
CCPA Privacy Policy Requirements: Notice and Disclosure Guide

A CCPA-compliant privacy policy is foundational to California privacy compliance. The law mandates specific disclosures that inform consumers about data practices and their rights.

Key Takeaways

Point Summary
Update frequency At least every 12 months
Key sections Categories collected, purposes, rights, contact info
At-collection notice Separate notice required at or before data collection
Accessibility Must be reasonably accessible, available in languages used
Links required Opt-out and limit SPI links if applicable

Quick Answer: CCPA privacy policies must disclose categories of personal information collected, sources, purposes, third parties, consumer rights, retention periods, and contact methods. Updates are required at least annually, and at-collection notices must be provided at or before data collection.

Privacy Policy vs. At-Collection Notice

CCPA requires two distinct types of notices:

Notice Type When Provided Purpose
Privacy policy Always available Comprehensive disclosure of all practices
At-collection notice At or before collection Immediate notice of what is being collected and why

Required Privacy Policy Disclosures

Categories of Personal Information

Disclosure Details
What to disclose Categories collected in preceding 12 months
Format List or table of categories
Specificity Align with statutory categories
Update Reflect actual collection practices

CCPA statutory categories (the privacy policy should map collected data to these, not to invented labels):

  • Identifiers
  • Customer records information
  • Protected classifications
  • Commercial information
  • Biometric information
  • Internet or other electronic network activity
  • Geolocation data
  • Sensory data (audio, electronic, visual, thermal, olfactory, or similar)
  • Professional or employment-related information
  • Education information
  • Inferences
  • Sensitive personal information (added by CPRA; see below)

Sensitive Personal Information

For SPI categories, see sensitive personal information guide.

Disclosure Details
What to disclose SPI categories collected
Additional detail Whether SPI is used beyond permitted purposes
Link Limit use link if applicable

Sources of Personal Information

Disclosure Details
Consumer directly Information provided by the consumer
Consumer indirectly Observed behavior, device information
Third parties Data brokers, partners, public sources

Business Purposes

Disclosure Details
What to disclose Why each category is collected
Format Clear explanation of purposes
Alignment Match purposes to collection categories

Common business purposes:

  • Providing products/services
  • Processing transactions
  • Customer support
  • Marketing and advertising
  • Security and fraud prevention
  • Legal compliance
  • Research and analytics
  • Quality assurance

Third-Party Disclosure

Disclosure Details
Categories shared What types of data go to third parties
Types of third parties Who receives data
Sale/sharing Whether data is sold or shared
Business purpose Why data is disclosed

Consumer Rights

For detailed guidance on consumer rights, see CCPA consumer rights.

Right Required Disclosure
Right to know How to submit requests, what can be requested
Right to delete How to request deletion, exceptions
Right to correct How to request corrections
Right to opt-out Link and instructions for opt-out
Right to limit SPI Link and instructions (if SPI collected)
Non-discrimination Statement of equal service

Contact Information

Element Requirement
Request methods At least two designated methods for submitting requests
Toll-free number Required, unless the business operates exclusively online and has a direct relationship with the consumer
Email address Sufficient on its own only for an exclusively-online business with a direct consumer relationship
Web form Required if the business maintains a website
Mailing address Recommended

Retention Periods

Disclosure Details
Format By category or criteria for determination
Specificity Clear enough to inform consumers
Origin Added by CPRA (effective January 1, 2023)

Response Timeline

Disclosure Details
Confirmation Within 10 business days of receiving a request to know, delete, or correct
Response Within 45 calendar days (one 45-day extension permitted, 90 days total)
Extension Consumer must be notified of the extension and the reason for it

At-Collection Notice Requirements

When Required

Scenario At-Collection Notice Required?
Website data collection Yes
Mobile app data collection Yes
In-person collection Yes
Phone collection Yes
Indirect (third-party) collection Generally yes; a business that neither collects nor controls collection directly from the consumer and does not sell the PI is relieved of the requirement, and data brokers may satisfy it by registering with the state

At-Collection Notice Content

Element Details
Categories collected What PI is being collected
Purposes Why each category is collected
Sensitive PI Whether SPI is collected and the purposes for it
Sale/sharing Whether each category is sold or shared
Retention Retention period, or the criteria used to determine it, for each category
Opt-out link "Do Not Sell or Share My Personal Information" link, if PI is sold or shared
Link to full policy Reference to the complete privacy policy

Placement and Timing

Requirement Details
Timing At or before collection
Visibility Conspicuous and easy to find
Online Link visible before form submission
Offline Provided before or at time of collection

Just-In-Time Notices

For specific collection contexts, consider layered notices:

Context Approach
Web form Short notice above form, link to full policy
Mobile app In-app disclosure before permission prompts
In-store kiosk Notice displayed before data entry
Phone Verbal disclosure before collecting information

Financial Incentive Notice

If offering incentives for data collection (loyalty programs, discounts):

Disclosure Details
Terms Clear explanation of the incentive program
Value Good faith estimate of data value
Opt-in Instructions for participation
Withdrawal How to withdraw from the program

Minors' Notice Requirements

Age Group Additional Requirements
Under 13 Affirmative opt-in consent from a parent or guardian required before sale or sharing; disclose this process
13 to 15 The minor's own affirmative opt-in required before sale or sharing; disclose this
16 and older Standard opt-out requirements apply

Privacy Policy Format and Accessibility

Format Requirements

Requirement Details
Length Appropriate detail without unnecessary complexity
Language Plain language, avoid legal jargon
Organization Clear headings and structure
Accessibility Compliant with accessibility standards

Multilingual Requirements

Requirement Details
Primary English (minimum)
Additional Every language in which the business ordinarily provides contracts, disclosures, or other information to California consumers
Consistency Same information in all language versions

Update Requirements

Requirement Details
Frequency At least every 12 months
Timing Update when practices change
Dating Include "Last Updated" date
Archives Consider maintaining prior versions

Sample Privacy Policy Structure

A CCPA-compliant privacy policy typically includes:

Section Contents
1. Introduction Who you are, policy scope
2. Information We Collect Categories, sources, SPI
3. How We Use Information Purposes for each category
4. How We Share Information Third parties, sale/sharing
5. Your Privacy Rights CCPA rights, how to exercise
6. Opt-Out of Sale/Sharing Link, instructions
7. Limit Use of SPI Link, instructions (if applicable)
8. Data Retention Periods or criteria
9. How We Protect Information Security overview
10. Contact Us Methods to reach you
11. Changes to This Policy Update process

Common Privacy Policy Mistakes

Mistake Correct Approach
Generic template language Customize to actual practices
Missing categories Include all collected categories
Vague purposes Be specific about why data is collected
Hidden opt-out link Prominent placement on homepage
Outdated information Update at least annually
Missing SPI disclosures Include if SPI is collected
No retention periods Add category-by-category retention
No contact methods Provide at least two request methods, including a toll-free number unless the exclusively-online exception applies

Employee Privacy Notice

Since the employee and business-contact exemptions expired on January 1, 2023, employee personal information is subject to full CCPA compliance:

Disclosure Details
Scope Applies to employees, job applicants, and independent contractors
Notice At-collection notice required at application or hiring, and whenever new categories are collected
Policy May be a separate employee privacy notice or a section of the main policy
Rights Same rights as any other consumer

Verification and Testing

Regularly verify your privacy policy compliance:

Check Action
Link functionality Test opt-out and limit links
Content accuracy Match policy to actual practices
Update date Ensure recent update
Contact methods Verify email and phone work
Accessibility Test with screen readers
Mobile Verify mobile readability
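The link, update-date, and contact-method checks in the table above can be automated against the rendered policy page. The script below is an added example, not code from the original page: it parses a policy page with the standard-library HTML parser and reports which required elements are missing or stale. The two HTML snippets are constructed samples, the toll-free prefixes are the North American Numbering Plan's toll-free codes, and the "Last Updated: YYYY-MM-DD" format is an assumption about how the page dates itself.

```python
"""Automated CCPA privacy-policy check (added example; not from the original page).

Checks a policy page for: a working opt-out-of-sale/sharing link, a working
limit-SPI link (when SPI is used beyond permitted purposes), a "Last Updated"
date no older than 12 months, a toll-free number, and an email address.
"""
import re
from datetime import date, timedelta
from html.parser import HTMLParser

# Link text the regulations expect; "Your Privacy Choices" is the permitted
# single-link alternative to the two separate links.
OPT_OUT_TEXTS = ("do not sell or share my personal information", "your privacy choices")
LIMIT_SPI_TEXT = "limit the use of my sensitive personal information"
# Toll-free area codes assigned under the North American Numbering Plan.
TOLL_FREE_RE = re.compile(r"\b1?[-. ]?\(?(800|888|877|866|855|844|833)\)?[-. ]?\d{3}[-. ]?\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Assumed page convention: "Last Updated: 2024-03-01" (ISO date).
LAST_UPDATED_RE = re.compile(r"last updated:?\s*(\d{4}-\d{2}-\d{2})", re.I)


class _PolicyParser(HTMLParser):
    """Collects visible text and (link text, href) pairs from the page."""

    def __init__(self):
        super().__init__()
        self.links = []          # (lower-cased link text, href)
        self.text = []           # all text nodes
        self._cur_href = None
        self._cur_link = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._cur_href = dict(attrs).get("href") or ""
            self._cur_link = []

    def handle_endtag(self, tag):
        if tag == "a" and self._cur_href is not None:
            self.links.append(("".join(self._cur_link).strip().lower(), self._cur_href))
            self._cur_href = None

    def handle_data(self, data):
        self.text.append(data)
        if self._cur_href is not None:
            self._cur_link.append(data)


def _has_link(links, needles):
    # A link counts only if its text matches AND it has a non-empty href;
    # an anchor with no target is the "hidden opt-out link" failure mode.
    return any(any(n in text for n in needles) and href for text, href in links)


def check_policy(html, today, uses_spi_beyond_permitted=False, max_age_days=365):
    """Return a list of findings; an empty list means every check passed."""
    parser = _PolicyParser()
    parser.feed(html)
    text = " ".join(parser.text)
    findings = []

    if not _has_link(parser.links, OPT_OUT_TEXTS):
        findings.append("missing opt-out of sale/sharing link")
    if uses_spi_beyond_permitted and not _has_link(parser.links, (LIMIT_SPI_TEXT,)):
        findings.append("missing limit-SPI link")

    m = LAST_UPDATED_RE.search(text)
    if not m:
        findings.append("missing 'Last Updated' date")
    else:
        updated = date.fromisoformat(m.group(1))
        if today - updated > timedelta(days=max_age_days):
            findings.append(f"policy stale: last updated {updated.isoformat()}")

    if not TOLL_FREE_RE.search(text):
        findings.append("no toll-free number found")
    if not EMAIL_RE.search(text):
        findings.append("no email address found")
    return findings


# Constructed sample pages (not real sites).
SAMPLE_GOOD = """
<html><body><h1>Privacy Policy</h1><p>Last Updated: 2024-03-01</p>
<p>Call 1-800-555-0199 or email privacy@example.com.</p>
<a href="/privacy-choices">Do Not Sell or Share My Personal Information</a>
<a href="/limit-spi">Limit the Use of My Sensitive Personal Information</a>
</body></html>
"""
SAMPLE_BAD = """
<html><body><h1>Privacy Policy</h1><p>Last Updated: 2022-01-15</p>
<p>Contact us at (415) 555-0100.</p>
<a href="">Do Not Sell or Share My Personal Information</a>
</body></html>
"""

if __name__ == "__main__":
    for name, page in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, check_policy(page, date(2024, 9, 1), uses_spi_beyond_permitted=True))
```

Run it against the fetched HTML of the live policy page as part of the annual review; the "bad" sample shows the typical findings, an anchor with no href, a date older than 12 months, a local rather than toll-free number, and no email address.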

How Bastion Helps

Creating and maintaining a compliant privacy policy requires ongoing attention.

Challenge How We Help
Policy drafting Templates and custom policy creation
Gap analysis Review existing policy for CCPA compliance
Update process Systematic annual review procedures
At-collection notices Context-specific notice templates
Training Staff training on privacy notice requirements

Need help with your CCPA privacy policy? Talk to our team →
