January 19, 2024

California Resident Privacy Rights: Privacy Policy for CCPA, CPRA, and COPPA Compliance [Free Template]

Understand the essentials of California privacy policies for businesses processing personal information of residents. Learn about CCPA, CPRA, and COPPA, and download a free privacy policy template to ensure compliance.

If you process the personal information of California residents, you must publish a California privacy policy on your website.

If you don't have one, the template at the bottom of this article, in combination with the content here, will help you draft one for yourself. We recommend, however, that you use our free privacy policy generator to get a privacy policy. But first, read more about California privacy policies and what they need to contain.

Get Your Privacy Policy Template

California privacy policy: the essentials for all businesses

It may sound strange, but three Californian laws require you to publish a privacy policy on your website. At least one of them applies to you.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act of 2018 is the first-ever comprehensive data privacy law in the United States. It made California the first US state to pass legislation protecting consumer data.

It applies to for-profit businesses that process the personal information of California residents and:

  • Have annual gross revenues over $25 million

AND

  • Buy, receive, or sell the personal information of 50,000 or more California consumers, households, or devices, or
  • Derive 50% or more of their annual revenues from selling consumers’ personal information.

The CCPA requires businesses to inform consumers about the processing of their personal information. They can do it through an up-to-date CCPA privacy policy.

The CCPA also granted consumers the right to opt out of the sale of their personal information.


California Privacy Rights Act (CPRA)

The California Privacy Rights Act of 2020 (CPRA) amended the CCPA. It expanded on the previously passed California law by granting more privacy rights to consumers.

It kept the requirements related to privacy notices and privacy policies. It also expanded the opt-out right to the sale and sharing of personal data.


California Online Privacy Protection Act (COPPA)

The California Online Privacy Protection Act (COPPA) is California's oldest privacy law. It was passed in 2003.

It was also the first-ever law in the United States requiring businesses to publish a privacy policy on their websites. Aside from this requirement, it imposes no other significant requirements on businesses operating online.

Unlike the CCPA and CPRA, the COPPA applies to every single business processing the personal data of California residents. There is no revenue or processing-volume threshold. It requires every business to have a privacy policy.

California privacy policy: essential elements

If you process the personal data of California residents, you must publish a privacy policy. And that privacy policy must contain the essential elements to make it compliant with the laws.

In the following paragraphs, we will show you all the necessary elements that a California privacy policy must contain. We will take into account the requirements of every single California law and merge them into one comprehensive privacy policy that will make you compliant with all of them at once.

In the end, you can download a California privacy policy template and adjust it to your business before publishing it on your website. We always recommend using our free privacy policy generator, but if you want to go the DIY way, we also have you covered.

Your California privacy policy needs to contain the following:

  • Categories of information processed
  • The purposes of collecting personal information
  • The categories of information sold to third parties or shared with them, if any
  • The consumer rights under the CCPA and CPRA
  • How consumers can exercise their rights under the CCPA and CPRA amendments
  • Compliance with universal opt-out signals
  • Your contact information so that consumers can reach out to you with any questions or concerns

Categories of personal information collected

Under the CCPA, your business must disclose a comprehensive list of all types of personal information collected from any source over the past 12 months.

This obligation is directly tied to the annual update of your privacy policy. Each time you revise your privacy policy, it's imperative to include a detailed account of the various categories of personal data your business has accumulated in the preceding year.

You also have to include the sources from which you obtained the data. These could be your website contact forms, cookies, web beacons, email lists obtained from lead generation services, and so on.

The processing purposes

To align your privacy policy with CCPA standards, it's essential to transparently communicate to your consumers the purposes behind your data collection. You need to articulate the specific uses of this data clearly.

Common purposes for data collection by businesses encompass:

  • Confirming identity and authenticity
  • Enhancing the quality of service provision
  • Tailoring consumer experiences
  • Website analytics
  • Marketing and promotional activities
  • Compliance with legal and regulatory requirements
  • Facilitating communication with customers

Furthermore, the CCPA mandates the disclosure of categories of user information that have been shared for business-related objectives over the last year.

Categories of Data Sold or Shared

Businesses have to specify the types of personal information that are being sold or shared. Selling information means exchanging it for money or other benefits. Sharing it means simply disclosing the data to service providers, such as when you share email addresses with Mailchimp.

Moreover, you have to explain the reasons behind selling or sharing this data.

Should your business not engage in the sale of personal information, this fact must be explicitly stated in your privacy policy.

This information should also include the categories of third parties to whom the data is sold or shared.

Information on the Use of Sensitive Personal Information

Businesses processing sensitive personal information, such as biometric data or data revealing ethnic or racial origin, children's data, or another category of sensitive data, have to disclose that in their privacy policies.

Businesses do not have to include this part in their privacy policy if they disclose the data for any of the following purposes:

  • Performance of a contract with the consumer
  • To verify and maintain the quality and safety of products
  • Fraud prevention
  • Prevention of security incidents
  • Physical safety of natural persons
  • Short-term use for non-personalized advertising purposes, as long as the data is not used for profiling
  • To collect or process sensitive personal information where the collection or processing is not for inferring characteristics about a consumer.

Consumer Rights of California Residents

California consumers are granted the following rights:

  • Know about the processing
  • Access the data
  • Deletion of data
  • Data portability
  • Opt out of the sale or sharing of data, or limit the use of sensitive data
  • Correction of inaccurate data

Businesses must inform consumers in plain language about their rights. They also must inform them about the designated methods for submitting consumer requests.

Statement on Children's Data Processing

The business is required to state in its privacy policy whether it intentionally collects and processes the personal information of children.

Furthermore, if the business does not deliberately process data about children, this fact must be distinctly articulated in the privacy policy.

Compliance with Universal Opt-Out Signals

You have to comply with universal opt-out signals, such as the Global Privacy Control, in any case, but you must also inform consumers about that in your privacy policy.

Contact Information (Contact Us)

Finally, the privacy policy must contain information about how the business processes consumers' personal information and how consumers can contact the business.

California privacy policy: free template

We recommend you use our free privacy policy generator to generate a California privacy policy in a few minutes. However, if you still want to go the DIY way and do it manually, you can download our free California privacy policy template.
