California Privacy Policy Template

Do you do business in the state of California? If so, you need to keep up with the state's ever-evolving privacy laws.

The Golden State is a national leader in privacy legislation. Not only is it one of the earliest states to enact regulations designed to put the power of data back in the public's hands, but it's one of the few bodies to put teeth in the laws.

If you have customers in California, then you need a Privacy Policy at a minimum, as required by CalOPPA. If you are a large business or you earn a lot of your money by selling personal data or your business target kids, then you also need special provisions in your Privacy Policy, thanks to COPPA and the CCPA (CPRA).

What is the difference between CalOPPA, the CCPA (CPRA), and COPPA? And what does each require of your Privacy Policy? Keep reading to learn more.

CalOPPA, COPPA and the CCPA (CPRA): What's the Difference?

At present, there are three main digital privacy laws in California that you need to know about.

All of the laws impact businesses with a digital footprint in California, regardless of whether or not you have an office in the state. If you count Californians among your customers or data subjects, then you need to keep up-to-date with these laws.

CalOPPA (the California Online Privacy Protection Act) went into effect in 2004, but it received a substantial update in 2013 that initiated the need for a new Privacy Policy. CalOPPA requires you to:

• Publish a Privacy Policy in an obvious place and label it as such
• Adhere to your published Privacy Policy
• Include a "DNT" or Do Not Track clause in your Privacy Policy

COPPA (the Children's Online Privacy Protection Act) isn't California law. It's a federal law from 1998 that applies in all 50 states, including California. It protects children under 13 by requiring companies that knowingly collect and use data from children to:

• Publish special Privacy Policies that are "clear and comprehensive"
• Ask for parental consent before collecting information
• Ensure any children's information is secure

The CCPA (California Consumer Privacy Act) went into effect on January 1, 2020, and was amended and expanded by the CPRA. The law is similar to the EU's General Data Protection Regulation (GDPR). It's different from the other two in its provisions.

The goal of the law is to further establish transparency and accountability among businesses (with a focus on big tech). As a result, it:

• Creates new rights for California residents regarding their data
• Extends the fines in relation to children's information
• Provides more transparency among profiling and automated decision-making

Like the GDPR, it aims to give people back the ownership of their data by allowing them to opt-out of sales or sharing. It also offers more control over what data companies collect. Finally, it has extra provisions for security practices to better protect people.

What does this mean for your new and fully compliant Privacy Policy? Here's what you need to know and do.

Special Clauses Needed for a CalOPPA Privacy Policy

CalOPPA is the original California Privacy Policy law and it has special provisions that you must meet if you cater to California residents.

The biggest of these is the Do Not Track (DNT) requirement that came about in 2013.

The origin of the DNT feature lies in a US Federal Trade Commission report from 2010, which asks internet browsers to add a DNT feature. The feature allows users to opt-out of the monitoring of their online behaviors by websites through the use of cookies and beacons.

All the major web browser creators added the feature, even though it was voluntary. However, those same companies didn't advertise the DNT feature, and in 2012, Microsoft made "on" the default setting for its DNT feature, which protected the privacy of its users. Mozilla's Firefox browser, however, keeps the DNT feature off by default.

California can't make browsers or other tech companies switch their DNT setting to 'on' by default. However, CalOPPA does require you to be honest about how you treat DNT requests in your Privacy Policy

You're required to do two things:

1. Disclose how you respond to a browser's DNT signals, and
2. Disclose whether other parties collect information via your site and across other websites when visitors use your site

What does this clause look like?

Here's an example of a DNT clause in Target's Privacy Policy:

Target's DNT clause informs visitors of the feature and says that Target doesn't respond to the signals (i.e., they track you anyway). However, you can opt-out of it's advertising.

Twitter takes an entirely different approach. It acknowledges its DNT position under the Cookies section of its Privacy Policy:

Like Target, Twitter doesn't support DNT browser options.

Netflix follows suit and also places it under the Cookies section of its Privacy Policy. Again, it doesn't respond to DNT signals from browsers:

Finally, T-Mobile makes its position clear by adding a distinct Do Not Track Statement to its Privacy Policy:

Like the others, it does not follow DNT signals. However, its statement is the most transparent and direct.

One example of a site that does follow DNT signals is Healthcare.gov, which is a site run by the U.S. Centers for Medicare and Medicaid Services and manages the Affordable Care Act.

Remember that CalOPPA doesn't require you to respect DNT settings. It only requires you to tell users whether you do or do not interpret them. You should also, for transparency's sake, describe what other choices users have when protecting their privacy, as several of these examples do.

You'll often see some of these choices and rights under a section or clause titled "Your California Privacy Rights."

This section, page or clause must state that:

• California consumers have rights when it comes to third party sharing
• California residents can contact the business to ask questions about direct marketing

It also must include a way for users to contact the business to ask questions about their data and privacy.

Whole Foods includes this clause and provides both email addresses and postal addresses for users to contact the business:

Upwork, on the other hand, describes the law, cites the statute and tells people how they can contact the company:

While the contact information isn't included in this clause, it is included in a 'Contacting Us' clause just two clauses down. That's fine, as long as the contact information is somewhere in the Privacy Policy.

Special Clauses Needed for a COPPA Privacy Policy

The focus of COPPA is on protecting children who are below the age of 13 and on empowering parents to understand how sites collect and use their child's data.

The way you write COPPA into your Privacy Policy depends on what kind of website or app you run.

If you run a general website and you don't directly market to children or operate in a way that the FTC deems as 'attractive to children,' then all you need is a clause that says you acknowledge COPPA and you comply with it.

The most helpful way to do this is to give it a distinct clause, name the legislation, and state that you have a general audience and don't knowingly collect data from children under 13.

For example, Walmart added a clause that ticks all of the above and provides a function for contacting the company if you discover it's collecting your child's data:

Because Walmart is a general audience website, this serves as a fine COPPA notification, so long as it uses other features that prevent it from purposely collecting the data of young children.

However, if you run a site or app whose audience is very likely to be children (e.g., you run kids games, advertise with cartoon characters, etc.), then you need a much more stringent disclosure.

DisneyNow.com does this well by first segmenting its audience between Disney programs for all ages and Disney Junior for younger kids.

Doing so allows the site to automatically switch on the correct data functions and not collect any data from any users that click the 'for younger kids' option.

From here, the company provides a Children's Online Privacy Policy in addition to its general Privacy Policy.

This special Children's Privacy Policy includes standard terms, but it also includes a more detailed Children's Privacy clause that shares information about how Disney protects young children through age-gating systems, notifying parents, limiting collection generally, and providing parents with the ability to request access to personal information.

Because Disney attracts kids, its dedicated Privacy Policy for Children specifically mentions COPPA:

It includes three clauses that are all required for businesses that fall under the scope of COPPA:

• What information you collect
• Whether your share children's information
• How parents can exercise choice and control

The part that differs from a traditional Privacy Policy is the choice and control part. Remember that the essence of COPPA is to protect children by empowering their parents with information about how their data is used.

In this clause, Disney acknowledges that parents can choose to stop the collection of their children's data and request the right to delete it. It also provides the steps available to parents to make these requests, including how to do it through their account or how to ask Disney to do so on their behalf.

What You Need for a CCPA (CPRA) Privacy Policy

The CCPA (CPRA) takes notes from the GDPR, which requires a more granular approach to the Privacy Policy.

For example, you need to not only say you collect data, but you now need to identify the categories of data you collected and processed over the past 12 months.

What do you need to add to your Privacy Policy?

There are a few new provisions:

• An explanation of the new consumer rights provided by the CCPA (CPRA) (including the right not to be discriminated against)
• An explanation of how consumers can exercise their rights
• An explanation of information sold in the past 12 months
• An explanation of the rights of children aged 13-16
• A Do Not Sell My Personal Information clause (to explain the required standalone web page)

You have two options when adding these to your policy. First, you can create a separate Privacy Policy for California residents. Second, you can create a CCPA/CPRA-compliant Privacy Policy and add an extended Rights for California Residents clause that explains all available rights.

PetSuites of America takes the first approach and adds a more extensive Privacy Policy as an addendum to its general policy.

After describing the data it collects in granular detail, it details any disclosures and sales in the previous 12 months:

Then, it jumps into a full explanation of all available rights:

The rights covered include:

• Right to access and data portability
• Deletion request rights
• Personal information sales and opt-out information
• How to exert these rights

Finally, the document explains that PetSuites of America won't discriminate against residents who exercise their rights:

These clauses can get rather long and detailed as you take time to briefly explain the rights, what they entail and how they can be asserted by the user.

Common Privacy Policy Provisions Needed Under CalOPPA, COPPA, and the CCPA (CPRA)

All of the major California privacy laws require some of the same clauses. These include:

• The categories of data you collect
• How you use that data
• How you secure the data
• How users can contact you with privacy questions
• Whether you use Google Analytics or Amazon Affiliates (or other similar services)

These are generally required across all Privacy Policies, but some require a California twist like completeness and regular updates.

You can conduct a privacy law self-audit to put together the information you need to create these clauses and inform your users of your practices.

Data Categories

A basic Privacy Policy always explained what kinds of data you collected. However, thanks to the CCPA (CPRA), you need to be more granular than ever.

The Gap's Privacy Policy provides a good example of the evolution of this clause.

At the top, Gap says it collects information like contact details and payment information. The team then added a drop down menu that provides clear examples of what it collects:

How You Use Data

You also need to provide information on how you use the data you collect.

Like the GDPR, new California legislation focuses on data minimization. If you don't have a use for the data, then you shouldn't have it. However, you don't need to provide a legal basis to comply with California law as you do with European law.

Peet's Coffee, a California-based chain, provides an example of all the ways it uses data to justify its data collection practices:

Data Security Practices

Sharing your data security practices is always a good idea, but because the CCPA (CPRA) mentions security breaches for the first time, it's a good clause to start to include if you haven't already.

You don't have to give the game away. However, it's helpful to make two points:

1. Inform customers that you take appropriate steps to protect their data, and
2. Tell customers how to help keep their own data safe

Converse does both of these in its security clause:

Nike also keeps it short and sweet. It only says that the company uses encryption:

Contact Details

You should have a way for customers to reach you if they have concerns about their privacy or questions about your privacy practices. This applies to both California residents and to customers in general regardless of where they're located. Including contact details allows them to ask questions, but it also gives them a place to go if they suspect a data breach has ocurred.

Consider putting the contact clause at the beginning or end of your policy so it's easy to find and doesn't get lost in a wall of text.

Starbucks adds a 'Contact Us' clause to the end of its Privacy Policy and gives four different options for contacting the privacy team, including a convenient online form:

Use of Google Analytics and Amazon Affiliates

If you use programs like Google Analytics or Amazon Affiliates, then you may need to add clauses that state your participation. Why? Because Google Analytics and others stipulate it as part of the Terms and Conditions of using such services.

All you need to do is say that you use the service/s, and in some cases, link to the program's own Privacy Policy.

Dutch Bros Coffee uses Google Analytics on its site and explicitly says so in its Privacy Policy:

Make sure you keep up-to-date with these programs and any changes to their T&Cs that require you to disclose specific information.

Are You Ready to Meet California Privacy Requirements?

California is a key leader in U.S. privacy laws. Each new law attempts to put control of your data back in your hands by forcing businesses to be honest about how they use it. The latest law, the CCPA (CPRA), gives California residents new rights designed to allow them to protect their data. It also makes it easier for Californians to seek legal remedies when businesses fail to protect their data.

If you have users or customers who reside in California, you'll need to become familiar with these privacy laws, regardless of where your business itself is located.

Remember that the completeness of your Privacy Policy no longer depends solely on the clauses you include. California privacy laws require you to:

• Post the document somewhere customers will find it very easily (such as in the footer of your site) (CalOPPA)
• Write the policy in language that's easy to understand (think 8th to 10th grade reading level) (CalOPPA)
• Add "Privacy" into the name of the document and on the link to the document (CalOPPA)
• Update your Privacy Policy once every 12 months (CCPA/CPRA)
• Get suitable parental consent before collecting data from children in California (COPPA)