Key Takeaways
| Point | Summary |
| --- | --- |
| Update frequency | At least every 12 months |
| Key sections | Categories collected, sources, purposes, third parties, consumer rights, retention, contact info |
| At-collection notice | Separate notice required at or before personal information is collected |
| Accessibility | Must be reasonably accessible, including to consumers with disabilities, and available in the languages the business ordinarily uses with California consumers |
| Links required | "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information" links, where applicable |
Quick Answer: CCPA privacy policies must disclose categories of personal information collected, sources, purposes, third parties, consumer rights, retention periods, and contact methods. Updates are required at least annually, and at-collection notices must be provided at or before data collection.
Privacy Policy vs. At-Collection Notice
CCPA requires two distinct types of notices:
| Notice Type | When Provided | Purpose |
| --- | --- | --- |
| Privacy policy | Always available (linked from the website and any mobile app) | Comprehensive disclosure of all data practices |
| At-collection notice | At or before collection | Immediate notice of what is being collected and why |
Required Privacy Policy Disclosures
Categories of Personal Information
| Disclosure | Details |
| --- | --- |
| What to disclose | Categories of personal information collected in the preceding 12 months |
| Format | List or table of categories |
| Specificity | Align with the statutory categories below |
| Update | Reflect actual collection practices, not a template |
CCPA statutory categories:
- Identifiers
- Customer records information
- Protected classifications
- Commercial information
- Biometric information
- Internet or network activity
- Geolocation data
- Sensory data
- Professional or employment information
- Education information
- Inferences
Sensitive Personal Information
For SPI categories, see sensitive personal information guide.
| Disclosure | Details |
| --- | --- |
| What to disclose | SPI categories collected and the purposes for which they are used |
| Additional detail | Whether SPI is used or disclosed for purposes beyond those the regulations permit (if so, the right to limit applies) |
| Link | "Limit the Use of My Sensitive Personal Information" link, if the right to limit applies |
Sources of Personal Information
| Source | Details |
| --- | --- |
| Consumer directly | Information the consumer provides (forms, accounts, purchases) |
| Consumer indirectly | Observed behavior, device and browser information, cookies |
| Third parties | Data brokers, business partners, public sources |
Business Purposes
| Disclosure | Details |
| --- | --- |
| What to disclose | Why each category is collected |
| Format | Clear explanation of each business or commercial purpose |
| Alignment | Map each purpose to the categories it uses |
Common business purposes:
- Providing products/services
- Processing transactions
- Customer support
- Marketing and advertising
- Security and fraud prevention
- Legal compliance
- Research and analytics
- Quality assurance
Third-Party Disclosure
| Disclosure | Details |
| --- | --- |
| Categories disclosed | Which categories of personal information go to third parties |
| Types of third parties | Who receives the data (service providers, contractors, third parties) |
| Sale/sharing | Whether personal information is sold or shared, and which categories |
| Business purpose | Why the data is disclosed |
Consumer Rights
For detailed guidance on consumer rights, see CCPA consumer rights.
| Right | Required Disclosure |
| --- | --- |
| Right to know | How to submit requests and what can be requested (categories, specific pieces, sources, purposes, recipients) |
| Right to delete | How to request deletion and the statutory exceptions |
| Right to correct | How to request correction of inaccurate personal information |
| Right to opt-out | "Do Not Sell or Share" link and instructions for opting out of sale or sharing |
| Right to limit SPI | "Limit the Use of My SPI" link and instructions (if the right to limit applies) |
| Non-discrimination | Statement that consumers will not be denied goods or services, charged different prices, or given different quality for exercising their rights |
Contact Information
| Element | Requirement |
| --- | --- |
| Number of methods | At least two designated methods for submitting requests |
| Toll-free number | Required, unless the business operates exclusively online and has a direct relationship with the consumer, in which case an email address alone suffices |
| Email address | Required for exclusively online businesses; recommended for all others |
| Web form | Required if the business maintains a website (the website must be available for submitting requests) |
| Mailing address | Recommended |
Retention Periods
| Disclosure | Details |
| --- | --- |
| Format | Retention period for each category, or the criteria used to determine it |
| Specificity | Clear enough to inform consumers how long their data is kept |
| CPRA addition | This disclosure was added by the CPRA |
Response Timeline
| Disclosure | Details |
| --- | --- |
| Confirmation | Acknowledge receipt of a request within 10 business days |
| Response | Substantive response within 45 calendar days of receipt |
| Extension | One additional 45 days (90 total) when reasonably necessary; the consumer must be told of the extension and the reason within the initial 45 days |
At-Collection Notice Requirements
When Required
| Scenario | At-Collection Notice Required? |
| --- | --- |
| Website data collection | Yes |
| Mobile app data collection | Yes |
| In-person collection | Yes |
| Phone collection | Yes |
| Indirect collection from third parties | Not if the information is not sold; if it is sold, the business must either notify the consumer directly or confirm the source provided a compliant notice |
At-Collection Notice Content
| Element | Details |
| --- | --- |
| Categories collected | What personal information is being collected |
| Purposes | Why it is being collected |
| Sensitive PI | Whether SPI is collected, and for what purposes |
| Sale/sharing | Whether the information is sold or shared |
| Retention | How long each category is retained, or the criteria for determining it |
| Link to full policy | Link to the complete privacy policy |
Placement and Timing
| Requirement | Details |
| --- | --- |
| Timing | At or before collection |
| Visibility | Conspicuous and easy to find |
| Online | Notice or link visible before the form is submitted |
| Offline | Provided before or at the time of collection (signage, printed notice, or verbal disclosure) |
Just-In-Time Notices
For specific collection contexts, consider layered notices:
| Context | Approach |
| --- | --- |
| Web form | Short notice above the form, with a link to the full policy |
| Mobile app | In-app disclosure before permission prompts (location, contacts, camera) |
| In-store kiosk | Notice displayed before data entry |
| Phone | Verbal disclosure before collecting information |
Financial Incentive Notice
If offering incentives for data collection (loyalty programs, discounts):
| Disclosure | Details |
| --- | --- |
| Terms | Clear summary of the incentive program and the categories of personal information involved |
| Value | Good-faith estimate of the value of the consumer's data and the method used to calculate it |
| Opt-in | How the consumer affirmatively opts in to participate |
| Withdrawal | How to withdraw from the program at any time |
Minors' Notice Requirements
| Age Group | Additional Requirements |
| --- | --- |
| Under 13 | Affirmative authorization from a parent or guardian required before selling or sharing personal information; disclose this process |
| 13-15 | The minor's own opt-in consent required before sale or sharing; disclose this |
| 16+ | Standard requirements apply (opt-out of sale or sharing) |
Privacy Policy Format and Accessibility
Format Requirements
| Requirement | Details |
| --- | --- |
| Length | Appropriate detail without unnecessary complexity |
| Language | Plain language; avoid legal and technical jargon |
| Organization | Clear headings and structure |
| Accessibility | Reasonably accessible to consumers with disabilities (follow recognized accessibility standards such as WCAG) |
Multilingual Requirements
| Requirement | Details |
| --- | --- |
| Primary | English (minimum) |
| Additional | Every language in which the business ordinarily provides contracts, disclosures, or other consumer-facing information in California |
| Consistency | Same information in all languages |
Update Requirements
| Requirement | Details |
| --- | --- |
| Frequency | At least every 12 months |
| Timing | Also update whenever practices change |
| Dating | Include a "Last Updated" date |
| Archives | Consider maintaining prior versions |
Sample Privacy Policy Structure
A CCPA-compliant privacy policy typically includes:
| Section | Contents |
| --- | --- |
| 1. Introduction | Who you are, policy scope |
| 2. Information We Collect | Categories, sources, SPI |
| 3. How We Use Information | Purposes for each category |
| 4. How We Share Information | Third parties, sale/sharing |
| 5. Your Privacy Rights | CCPA rights, how to exercise them |
| 6. Opt-Out of Sale/Sharing | Link, instructions |
| 7. Limit Use of SPI | Link, instructions (if applicable) |
| 8. Data Retention | Periods or criteria |
| 9. How We Protect Information | Security overview |
| 10. Contact Us | Methods to reach you |
| 11. Changes to This Policy | Update process and "Last Updated" date |
Common Privacy Policy Mistakes
| Mistake | Correct Approach |
| --- | --- |
| Generic template language | Customize to actual practices |
| Missing categories | Include every category actually collected |
| Vague purposes | Be specific about why each category is collected |
| Hidden opt-out link | Clear and conspicuous "Do Not Sell or Share" link on the homepage |
| Outdated information | Update at least annually and whenever practices change |
| Missing SPI disclosures | Include if SPI is collected |
| No retention periods | Add category-by-category retention periods or criteria |
| Too few contact methods | Provide at least two request methods, including a toll-free number unless exclusively online |
Employee Privacy Notice
Since the CPRA's employee and business-to-business exemptions expired on January 1, 2023, employee personal information is subject to full CCPA compliance:
| Disclosure | Details |
| --- | --- |
| Scope | Applies to employees, applicants, contractors, and similar workforce members |
| Notice | At-collection notice required at application or hiring |
| Policy | May be a separate notice or a section of the main privacy policy |
| Rights | Same rights as consumer customers (know, delete, correct, opt-out, limit) |
Verification and Testing
Regularly verify your privacy policy compliance:
| Check | Action |
| --- | --- |
| Link functionality | Test that the opt-out and limit links resolve and actually record the choice |
| Content accuracy | Match the policy to actual practices |
| Update date | Ensure the "Last Updated" date is within the last 12 months |
| Contact methods | Verify the email address and phone number work |
| Accessibility | Test with screen readers |
| Mobile | Verify mobile readability |
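The link, contact and update-date checks above can be run as an automated gate against a saved copy of the policy page. The following is an added example, not part of the original page or any vendor tool: it parses the HTML with the standard library, looks for the two required link texts, a "Last Updated" date within 12 months, an email address and a toll-free number. The sample page and the fixed "today" are constructed for the demo, and the regexes are assumptions about how the policy is written.

```python
"""Static audit of a privacy policy page for the CCPA elements discussed above.

Added example, not code from the original page. It checks a saved HTML page for:
  * the "Do Not Sell or Share My Personal Information" link,
  * the "Limit the Use of My Sensitive Personal Information" link,
  * a "Last Updated" date no older than 12 months,
  * at least one email address and one toll-free number.
SAMPLE_HTML and SAMPLE_TODAY are constructed so the checks are reproducible.
"""
import re
from datetime import date, datetime
from html.parser import HTMLParser

OPT_OUT_TEXT = "do not sell or share my personal information"
LIMIT_TEXT = "limit the use of my sensitive personal information"
# Assumed formats: US toll-free prefixes and a "Month D, YYYY" update date.
TOLL_FREE_RE = re.compile(r"\b1?[-. ]?\(?8(00|88|77|66|55|44|33)\)?[-. ]?\d{3}[-. ]?\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
LAST_UPDATED_RE = re.compile(r"last updated:?\s*([A-Za-z]+ \d{1,2}, \d{4})", re.I)


class _PolicyParser(HTMLParser):
    """Collect (href, link text) pairs and the page's visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text_parts = []
        self._href = None
        self._link_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._link_text = []

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._link_text).strip()))
            self._href = None


def _has_link(links, wanted):
    """True if an anchor carries the wanted text AND a non-empty href (a dead link fails)."""
    return any(href and wanted in text.lower() for href, text in links)


def audit_privacy_policy(html, today):
    """Return {check name: passed} for the CCPA elements listed in the module docstring."""
    p = _PolicyParser()
    p.feed(html)
    text = " ".join(p.text_parts)

    updated_recently = False
    m = LAST_UPDATED_RE.search(text)
    if m:
        updated = datetime.strptime(m.group(1), "%B %d, %Y").date()
        updated_recently = (today - updated).days <= 365  # "at least every 12 months"

    return {
        "opt_out_link": _has_link(p.links, OPT_OUT_TEXT),
        "limit_spi_link": _has_link(p.links, LIMIT_TEXT),
        "updated_within_12_months": updated_recently,
        "email_listed": EMAIL_RE.search(text) is not None,
        "toll_free_listed": TOLL_FREE_RE.search(text) is not None,
    }


def failing_checks(html, today):
    """Sorted names of failed checks, for a CI-style pass/fail gate."""
    return sorted(k for k, ok in audit_privacy_policy(html, today).items() if not ok)


SAMPLE_TODAY = date(2025, 3, 1)

# Constructed sample page: has the opt-out link and an email, but the SPI link
# has no href, the date is more than 12 months old, and no toll-free number is listed.
SAMPLE_HTML = """
<html><body>
<h1>Privacy Policy</h1>
<p>Last Updated: January 15, 2024</p>
<p>Contact us at privacy@example.com.</p>
<a href="/do-not-sell">Do Not Sell or Share My Personal Information</a>
<a>Limit the Use of My Sensitive Personal Information</a>
</body></html>
"""

if __name__ == "__main__":
    for name, ok in audit_privacy_policy(SAMPLE_HTML, SAMPLE_TODAY).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Run it against a fetched copy of the live page (and the mobile rendering) in a scheduled job; the dead-link case is deliberately counted as a failure, since a visible "Limit the Use" label with no working target does not satisfy the requirement.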
How Bastion Helps
Creating and maintaining a compliant privacy policy requires ongoing attention.
| Challenge | How We Help |
| --- | --- |
| Policy drafting | Templates and custom policy creation |
| Gap analysis | Review of existing policy against CCPA requirements |
| Update process | Systematic annual review procedures |
| At-collection notices | Context-specific notice templates |
| Training | Staff training on privacy notice requirements |
Need help with your CCPA privacy policy? Talk to our team →