CCPA (CPRA) Privacy Policy Template

California's California Consumer Privacy Act (CCPA) has some specific requirements for a Privacy Policy. And it was expanded by the CPRR to include even more requirements.

The good news is, if your Privacy Policy is already compliant with the GDPR and CalOPPA, there will be considerably less footwork involved to become CCPA/CPRA-compliant.

This article will look at what the CCPA (CPRA) requires for Privacy Policies and help you create your own compliant policy or update your existing one today.

Does the CCPA (CPRA) Apply to Your Business?

Unlike CalOPPA, the CCPA (CPRA) does not apply to all businesses that collect personal information from California residents. The CCPA (CPRA) is more specific and will affect any business that meets the following criteria:

• Operates for a profit
• Does business in California
• Collects consumer data

As well as at least one of these additional criteria:

• Makes more than $25 million in annual revenue
• Holds the personal information of 100,000 or more consumers, households, or devices
• Earns more than half of its income by sharing or selling the personal data of consumers

To clarify, a business must meet all of the first three numbered conditions and at least one from the second bulleted list to be considered a part of the CCPA/CPRA's jurisdiction. Here are a few more clarifications:

• "Doing business in California" includes businesses that are located or operated from the state of California, as well as companies who are subject to California taxes or make sales into the state of California.
• Personal data is defined by the CCPA (CPRA) as any information that does or potentially could be used to identify an individual or household, including 'anonymous' data such as IP address, geolocation, and website activity logs.
• When the CCPA (CPRA) refers to "selling" consumer information, this term also includes sharing personal information with third-parties for "valuable consideration." The term valuable consideration has not yet been defined, so it is unclear how this concept might be interpreted in business practices.

In short, the CCPA (CPRA) applies to many businesses in the United States, but not all. It is narrower in scope than many other privacy laws, but no less expansive in its requirements.

What Are the Differences Between the CCPA (CPRA), CalOPPA, and the GDPR?

If your Privacy Policy is already compliant with the GDPR and CalOPPA, then you have already complied with many CCPA (CPRA) stipulations. There are some key differences, however.

Here are some of the differences between the three laws that may directly affect your business:

• Personal information - The CCPA (CPRA) extends the definition of personal data to include anonymous website activity logs, even if they don't involve IP addresses. Neither the GDPR nor CalOPPA defines defines personal information so broadly. There is no special consideration under the CCPA (CPRA) for "special" or "sensitive" categories of data, however, as is the case with the GDPR.
• Children - The GDPR defines a child as an individual under the age of 16 while COPPA's rule is below the age of 13. The CCPA (CPRA) is more specific. For the CCPA (CPRA), an individual under the age of 16 must provide opt-in consent for their personal information to be sold. Children under the age of 13 must provide valid parental consent in order for their information to be sold.
• Legal basis - The CCPA (CPRA) does not require companies to establish a legal basis or obtain consent in order to collect personal data, as does the GDPR, except for when sharing the data of minors or offering financial incentives in exchange for personal information.
• Privacy Policies - When it comes to Privacy Policies, the CCPA (CPRA) requires less information to be disclosed than the GDPR, but the information that must be published is slightly different. Here are some Privacy Policy requirements that differ between regulations:
• The GDPR requires the business to publish contact details and many regulation specifics, such as the right to lodge a complaint. The details that the CCPA (CPRA) requires is far fewer.
• The CCPA (CPRA) requires businesses to disclose which categories of consumer data they have shared within the past 12 months, which is not required by GDPR or CalOPPA.
• CalOPPA states that businesses must post the date of the most recent Privacy Policy update, while the CCPA (CPRA) stipulates that privacy updates must be updated every 12 months.
• Both the GDPR and CCPA (CPRA) require that consumer rights be posted in the Privacy Policy, but the CCPA (CPRA) specifies that the business should also post instructions on how to opt out of third-party data sales, along with a link to do so.
• If no personal data is shared or sold by a business, this disclosure would also need to be included in the Privacy Policy, according to the CCPA (CPRA).
• Right to Erasure - The right to erasure under the CCPA (CPRA) is virtually universal. Where the GDPR allows for businesses to retain consumer data if they have a legal basis to do so, the CCPA (CPRA) allows for very few exceptions. Time constraints also differ slightly between the two regulations.
• Right to Object - The GDPR grants EU consumers the right to object to all data processing, but the CCPA (CPRA) only allows consumers to object to the sale of their personal data to third-parties. However, once a consumer has objected to third-party data sharing, the business must comply without exception, while the GDPR does allow for some exceptions.
• Right to Access - Both the GDPR and CCPA (CPRA) grant consumers the right to know what information has been collected about them. Under the CCPA (CPRA), the business only needs to inform the consumer about the information that has been collected, used, or shared within the past 12 months, however, while the GDPR requires that the business reproduce all consumer data.
• Right not to be subject to discrimination for the exercise of rights - The CCPA (CPRA) is the only regulation that specifies this provision. Under the CCPA (CPRA), businesses may not refuse goods or services to individuals who exercise their consumer rights.
• Other differences - The CCPA (CPRA) does not address some items that are included in the GDPR and CalOPPA, namely the right to rectification, automated processing, and Do Not Track (DNT) signals.

Punitive Implications

If an applicable business doesn't comply, the CCPA (CPRA) makes it possible for the business to be fined up to $7,500 per infraction.

To be clear, per infraction means per person. A business that mishandles the personal data of 1,000 consumers could be fined $7.5 million, just like that. There is no cap on this type of penalty.

Wait, there's more. The CCPA (CPRA) grants citizens the right to seek civil damages from businesses who violate their privacy rights.

In short, if your business falls under CCPA (CPRA) jurisdiction, compliance is a must if you want to avoid potentially enormous financial penalties.

A Privacy Policy that Complies with the CCPA (CPRA)

In order to ensure compliance with the CCPA (CPRA), you'll need to make sure your Privacy Policy follows the guidelines below.

Conduct a privacy law self-audit to make sure you're prepared.

1. Be Transparent

If your Privacy Policy is compliant with the GDPR, then you've already learned a thing or two about transparency. The CCPA (CPRA) also puts an emphasis on transparency, stipulating that businesses must be open about the personal information they collect, process, and share.

When it comes to the consumer data you collect and process, these are the details that the CCPA (CPRA) requires you to include in your Privacy Policy:

• The categories of personal information you have collected in the past 12 months
• The sources for each of those categories of personal information
• Your purposes for collecting each category of personal information
• How each category of personal data is shared and why
• If personal information was sold for monetary gain or valuable consideration, list those categories of data that were sold
• If your business does not sell consumer data, make sure to mention this as well
• You must update your Privacy Policy every 12 months and post the latest effective date within the Policy itself

If you make material changes to the policy, use a Privacy Policy Update Notice to let your users know about the important changes.

You can see how GitHub covers most of these points in its Privacy Policy summary section:

Since GutHub does not sell personal data for monetary gain, it includes this point as well:

Another important consideration is that consumers should be informed of the above data handling practices at the time of or before collecting personal information from them. This means that you must provide consumers with ample opportunity to read your Privacy Policy before or at the time of data collection.

One way to achieve this is to include a link to your Privacy Policy within a pop-up notice or banner, as SeaLights has done here:

Another option is to display the Privacy Policy link within any webform or platform where you collect consumer information. SeaLights covers both bases by including this Privacy Policy link and agreement within its contact forms:

2. List Consumer Rights

Under the CCPA (CPRA), California residents will be granted consumer rights that businesses must be prepared to uphold upon request. A list of these rights should also be disclosed in the Privacy Policy:

• The right to opt out of the processing, selling and sharing of the information
• The right to opt in (for minors)
• The right to data portability
• The right to non-discrimination
• Consumers can stop you disclosing their data to third parties even if you aren't paid for it.
• The right to know what information has been collected/is held
• The right to access the collected/stored information about them
• The right to correct any errors in this information
• The right to opt out of automated decision-making
• The right to limit the use of sensitive personal information
• The right request deletion of data both from the main company as well as any third parties who may have bought the information or had it shared with them

Techbuyer lists these rights in detail within its CCPA Privacy Notice, beginning with the right to access:

The remaining rights are listed below the first, each containing details pertaining to the types of information collected, shared, or processed.

3. Describe How to Exercise Consumer Rights

Beyond listing out consumer rights, the CCPA (CPRA) also requires that you post instructions on how consumers may exercise those rights. It will be necessary to post at least two different contact methods that consumers may use to make requests in regards to their rights.

Again, Techbuyer includes a good example of how this is done:

Notice how Techbuyer also explains that verifiable proof of identity will need to be provided in order to fulfill requests. The CCPA (CPRA) asks that businesses confirm a consumer's identity before fulfilling rights requests; it may not be a bad idea to mention this in the Privacy Policy as Techbuyer has done here.

In addition to the contact methods described above, you must provide a dedicated link for users to opt-out of consumer data sales. Of course, if your business does not sell consumer data for "monetary or other valuable consideration", than you can disregard this step.

For any business that does sell personal information, however, a prominent link must be placed within the Privacy Policy and labelled "Do Not Sell My Personal Information." This link should lead to a webform or portal where the user can opt-out of consumer data sales.

Here is an example of a Do Not Sell link within the Privacy Policy of MarketAxess:

The same link (with the same specific wording) should also be placed on your homepage or within your footer bar.

By following the steps above, your Privacy Policy will be updated to comply with the CCPA (CPRA). But remember, the CCPA (CPRA) does not override other applicable privacy regulations like CalOPPA and COPPA, so make sure your Privacy Policy is built to satisfy all applicable privacy laws for your business, consumer base, and location.