What Is the CCPA?
The California Consumer Privacy Act (CCPA), amended and strengthened by the California Privacy Rights Act (CPRA) that took effect in 2023, gives California residents significant control over their personal information. It requires covered businesses to be transparent about their data collection practices, both in their privacy policy and in a notice at or before the point of collection.
The CCPA is one of the strongest consumer privacy laws in the United States and has influenced similar legislation in other states including Virginia, Colorado, Connecticut, and Utah.
Does the CCPA Apply to Your Business?
The CCPA applies to for-profit businesses that collect personal information from California residents and meet any one of these thresholds:
- Annual gross revenue exceeding $25 million.
- Data volume — You buy, sell, or share the personal information of 100,000 or more California consumers or households annually (the original CCPA threshold of 50,000 consumers, households, or devices was raised by the CPRA).
- Revenue from data — You derive 50% or more of annual revenue from selling or sharing California consumers' personal information.
Even if you don't meet these thresholds, having a CCPA-compliant privacy policy is good practice. California's population means many websites have California visitors, and other state privacy laws have similar requirements with different thresholds.
Consumer Rights You Must Disclose
Under the CCPA, California consumers have specific rights that your privacy policy must explain:
- Right to know — Consumers can request what personal information you've collected about them, where it came from, what you use it for, and who you share it with.
- Right to delete — Consumers can request deletion of their personal information, with some exceptions (such as completing a transaction or detecting security incidents).
- Right to opt-out — Consumers can opt out of the sale or sharing of their personal information. If you sell or share data, you must provide a clear "Do Not Sell or Share My Personal Information" link, and you must honor opt-out preference signals such as Global Privacy Control sent by the consumer's browser.
- Right to non-discrimination — You cannot deny services, charge different prices, or provide a different quality of service because a consumer exercised their CCPA rights.
- Right to correct — Added by CPRA, consumers can request correction of inaccurate personal information.
- Right to limit use of sensitive data — Also added by CPRA, consumers can limit how you use sensitive personal information like social security numbers, financial accounts, precise geolocation, and health data.
What Your Privacy Policy Must Contain
To comply with the CCPA, your privacy policy must specifically include:
- Categories of personal information collected in the past 12 months
- The sources of that personal information
- Your business purpose for collecting or selling it
- Categories of third parties with whom you sell, share, or disclose personal information
- A statement that consumers can request the specific pieces of personal information collected about them (this detail is delivered in response to a request, not listed in the policy itself)
- A description of consumer rights and how to exercise them
- At least two methods for submitting requests, including a toll-free number (a business that operates exclusively online and has a direct relationship with the consumer may offer only an email address)
Your policy must be updated at least once every 12 months and include the date it was last updated.
How CCPA Differs From GDPR
While both laws protect consumer privacy, they differ in important ways:
- Scope — GDPR applies to any organization, regardless of size or profit status, that processes personal data of people in the EU. CCPA applies only to for-profit businesses meeting specific thresholds.
- Legal basis — GDPR requires one of six lawful bases (consent is only one of them) before processing data. CCPA allows collection but gives consumers the right to opt out and delete.
- Consent model — GDPR is opt-in where consent is the lawful basis (consent before collection). CCPA is opt-out (collect, but allow consumers to stop sales and sharing).
- Penalties — GDPR fines reach €20 million or 4% of global annual turnover, whichever is higher. CCPA administrative penalties are up to $2,500 per violation and $7,500 per intentional violation or violation involving a minor's data. Consumers can sue only over breaches of unencrypted, unredacted personal information caused by a failure to maintain reasonable security, for $100 to $750 per consumer per incident or actual damages, whichever is greater.
- Data subject rights — Both provide access and deletion rights, and both require access data to be delivered in a portable format. GDPR also includes the right to restrict processing and the right to object, while CCPA's distinctive rights are the opt-out of sale and sharing and the limit on use of sensitive personal information.
If you serve both EU and California audiences, your privacy policy should address the requirements of both regulations.
Create Your CCPA-Compliant Policy
Our generator builds a privacy policy that covers CCPA requirements, including all required consumer rights disclosures.
Generate Your Policy Now