The California Consumer Privacy Act (CCPA), codified at Cal. Civ. Code sections 1798.100 through 1798.199.100, fundamentally changed how businesses must handle the personal information of California residents. As amended by the California Privacy Rights Act (CPRA) in 2023, the law imposes specific privacy policy requirements that go well beyond what many businesses are accustomed to. If your website collects personal information from California consumers, your privacy policy must meet detailed statutory standards or face significant enforcement action. This guide breaks down exactly what the CCPA requires and how to get your privacy policy into compliance.
Who Must Comply With the CCPA
The CCPA does not apply to every business. It targets for-profit entities that do business in California and meet at least one of three thresholds established under Cal. Civ. Code section 1798.140(d):
1. Annual gross revenue exceeding $25 million. This threshold applies to the business’s worldwide revenue, not just revenue from California operations. If your company generates more than $25 million annually from any source, the CCPA applies to your handling of California consumers’ data.
2. Buying, selling, or sharing the personal information of 100,000 or more consumers or households. This threshold was raised from 50,000 to 100,000 under the CPRA amendments. Given that “personal information” under the CCPA includes IP addresses, device identifiers, and browsing history, many online businesses with moderate California traffic may reach this number without realizing it.
3. Deriving 50% or more of annual revenue from selling or sharing consumers’ personal information. Data brokers and advertising-dependent businesses frequently fall into this category.
Even if your business is not based in California, you must comply if you meet any of these thresholds and collect personal information from California residents. The CCPA’s extraterritorial reach means that an e-commerce business in New York or a SaaS company in London can be subject to California privacy law.
For businesses that also serve European users, understanding the differences between US and EU privacy frameworks is essential. Our comparison of CCPA vs GDPR explores these distinctions in detail.
What Your CCPA Privacy Policy Must Disclose
The CCPA sets out specific disclosure requirements in Cal. Civ. Code sections 1798.100(a) and 1798.130(a). Your privacy policy must include the following elements:
Categories of personal information collected. You must list the categories of personal information you have collected in the preceding 12 months. The CCPA defines 12 categories under section 1798.140(v), including identifiers (name, email, IP address), commercial information (purchase history), internet activity (browsing history, search history), geolocation data, and professional or employment information.
Purposes for collection. For each category of personal information, disclose the business or commercial purpose for which it was collected. Vague statements like “to improve our services” are insufficient. You must be specific: “to process orders and fulfill deliveries,” “to serve targeted advertising based on browsing behavior,” “to detect security incidents.”
Categories of third parties with whom information is shared. If you share personal information with third parties, disclose the categories of recipients: advertising networks, analytics providers, payment processors, cloud hosting services. Under the CPRA amendments, you must also disclose categories of third parties to whom information is sold or shared for cross-context behavioral advertising.
Consumer rights and how to exercise them. Your policy must explain the rights California consumers have under the CCPA: the right to know, the right to delete, the right to opt out of the sale or sharing of personal information, the right to correct inaccurate information, and the right to limit the use of sensitive personal information. You must provide clear instructions for submitting requests, including at least two designated methods (a toll-free number and a website address).
Retention periods. The CPRA added a requirement to disclose the retention period for each category of personal information, or the criteria used to determine retention periods.
“Do Not Sell or Share My Personal Information” link. If your business sells or shares personal information, you must provide a clearly labeled link on your homepage titled “Do Not Sell or Share My Personal Information.” This opt-out mechanism must be functional and easy to use. Under CPRA, this extends to cross-context behavioral advertising, not just traditional data sales. A free cookie consent banner can provide this opt-out functionality alongside GDPR consent management.
Notice of financial incentive. If you offer financial incentives (discounts, loyalty programs) in exchange for the collection, sale, or retention of personal information, your privacy policy must describe the material terms of the incentive program and explain how consumers can opt in or withdraw.
Compliance with §7025 (Global Privacy Control). Under the CCPA Regulations effective January 2026, your privacy policy must disclose how your website honors the Global Privacy Control browser signal as a valid opt-out request. See the dedicated section below for model language.
Disclosing GPC compliance in your privacy policy
Under section 7025 of the CCPA Regulations, every business subject to the CCPA MUST honor browser-level Global Privacy Control (GPC) signals automatically as opt-out of sale or sharing requests. This is a technical compliance mandate: when a visitor’s browser transmits a GPC signal, your website must treat that signal as a valid request to opt the consumer out of the sale or sharing of their personal information, with no further user action required. The privacy policy itself must disclose this technical implementation — silence on the topic is not acceptable.
Why disclosure matters independently. The CPPA and the California Attorney General have made clear that honoring GPC and disclosing that you honor it are two separate obligations. A business that technically processes GPC signals correctly but fails to mention this in its privacy policy can still be cited for inadequate consumer disclosure. Conversely, a business that claims GPC compliance in its policy but does not technically honor the signal is exposed to deceptive-practice claims under both CCPA and California’s Unfair Competition Law.
Model disclosure language. You can adapt the following two paragraphs as a starting point:
Our website honors the Global Privacy Control (GPC) signal as a valid opt-out request under the California Consumer Privacy Act, as required by section 7025 of the CCPA Regulations. When your browser transmits a GPC signal, we automatically treat it as a request to opt out of the sale and sharing of your personal information, including for purposes of cross-context behavioral advertising. You do not need to submit any additional request, click any link, or fill out any form — the GPC signal alone is sufficient.
If you wish to verify that your browser is sending a GPC signal, you can install a privacy-focused browser extension or use a browser that supports GPC natively. Honoring GPC is in addition to — and does not replace — our “Do Not Sell or Share My Personal Information” link, which remains available for consumers who prefer to submit a manual opt-out request or whose browsers do not transmit a GPC signal.
Place this disclosure in a clearly identified subsection of your privacy policy, typically near your “Do Not Sell or Share” or “Your California Privacy Rights” section. The disclosure must remain accurate: if you change your GPC handling logic, update the policy.
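The disclosure above only holds up if the site actually processes the signal. As an added example (not code from the article or any product it mentions), the following Node-style JavaScript shows one way to honor GPC server-side: detect the `Sec-GPC: 1` request header that GPC-capable browsers send, flip the visitor's consent record to opted-out of sale or sharing, and use that record to decide which third-party tags may load. The header name and value come from the GPC specification; the shape of the request headers object, the consent record fields (`saleOrSharing`, `optOutSource`, `optOutAt`) and the tag catalog are assumptions constructed for this example.

```javascript
// Added example: honoring a Global Privacy Control (GPC) signal on the server.
// Assumptions (not from the article): request headers arrive as a plain object
// (as in Node/Express `req.headers`), and each visitor has a consent record
// with a boolean `saleOrSharing` flag. The tag catalog below is constructed.

// GPC is transmitted as the HTTP request header `Sec-GPC: 1`
// (browser-side the same state is exposed as `navigator.globalPrivacyControl`).
function gpcSignalPresent(headers) {
  // Header names may be any case; only the exact value "1" counts as a signal.
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      const v = Array.isArray(value) ? value[0] : value;
      return typeof v === 'string' && v.trim() === '1';
    }
  }
  return false;
}

// Apply the signal to a consent record. The record is treated as immutable and
// a new one is returned so the decision can be written to an audit log.
// A request WITHOUT the signal leaves an existing opt-out in place: GPC opts
// the consumer out, it never silently opts them back in.
function applyGpcSignal(headers, consent, now = () => new Date().toISOString()) {
  if (!gpcSignalPresent(headers)) return consent;
  return {
    ...consent,
    saleOrSharing: false,   // opt out of sale/sharing, incl. cross-context behavioral advertising
    optOutSource: 'gpc',    // distinguishes automatic opt-outs from manual "Do Not Sell" requests
    optOutAt: now(),        // constructed timestamp for the audit trail
  };
}

// Constructed catalog of third-party tags and the purpose each one serves.
// Tags whose purpose is sale or sharing are gated on the consent flag;
// tags needed to provide the service itself are not.
const TAG_CATALOG = [
  { id: 'payments-sdk', purpose: 'service' },
  { id: 'ad-network-pixel', purpose: 'sale_or_sharing' },
  { id: 'analytics-shared-with-partners', purpose: 'sale_or_sharing' },
];

// Return only the tags this visitor's consent record permits.
function allowedTags(consent, tagCatalog = TAG_CATALOG) {
  return tagCatalog.filter(
    (tag) => tag.purpose !== 'sale_or_sharing' || consent.saleOrSharing === true,
  );
}

// Constructed request: a browser with GPC enabled visiting the site.
const DEMO_HEADERS_WITH_GPC = { host: 'shop.example', 'Sec-GPC': '1' };
const DEMO_HEADERS_NO_GPC = { host: 'shop.example' };

// Stand-alone walk-through: a fresh visitor, first with the signal, then without.
function demo() {
  const fresh = { saleOrSharing: true };
  const afterSignal = applyGpcSignal(DEMO_HEADERS_WITH_GPC, fresh, () => '2026-01-15T00:00:00Z');
  const later = applyGpcSignal(DEMO_HEADERS_NO_GPC, afterSignal);
  return {
    tagsBefore: allowedTags(fresh).map((t) => t.id),
    tagsAfter: allowedTags(afterSignal).map((t) => t.id),
    stillOptedOutLater: later.saleOrSharing === false,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The design choice worth noting is in `applyGpcSignal`: the absence of the header on a later request is not treated as consent, so a consumer whose browser stops sending the signal stays opted out until they affirmatively opt back in. Keeping `optOutSource` in the record also lets you show, in the event of an inquiry, that GPC signals were honored automatically rather than routed through the manual link.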
Disclosing automated decision-making technology (ADMT)
The CCPA Regulations effective January 2026 also introduced disclosure and opt-out obligations around Automated Decision-Making Technology (ADMT). If your business uses ADMT to make significant decisions about consumers — for example, automated credit scoring, hiring screens, employment monitoring, insurance underwriting, or substantial educational or housing decisions — your privacy policy must disclose this use, describe the logic involved, and explain the consumer’s right to opt out of being subject to ADMT (with limited exceptions for fraud detection and security).
For most general-audience websites that do not perform automated significant decisioning, this section can be brief: a short paragraph confirming that the business does not use ADMT to make decisions of legal or similarly significant effect on consumers. For businesses that do use ADMT, a more detailed disclosure is required, including the right to access information about the logic and to opt out. See our complete analysis of the seven 2026 CCPA changes for the full technical requirements.
For dual-jurisdiction operators, our CCPA vs GDPR comparison explains how the new GPC and ADMT obligations align with — and diverge from — equivalent GDPR concepts (Article 22 on automated decision-making, GDPR Article 21 on objection to processing).
Sensitive Personal Information Under the CPRA
The CPRA introduced the concept of “sensitive personal information,” which includes Social Security numbers, financial account credentials, precise geolocation, racial or ethnic origin, religious beliefs, contents of mail or text messages, genetic data, biometric information, health information, and sexual orientation.
If your business collects sensitive personal information, your privacy policy must disclose this and provide consumers with the right to limit its use to purposes necessary for providing the requested goods or services. You must also include a separate link on your homepage: “Limit the Use of My Sensitive Personal Information.”
This elevated protection for sensitive data categories echoes similar provisions in the GDPR (Article 9) and Brazil’s LGPD (Article 11), reflecting a global trend toward stricter handling of high-risk personal information.
Common Compliance Mistakes
Many businesses fall short of CCPA compliance not through deliberate negligence but through misunderstanding the law’s requirements. Here are the most frequent mistakes:
Using a GDPR-only privacy policy. While the GDPR and CCPA overlap in some areas, a privacy policy designed exclusively for GDPR compliance will not satisfy CCPA requirements. The CCPA has its own specific disclosure categories, consumer rights framework, and opt-out mechanisms that differ substantially from European law. For a detailed comparison, see our analysis of CCPA vs GDPR key differences.
Failing to update annually. Cal. Civ. Code section 1798.130(a)(5) requires businesses to update their privacy policy at least once every 12 months. The date of last update must be displayed prominently. Many businesses create a policy once and never revisit it, leaving it out of date as their data practices evolve.
Incomplete category disclosures. Listing “personal information” as a single category is not sufficient. The CCPA requires granular disclosure across its 12 enumerated categories. Review your actual data flows, including analytics tools, advertising pixels, CRM integrations, and payment processors, to ensure every category is captured.
No functional opt-out mechanism. Having a “Do Not Sell” link that leads to a broken form, an unmonitored email address, or a generic contact page is a violation. The opt-out must work, and you must process requests within 15 business days.
Ignoring service providers and contractors. The CCPA distinguishes between “service providers” (who process data on your behalf under contract) and “third parties” (who receive data for their own purposes). Your privacy policy must accurately characterize these relationships, and your contracts must include CCPA-compliant data processing terms.
CCPA Enforcement and Penalties
The California Attorney General’s office has been actively enforcing the CCPA since July 2020. Under Cal. Civ. Code section 1798.155, penalties include:
- Up to $2,500 per unintentional violation. Given that each consumer record can constitute a separate violation, fines accumulate rapidly. A data breach affecting 10,000 California consumers could theoretically result in $25 million in penalties.
- Up to $7,500 per intentional violation. Knowing violations of the CCPA or violations involving the personal information of minors under 16 carry the higher penalty.
- Private right of action for data breaches. Under section 1798.150, consumers can sue businesses directly for data breaches resulting from the business’s failure to implement reasonable security measures. Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater.
The California Privacy Protection Agency (CPPA), established by the CPRA, now shares enforcement authority with the Attorney General and has been actively issuing regulations and conducting investigations — including the seven new 2026 CCPA rules covering automated decision-making, GPC signals and cybersecurity audits. For more details on enforcement risks, read our article on CCPA penalties and what happens if you don’t comply. For a broader comparison of US and EU frameworks, see our CCPA vs GDPR guide.
Four Approaches to CCPA Privacy Policy Compliance
Hiring a privacy attorney
Cost: $3,000 to $8,000 for a comprehensive CCPA privacy policy and opt-out infrastructure. Timeline: 2 to 6 weeks.
A California privacy attorney will conduct a detailed data mapping exercise, review your vendor agreements, and draft a policy tailored to your specific data practices. This is recommended for businesses with complex data flows, high data volumes, or operations in multiple US states with their own privacy laws (Virginia, Colorado, Connecticut, and others).
Using a generic AI tool
Apparent cost: $0. Real cost: potentially significant in enforcement risk.
General-purpose AI chatbots can produce text that looks like a privacy policy but often misses CCPA-specific requirements: the 12 statutory categories, the opt-out link requirement, the sensitive personal information disclosures, and the required update cadence. A policy that appears compliant but lacks mandatory elements creates a false sense of security.
Copying a free template
Cost: $0. Risk: high.
Free CCPA templates found online are typically generic, outdated (many predate the CPRA amendments), and not adapted to your specific business. They rarely include proper opt-out mechanisms or service provider disclosures. Using a template without significant customization is unlikely to satisfy CCPA requirements.
Using a specialized legal document generator
Cost: €19.90 to €49.90 (≈ $16 to $54 USD). Timeline: under 10 minutes.
A purpose-built legal document generator asks specific questions about your business activities, data collection practices, and third-party relationships, then produces a privacy policy that addresses CCPA requirements. This approach balances compliance rigor with accessibility and cost-effectiveness for the majority of online businesses.
Conclusion
The CCPA imposes detailed and specific requirements on privacy policies that go beyond general good practices. If your business meets any of the three applicability thresholds, your privacy policy must enumerate the categories of personal information you collect, explain your purposes, disclose third-party sharing, describe consumer rights and how to exercise them, and provide functional opt-out mechanisms.
Start by running a free compliance scan to see where your site stands today. With the CPPA actively enforcing the law and penalties accumulating per violation, the cost of non-compliance far exceeds the cost of getting your privacy policy right. Whether you engage a privacy attorney for complex situations or use a specialized generator for straightforward compliance needs, the important step is to act now. Every day without a compliant CCPA privacy policy is a day of unnecessary legal exposure.