific metrics on the receipt of and response to verified consumer rights requests (Cal. Code Regs. tit. 11, § 7011(e)(5)). A large business is one that knows or should know that it alone or jointly buys, receives, sells, shares, or otherwise makes available personal information from more than ten million consumers for commercial purposes in a calendar year (Cal. Code Regs. tit. 11, § 7102(a)).

Deidentified Patient Information

On September 25, 2020, California passed Assembly Bill No. 713 (AB 713), which added a deidentified patient information disclosure requirement to Cal. Civ. Code § 1798.130. However, this new disclosure requirement does not appear in the CPRA because it was added after the ballot initiative’s text was finalized.

The CPRA provides that its provisions prevail over any conflicting legislation enacted after January 1, 2020 (Cal. Prop. 24 § 25(d) (2020)). Arguably, AB 713 does not conflict with the CPRA because AB 713’s disclosure requirement is consistent with and furthers the CCPA’s purposes. However, the corresponding CPRA section approved by the voters did not contain AB 713’s new language, and the legislature has not reenacted the provision. As a result, the CPRA appears to have overwritten the disclosure requirement of AB 713.

Nevertheless, a business that sells or discloses deidentified patient information exempt from the CCPA should consider including AB 713’s required statement in its privacy policy as a best practice and disclose whether it:

  • Sells or discloses deidentified patient information.
  • Used one or more of HIPAA’s deidentification methodologies, specifically:
    • the HIPAA expert determination method (45 C.F.R. § 164.514(b)(1)); or
    • the HIPAA safe harbor method (45 C.F.R. § 164.514(b)(2); see Cal. Civ. Code § 1798.130(a)(5)(D) (Sept. 25, 2020 to Dec. 31, 2022)).

Retention Period

The CCPA requires that a business disclose, at or before the point of collection, the length of time it intends to retain each category of personal information and sensitive personal information (Cal. Civ. Code § 1798.100(a)(3)). If providing the exact retention period is not possible, the business may instead describe the criteria it will use to determine how long it plans to retain that category of personal information or sensitive personal information. When setting the retention period, the business should remember that the CCPA prohibits it from retaining a consumer’s personal information for longer than is reasonably necessary to achieve the disclosed collection and use purposes. (Cal. Civ. Code § 1798.100(a)(3).)

While the CCPA Regulations’ privacy policy elements do not directly include disclosing the expected retention period, the privacy policy’s stated purpose is to provide consumers with a comprehensive description of the business’s online and offline information practices (Cal. Code Regs. tit. 11, § 7011(a), (e)). By definition, a business’s information practices include its practices regarding the retention of personal information (Cal. Code Regs. tit. 11, § 7001(o)). Consequently, businesses should consider including this information in their privacy policy as a best practice.

Contact Information

A business’s privacy policy must tell consumers whom to contact if they have questions or concerns about its privacy policies and practices (Cal. Code Regs. tit. 11, § 7011(e)(3)(J)). Privacy policies often list the business’s chief privacy officer or data protection officer as the primary contact point.

However, the CCPA Regulations also require the business to use a contact method that reflects how it primarily interacts with consumers (Cal. Code Regs. tit. 11, § 7011(e)(3)(J)). Businesses should consider if or how they may integrate privacy questions or complaints into their regular customer service process.

Presentation Requirements

The CCPA and CCPA Regulations do not establish a required form or format for compliant privacy policies. Rather, they allow each business to adopt a policy format that best fits the business’s activities. However, they do direct businesses to:

  • Adopt a form that is easy to read and understandable to an average consumer.
  • Use plain, straightforward language and avoid technical or legal jargon.
  • Use a format that makes the policy readable on smaller screens, if applicable.
  • Translate the policy, if applicable, so it appears in the language the business ordinarily uses to provide sales announcements, contracts, disclaimers, or other information to consumers.
  • Ensure that consumers with disabilities can access the policy by, for example:
    • following generally recognized industry standards, such as the Web Content Accessibility Guidelines published by the World Wide Web Consortium for online notices (W3C: Web Content Accessibility Guidelines (WCAG) Overview); and
    • describing how a consumer with a disability may access the policy in an alternative format.
  • Provide a format that allows consumers to print it out as a single document. (Cal. Civ. Code § 1798.130(a); Cal. Code Regs. tit. 11, §§ 7003(a)-(b) and 7011(b)-(c).)

A business must make its privacy policy available:

  • Online through a conspicuous link using the word “privacy” on the business’s website homepage, unless it does not operate a website.
  • On a mobile app’s download or landing page and in the app’s settings menu.
  • In any California-specific description of consumers’ privacy rights.
  • Conspicuously to consumers when the business does not operate a website. (Cal. Civ. Code § 1798.130(a)(5); Cal. Code Regs. tit. 11, § 7011(d).)

Conspicuous website links must appear in a manner similar to the other links the business posts on its homepage, for example, using the same font size and color as the links that appear next to them (Cal. Code Regs. tit. 11, § 7003(c)).

(For more on privacy notice formats and drafting considerations, see Drafting Privacy Notices on Practical Law.)

Annual Review

Businesses should conduct annual reviews of their privacy policy disclosures to ensure that they remain accurate. They must update the following elements at least once every 12 months:

  • The descriptions of and submission methods for the consumers’ right to know, right to delete, right to correct, and right of no retaliation.
  • The collected personal information category list.
  • The personal information sources list.
  • The business or commercial purposes for collecting, selling, or sharing consumers’ personal information.
  • The third-party disclosure category list.
  • The separate lists of personal information categories either:
    • disclosed for a business purpose; or
    • sold or shared during the preceding 12 months (or statements that no such activities occurred). (Cal. Civ. Code § 1798.130(a)(5).)

Beth Magnuson, CIPP/US, CIPP/E, joined Practical Law from Oracle Corp., where she was managing counsel responsible for privacy and security matters. Previously she was special counsel at Faegre & Benson LLP, general counsel of Pumpkin Masters, and an intellectual property associate at Finnegan, Henderson, Farabow, Garrett & Dunner, LLP and at Welsh & Katz (now Husch Blackwell LLP).