CCPA privacy policy: requirements and checklist

Customer privacy is now an almost universal expectation. That's particularly true in the State of California, where the California Consumer Privacy Act (CCPA) protects residents' privacy rights and penalizes companies that expose customer data.

Privacy policies are a core component of the CCPA. A good policy defines data practices, sets out how consumers consent to sharing, and enables customers to exercise their rights. This article explains how CCPA privacy policies work, walks through their essential sections, and then offers compliance tips.

Key takeaways

  • CCPA applies to for-profit businesses meeting thresholds for revenue, data handling amounts, or earnings from selling personal data. Non-profits and some classes of regulated data (e.g., HIPAA, GLBA) are exempt.
  • CCPA privacy policies explain consumer rights of access, deletion, and opting-out. Policies must also detail data collection, use, and sharing practices over the past year. They must include links to opt out of data sharing and channels to exercise CCPA rights.
  • Privacy policies must be prominently displayed on company websites and provided via multiple channels (such as apps or social media). The policy should be clear and available in all relevant languages.
  • Annual policy updates are essential. Audits identify changes in how you collect, store, use, and share personal information. Annual updates also assess regulatory changes to ensure ongoing compliance.

Who needs a CCPA-compliant privacy policy?

The California Consumer Privacy Act (CCPA) safeguards the privacy of California residents. Drafting a comprehensive CCPA-compliant privacy policy is critical to achieve compliance. However, not everyone needs a CCPA privacy policy.

The act applies mainly to for-profit companies, although not all businesses active in California must comply. CCPA covers for-profit organizations that:

  • Earn annual gross revenues over $25 million.
  • Buy, sell, or share the personal data of more than 100,000 California residents, devices, or households annually.
  • Derive over 50% of their annual revenue from selling the personal information of California residents.

Nonprofits and government agencies are exempt from compliance. Some categories of personal information are also exempt where regulations overlap.

For example, healthcare companies do not need a CCPA privacy policy regarding personal health data. This personal information is already protected by HIPAA. The same applies to financial data, which is guarded by GLBA regulations.

Some types of personal information are not covered by the CCPA. Credit reports, driver data, and publicly available government records do not fall under the CCPA umbrella.

However, there is an important caveat: organizations that share or sell data to covered entities, or that share control of data with covered entities, need a CCPA privacy policy. For instance, charities with business partnerships may need a privacy policy.

Organizations that meet the above criteria need a robust CCPA privacy policy. Privacy policies ensure transparency, build consumer trust, and mitigate compliance risks. They are also required under California law, and not having a compliant privacy policy counts as an intentional violation.

CCPA privacy policy requirements

The California Consumer Privacy Act defines how to draft a compliant privacy policy, making the task easier for covered entities.

Note that requirements go beyond the text itself. Storing and distributing privacy policies also matters. Let's run through critical CCPA privacy policy requirements to cover every essential:

Accessibility

Regulators want privacy policies to be available to consumers, not hidden from view. Companies must include a prominent link on the front page of their websites. This link must feature the keyword "privacy," although companies can choose a wording that suits their needs.

Companies must make privacy policies available via multiple channels where possible. Examples include websites, social media accounts, or smartphone and tablet apps. Websites should also follow Web Content Accessibility Guidelines (WCAG) to make privacy policies accessible to those with visual or cognitive impairments.

Explain how to exercise consumer rights

The CCPA sets out several core consumer privacy rights. Privacy policies inform customers about these rights and explain how to put them into effect.

A CCPA privacy policy should describe how to access, delete, or amend a consumer's personal information. Companies must provide at least two ways to exercise these rights unless they operate online only. In that case, the policy must include a contact email for consumer requests.

Additionally, customers must have the option to opt out of selling or sharing their personal information. Include a link with the text "Do Not Sell or Share My Personal Information." If you process sensitive information or information relating to minors, you also need a link to "Limit the Use of My Sensitive Personal Information."

CCPA also includes a right to non-discrimination. It is advisable to include a disclaimer informing customers that opting out of sharing personal information will not affect the service they receive.

How companies use personal information

A compliant CCPA privacy policy also informs customers what the business does with personal information. The privacy policy must communicate how the company stores, secures, and uses customer data. Policies must document:

  • The sources of personal information (how data is gathered)
  • Types of personal information collected over the past year
  • The business reason for collecting personal information

Extra clauses apply to businesses that sell and share personal information with third parties. The privacy policy must explain how the company has shared or sold data over the past year. Document who receives shared customer data, and why data sharing is necessary.

Note: This aspect of CCPA applies to tracking cookies on company websites. Providing third-party tracking data to marketing partners counts as "selling data" even if businesses receive no direct financial benefit.

Special rules apply to the personal information of minors. The policy must note any instances of sharing minors' data. Companies must also gain consent from parents or guardians to collect personal information from customers under 16. The policy should assure readers that they will only receive one consent request over a 12-month period.

Annual privacy policy updates

A CCPA privacy policy is a living document. A policy that complies now may not meet consumer privacy requirements in two or five years. That's why the CCPA requires companies to revisit and amend their privacy policy every 12 months.

Annual updates should assess whether the company has changed how it collects consumers' personal information. For example, you may have started collecting data about repeated purchases or social media contact details. The CCPA privacy policy must document changes to the categories of personal information you gather.

The same applies if you change the purpose of data collection. For example, a fitness app might shift from gathering pure fitness data to using that data in marketing strategies. This changed purpose should be featured in the updated privacy policy.

Note: Include the date when the new privacy policy is approved by company stakeholders. It also helps to schedule regular CCPA audit exercises to systematically analyze data practices and make necessary updates.

Clarity

Finally, the CCPA requires companies to draft privacy policies that California residents can easily understand. Use simple language where possible, and revisit the text regularly to ensure every section is as accessible as possible.

Formatting is also essential. Avoid large chunks of text when explaining how you safeguard sensitive personal information. Use headers and sub-headers to guide readers and break up the document into digestible sections.

Note: California residents speak many languages, and CCPA reflects this linguistic diversity. The privacy policy must be available in all significant customer languages. It often helps to enlist translators to avoid confusion or imprecise language.

CCPA privacy policy checklist

A robust CCPA privacy policy has many components. Use the checklist below to simplify the drafting process:

  • Make it easy to find the privacy policy. Create a prominent website link on the front page.
  • Include information about how consumers can access, edit, and remove their personal information. Explain how to make consumer requests and exercise CCPA rights.
  • Allow customers to opt out of sharing via a "Do Not Sell or Share My Personal Information" link.
  • Include a "Limit the Use of My Sensitive Personal Information" link if you process sensitive personal information.
  • Inform customers about the categories of personal information gathered in the past 12 months.
  • Document how you use personal information, and why this is necessary.
  • Explain the sources of personal information and your data collection methods.
  • Note how you have shared or sold personal information in the past year. Include details of who receives personal information, and why they do so.
  • Update the policy annually and include the date of the last update. Note any changes to the categories of personal information you collect or how you use data.
  • Proofread the privacy policy to ensure clarity. Use neutral third parties to check that the text is easy to read and communicates key points well.
  • Translate the CCPA privacy policy into languages spoken by California residents.

Tips for complying with CCPA privacy rules

The cost of a CCPA compliance failure can be severe. Fines of $7,500 per intentional violation and $2,500 for unintentional violations can become huge penalties when hundreds of thousands of customers are involved.

A watertight privacy policy is a critical component of CCPA compliance. Here are some best practices to guide your policy writing process and ensure you cover every area:

  • Understand your data landscape: Assess the categories of personal information you collect, how you do so, and the reasons for data gathering. Audit every source, including web forms, mobile apps, CRM systems, and third-party vendors. Check for hidden data flows via tracking cookies or pixels.
  • Make the privacy policy available to everyone: A CCPA privacy policy must be clearly and prominently displayed. Provide the policy at the point of data collection, alongside a cookie banner. Customers should immediately know what personal information you collect and how.
  • Refresh your privacy policy regularly: Annual updates are essential. Audit your privacy policy to reflect new data collection activities or categories of personal information. Check for regulatory developments, and ensure your policy accurately informs customers how to exercise their consumer rights.
  • Make it easy to exercise CCPA rights: The privacy policy should connect seamlessly with tools to access, delete, or amend personal information. Provide several accessible methods and audit requests to stay within the 45-day fulfillment period. Include clear links to opt out of data sharing and selling.
  • Verify user identities: There is another side to user requests: preventing unauthorized access or deletions. Implement identity verification systems to authenticate customers and protect personal information from malicious actors.
  • Simplify consent with third-party tools: CCPA privacy management is complex, but you can streamline the process with consent management platforms (CMPs). CMPs establish reliable consent mechanisms, log user requests, and help you segment user data to serve California residents.

California takes customer privacy extremely seriously. Companies operating in the Golden State need accurate, clearly worded, and accessible privacy policies to ensure CCPA compliance.

Compliance is achievable, though: companies get there by understanding how they use data, transparently communicating data practices to customers, and allowing customers to exercise their CCPA privacy rights.

Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consult a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.