The California Consumer Privacy Act (CCPA), codified at Cal. Civ. Code sections 1798.100 through 1798.199.100, fundamentally changed how businesses must handle the personal information of California residents. As amended by the California Privacy Rights Act (CPRA), approved by voters in November 2020 with most provisions in force since January 1, 2023, the law imposes specific privacy policy requirements that go well beyond what many businesses are accustomed to. If your website collects personal information from California consumers, your privacy policy must meet detailed statutory and regulatory standards, or the business faces enforcement action. This guide breaks down exactly what the CCPA requires and how to get your privacy policy into compliance.
Who Must Comply With the CCPA
The CCPA does not apply to every business. It applies to for-profit entities that do business in California, that collect consumers’ personal information (or have it collected on their behalf) and determine the purposes and means of processing it, and that meet at least one of three thresholds established under Cal. Civ. Code section 1798.140(d):
1. Annual gross revenue exceeding $25 million, measured as of January 1 of the preceding calendar year and subject to periodic inflation adjustment by the California Privacy Protection Agency. This threshold applies to the business’s worldwide revenue, not just revenue from California operations. If your company generates more than $25 million annually from any source, the CCPA applies to your handling of California consumers’ data.
2. Buying, selling, or sharing the personal information of 100,000 or more consumers or households. This threshold was raised from 50,000 to 100,000 under the CPRA amendments. Given that “personal information” under the CCPA includes IP addresses, device identifiers, and browsing history, many online businesses with moderate California traffic may reach this number without realizing it.
3. Deriving 50% or more of annual revenue from selling or sharing consumers’ personal information. Data brokers and advertising-dependent businesses frequently fall into this category.
Even if your business is not based in California, you must comply if you meet any of these thresholds and collect personal information from California residents. The CCPA’s extraterritorial reach means that an e-commerce business in New York or a SaaS company in London can be subject to California privacy law.
For businesses that also serve European users, understanding the differences between US and EU privacy frameworks is essential. Our comparison of CCPA vs GDPR explores these distinctions in detail.
What Your CCPA Privacy Policy Must Disclose
The CCPA sets out specific disclosure requirements in Cal. Civ. Code sections 1798.100(a) and 1798.130(a). Your privacy policy must include the following elements:
Categories of personal information collected. You must list the categories of personal information you have collected in the preceding 12 months, by reference to the categories enumerated in section 1798.140(v)(1), along with the categories of sources from which each was collected. The statute enumerates 12 categories, including identifiers (name, email, IP address), commercial information (purchase history), internet or other network activity (browsing history, search history), geolocation data, professional or employment information, inferences drawn from any of the above and, since the CPRA, sensitive personal information.
Purposes for collection. For each category of personal information, disclose the business or commercial purpose for which it was collected. Vague statements like “to improve our services” are insufficient. You must be specific: “to process orders and fulfill deliveries,” “to serve targeted advertising based on browsing behavior,” “to detect security incidents.”
Categories of third parties with whom information is shared. If you share personal information with third parties, disclose the categories of recipients: advertising networks, analytics providers, payment processors, cloud hosting services. Under the CPRA amendments, you must also disclose categories of third parties to whom information is sold or shared for cross-context behavioral advertising.
Consumer rights and how to exercise them. Your policy must explain the rights California consumers have under the CCPA: the right to know (including a portable copy of specific pieces of information), the right to delete, the right to opt out of the sale or sharing of personal information, the right to correct inaccurate information, the right to limit the use of sensitive personal information, and the right not to be discriminated against for exercising any of these rights. You must provide clear instructions for submitting requests through at least two designated methods, which under section 1798.130(a)(1)(A) must include a toll-free telephone number and, if you maintain a website, a web address; a business that operates exclusively online and has a direct relationship with the consumer may provide an email address in place of the toll-free number.
Retention periods. The CPRA added a requirement to disclose the retention period for each category of personal information, or the criteria used to determine retention periods.
“Do Not Sell or Share My Personal Information” link. If your business sells or shares personal information, you must provide a clearly labeled link on your homepage titled “Do Not Sell or Share My Personal Information.” This opt-out mechanism must be functional and easy to use, and must not require the consumer to create an account. Under CPRA, this extends to cross-context behavioral advertising, not just traditional data sales. The CPRA regulations also require you to treat a browser opt-out preference signal such as Global Privacy Control as a valid opt-out request, and under section 1798.135(b) a business that honors such signals may rely on that instead of posting the link. A free cookie consent banner can provide this opt-out functionality alongside GDPR consent management.
Notice of financial incentive. If you offer financial incentives (discounts, loyalty programs) in exchange for the collection, sale, or retention of personal information, your privacy policy must describe the material terms of the incentive program and explain how consumers can opt in or withdraw.
Sensitive Personal Information Under the CPRA
The CPRA introduced the concept of “sensitive personal information,” which includes government identifiers such as Social Security, driver’s license and passport numbers; account log-in or financial account, debit or credit card numbers combined with the credentials needed to access the account; precise geolocation; racial or ethnic origin, religious or philosophical beliefs and union membership; the contents of mail, email or text messages not directed to the business; genetic data; biometric information processed to uniquely identify a consumer; health information; and sex life or sexual orientation.
If your business collects sensitive personal information and uses or discloses it for purposes beyond those the statute and regulations permit (such as what is necessary to provide the requested goods or services, to prevent fraud, or to ensure security and integrity), your privacy policy must disclose this, and consumers have the right under section 1798.121 to limit its use to those necessary purposes. In that case you must also include a separate link on your homepage: “Limit the Use of My Sensitive Personal Information.” Section 1798.135(a)(3) allows this link and the “Do Not Sell or Share” link to be combined into a single, clearly labeled alternative link, which the regulations title “Your Privacy Choices.”
This elevated protection for sensitive data categories echoes similar provisions in the GDPR (Article 9) and Brazil’s LGPD (Article 11), reflecting a global trend toward stricter handling of high-risk personal information.
Common Compliance Mistakes
Many businesses fall short of CCPA compliance not through deliberate negligence but through misunderstanding the law’s requirements. Here are the most frequent mistakes:
Using a GDPR-only privacy policy. While the GDPR and CCPA overlap in some areas, a privacy policy designed exclusively for GDPR compliance will not satisfy CCPA requirements. The CCPA has its own specific disclosure categories, consumer rights framework, and opt-out mechanisms that differ substantially from European law. For a detailed comparison, see our analysis of CCPA vs GDPR key differences.
Failing to update annually. Cal. Civ. Code section 1798.130(a)(5) requires businesses to update their privacy policy at least once every 12 months, and the policy must state its effective date or date of last update. Many businesses create a policy once and never revisit it, leaving it out of date as their data practices evolve.
Incomplete category disclosures. Listing “personal information” as a single category is not sufficient. The CCPA requires granular disclosure across its 12 enumerated categories. Review your actual data flows, including analytics tools, advertising pixels, CRM integrations, and payment processors, to ensure every category is captured.
No functional opt-out mechanism. Having a “Do Not Sell or Share” link that leads to a broken form, an unmonitored email address, or a generic contact page is a violation. The opt-out must work, and the regulations require you to act on an opt-out request within 15 business days of receipt, including notifying any third parties to whom you sold or shared the consumer’s personal information during that window that they must stop using it. Test the link end to end, from the homepage through to the back-end flag that actually stops the data flow to advertising and analytics vendors.
Ignoring service providers and contractors. The CCPA distinguishes between “service providers” (who process data on your behalf under contract) and “third parties” (who receive data for their own purposes). Your privacy policy must accurately characterize these relationships, and your contracts must include CCPA-compliant data processing terms.
CCPA Enforcement and Penalties
The California Attorney General’s office has been actively enforcing the CCPA since July 1, 2020. Under Cal. Civ. Code section 1798.155, penalties (subject to periodic inflation adjustment by the CPPA) include:
- Up to $2,500 per violation. Because each affected consumer can be counted as a separate violation, fines accumulate rapidly: a single non-compliant practice affecting 10,000 California consumers could in principle expose the business to $25 million in penalties. The CPRA also removed the 30-day cure period the original CCPA gave businesses before the Attorney General could seek penalties.
- Up to $7,500 per intentional violation. Knowing violations of the CCPA, and violations involving the personal information of consumers the business knows to be under 16, carry the higher penalty.
- Private right of action for data breaches. Under section 1798.150, consumers can sue businesses directly when their nonencrypted and nonredacted personal information (in the narrower sense of section 1798.81.5, such as a name combined with a Social Security number, an account number with its access code, or medical information), or an email address combined with a password or security question and answer, is subject to unauthorized access, theft or disclosure as a result of the business’s failure to implement and maintain reasonable security procedures. Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater. A consumer seeking statutory damages must first give 30 days’ written notice, and the CPRA makes clear that merely putting reasonable security in place after the breach does not cure the violation. For a security team, this makes encryption at rest and redaction of these specific fields a direct liability control, since the statutory damages provision reaches only unencrypted and unredacted data.
The California Privacy Protection Agency (CPPA), established by the CPRA, has shared enforcement authority with the Attorney General since July 1, 2023; it issues the implementing regulations and conducts its own investigations and administrative enforcement. For more details on enforcement risks, read our article on CCPA penalties and what happens if you don’t comply. For a broader comparison of US and EU frameworks, see our CCPA vs GDPR guide.
Four Approaches to CCPA Privacy Policy Compliance
Hiring a privacy attorney
Cost: $3,000 to $8,000 for a comprehensive CCPA privacy policy and opt-out infrastructure. Timeline: 2 to 6 weeks.
A California privacy attorney will conduct a detailed data mapping exercise, review your vendor agreements, and draft a policy tailored to your specific data practices. This is recommended for businesses with complex data flows, high data volumes, or operations in multiple US states with their own privacy laws (Virginia, Colorado, Connecticut, and others).
Using a generic AI tool
Apparent cost: $0. Real cost: potentially significant in enforcement risk.
General-purpose AI chatbots can produce text that looks like a privacy policy but often misses CCPA-specific requirements: the enumerated statutory categories, the opt-out and limit link requirements, the sensitive personal information disclosures, the two designated request methods, and the required update cadence. A policy that appears compliant but lacks mandatory elements creates a false sense of security.
Copying a free template
Cost: $0. Risk: high.
Free CCPA templates found online are typically generic, outdated (many predate the CPRA amendments), and not adapted to your specific business. They rarely include proper opt-out mechanisms or service provider disclosures. Using a template without significant customization is unlikely to satisfy CCPA requirements.
Using a specialized legal document generator
Cost: $14.90 to $49.90. Timeline: under 10 minutes.
A purpose-built legal document generator asks specific questions about your business activities, data collection practices, and third-party relationships, then produces a privacy policy that addresses CCPA requirements. This approach balances compliance rigor with accessibility and cost-effectiveness for the majority of online businesses.
Conclusion
The CCPA imposes detailed and specific requirements on privacy policies that go beyond general good practices. If your business meets any of the three applicability thresholds, your privacy policy must enumerate the categories of personal information you collect, explain your purposes, disclose third-party sharing, describe consumer rights and how to exercise them, and provide functional opt-out mechanisms.
Start by running a free compliance scan to see where your site stands today. With the CPPA actively enforcing the law and penalties accumulating per violation, the cost of non-compliance far exceeds the cost of getting your privacy policy right. Whether you engage a privacy attorney for complex situations or use a specialized generator for straightforward compliance needs, the important step is to act now. Every day without a compliant CCPA privacy policy is a day of unnecessary legal exposure.