TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. California Privacy Act (CCPA/CPRA) Overview
Compliance

California Privacy Act (CCPA/CPRA) Overview

A comprehensive overview of the California Consumer Privacy Act and CPRA updates, with practical compliance steps.

TermsBox Team|November 30, 20259 min read

The California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), require clear disclosures, rights handling, and opt-outs for sale or sharing of data. This guide delivers a full overview with H2 and H3 sections, tables, step-by-step actions, common mistakes, and enforcement examples. Reuse your CTA banners and link to the Privacy Policy Generator, Cookie Policy Generator, and Terms of Service Generator to keep your compliance pages synchronized.

Core requirements

Notice at collection

Inform users at or before collection about categories, purposes, retention, and sharing. Link to your privacy policy and include a clear Do Not Sell/Share option if applicable.

Rights handling

Support access, deletion, correction, portability, and opt-out of sale/share. Provide at least two request methods (for example, web form and email) and verify identity.

Selling, sharing, and ad tech

What triggers opt-outs

Cross-context behavioral advertising often counts as sharing. Selling includes exchanging data for value. If you run ad pixels, treat them as sale/share unless exempt.

Implementing opt-outs

Add a Do Not Sell/Share link and honor Global Privacy Control signals. Update your Cookie Policy to explain how opt-outs work.

Step-by-step compliance plan

  1. Map data categories, purposes, and recipients.
  2. Update your Privacy Policy with CPRA-required disclosures, retention, and rights.
  3. Configure a Do Not Sell/Share link and preference center; honor GPC.
  4. Update your Cookie Policy to classify ad/analytics cookies and link opt-outs.
  5. Implement request intake, verification, and tracking.
  6. Train teams on response timelines and exemptions.
  7. Maintain contracts with service providers and contractors that meet CPRA requirements.
  8. Review sensitive data handling and offer limitation options where required.
  9. Add CTA banners under intro and near conclusion for consistent UX.
  10. Archive policies, request logs, and opt-out evidence.

Table: rights and timelines

Right Timeline Notes Owner
Access/Deletion 45 days (extendable) Verify identity and log requests Privacy
Correction 45 days Apply across systems Privacy/IT
Opt-out sale/share Immediate Honor GPC; update cookies Marketing/Privacy
Limit sensitive data Promptly Offer clear toggle Product
No retaliation Ongoing Do not reduce service for exercising rights All teams

Data transfers and processors

Contracts and service providers

Use CPRA-compliant contracts with service providers and contractors. Limit use to specified purposes and require assistance with rights requests.

International considerations

If you also serve the EU/UK, align CPRA notices with GDPR disclosures and SCCs. Keep a single, clear privacy notice where possible.

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now

Common mistakes to avoid

  • Treating ad tech as exempt from sale/share.
  • Missing or hard-to-find Do Not Sell/Share links.
  • Ignoring GPC signals.
  • Vague retention statements without timeframes.
  • Untrained teams causing delayed responses.
  • Missing service provider language in contracts.

Enforcement examples and lessons

Sephora CPRA settlement (2022)

The 1.2 million USD settlement described in the AG press release shows the risk of ignoring GPC and hiding Do Not Sell links.

FTC actions on dark patterns

The FTC warns against deceptive opt-outs. Make your links and banners clear and balanced.

Meta GDPR fine (2023)

While under GDPR, the 1.2 billion EUR fine reported by Reuters reinforces scrutiny on transfers, relevant if California and EU data share infrastructure.

Publication QA

  • Privacy policy updated with CPRA sections.
  • Do Not Sell/Share link live and tested.
  • Cookie banner aligned and honors GPC.
  • CTA banners placed.
  • FAQ schema enabled.
  • Screenshots and logs stored.

Metrics to monitor

  • Number of opt-out requests and GPC signals processed.
  • Request response times.
  • Bounce rates after banner updates.
  • Contract coverage with service providers/contractors.

Notice templates

At collection notice example

We collect personal information (identifiers, usage data, and device data) to provide and improve our services. We may share certain data for cross-context advertising. See our Privacy Policy for categories, purposes, retention, and your rights. Manage cookies and opt-outs in our Cookie Policy and Do Not Sell/Share link.

Do Not Sell/Share link language

“Do Not Sell or Share My Personal Information” – opens preference center with advertising/sharing toggle and GPC acknowledgment.

Data inventory starter table

Category Example data Purpose Shared/sold? Retention
Identifiers Email, device ID Account, security No sale/share Account life + 12 mo
Internet activity Pages viewed, clicks Analytics, product improvement Sharing for ads 13 months
Geolocation (coarse) Region Content localization No sale/share Session
Purchase data Transaction history Billing, support No sale/share 7 years
Inferences Interest segments Personalization Sharing for ads 12 months

Service provider and contractor contracts

  • Include CPRA-required terms: limited use, assistance with rights requests, subprocessor controls, and deletion on request.
  • Require notification before adding subprocessors and maintain a public list when possible.
  • Verify data security commitments and breach notification timelines.

Sensitive personal information

  • Identify SPI (for example, precise geolocation, health data).
  • Offer “Limit the Use of My Sensitive Personal Information” where applicable.
  • Avoid using SPI for cross-context advertising without explicit alignment to user expectations.

Expanded common mistakes

  • Assuming legitimate interest-like reasoning applies; CPRA requires explicit opt-outs for sale/share.
  • Failing to classify ad tech partners correctly as service providers or third parties.
  • Not updating privacy notices with retention schedules.
  • Ignoring employee/applicant data if covered by your scope.
  • Overlooking offline collection notices for events or phone sales.

Evidence and audit kit

Artifact Purpose Owner
Policy versions and timestamps Show what users saw Legal/Privacy
Opt-out/GPC logs Prove compliance Engineering/Privacy
Request tickets and timelines Demonstrate SLA adherence Support/Privacy
Service provider contracts Show required clauses Legal/Procurement
Banner/preference screenshots Prove link placement Marketing/Privacy

Enforcement workflow

  • Intake complaints via support or privacy email.
  • Triage whether it is a rights request, opt-out issue, or general complaint.
  • Respond within statutory timelines; document actions taken.
  • Escalate systemic issues (for example, missing GPC honoring) to engineering with a fix SLA.
  • Record remediation and verify with regression tests.

Review cadence

  • Monthly: test Do Not Sell/Share links and GPC handling.
  • Quarterly: refresh data inventories and retention schedules; audit vendors.
  • Semiannual: legal review of notices and contracts.
  • After product changes: confirm new data uses are disclosed and covered by contracts.

Alignment with other laws

  • If you serve EU/UK users, ensure GDPR notices and SCCs align with CPRA disclosures.
  • If you use HIPAA-covered data, keep it segregated with separate BAAs.
  • For children’s data, assess COPPA requirements and avoid sale/share without proper consent.

Sensitive data handling table

SPI type Use Allowed? Controls
Precise geolocation Personalization/ads Generally avoid without clear user intent Opt-in, easy opt-out, short retention
Health-related data Product features Limit to necessary features Encryption, access control, explicit notice
Financial data Payments Yes, for transactions PCI-compliant processors, minimize storage
Government IDs Verification Only if required Secure storage, strict access

Testing and validation plan

  • Run monthly GPC tests from multiple browsers and regions.
  • Test Do Not Sell/Share link on desktop and mobile; capture screenshots.
  • Verify that opt-outs propagate to ad platforms and that cookies are suppressed.
  • Conduct mock rights requests to ensure SLAs are met.

Communication templates

  • Rights request confirmation: “We received your request regarding your personal information. We will respond within 45 days. For details, see our Privacy Policy.”
  • Opt-out confirmation: “We have recorded your Do Not Sell/Share preference and will honor GPC signals on this browser.”
  • Policy update notice: “We updated our privacy and cookie policies to clarify categories, retention, and opt-out options. Review the changes here.”

KPIs and reporting

  • Rights request volume by type and completion time.
  • Opt-out and GPC signals processed vs. failed.
  • Percentage of vendors with current CPRA-compliant contracts.
  • Time from policy change to site update (banner, links, preference center).
  • Number of complaints related to sale/share or opt-out placement.

Service provider vs. third party decisions

  • Classify vendors carefully: if they use data beyond your purposes, they may be third parties requiring opt-outs.
  • For service providers, ensure contracts forbid secondary use, combining data, and sale/share.
  • Update your public vendor list or policy disclosures when classifications change.

Consumer education tips

  • Add a short explainer next to the Do Not Sell/Share link describing what it does.
  • Include visuals or tooltips in the preference center to show which tags are disabled.
  • Provide a mini FAQ about rights and expected response timelines.
  • Remind users in confirmation emails that preferences can be updated anytime.

Quick checklist

  • Privacy policy updated with categories, purposes, retention, rights, and opt-out links.
  • Do Not Sell/Share link live; GPC honored.
  • Cookie banner aligned with opt-outs and preference center.
  • Contracts updated with CPRA language for service providers and contractors.
  • Logs and screenshots saved for requests, banners, and preferences.

Key takeaways

  • Provide notice at collection, clear rights instructions, and visible Do Not Sell/Share links.
  • Honor GPC and align cookie preferences with opt-outs.
  • Keep CPRA-ready contracts and vendor classifications up to date.
  • Log requests, opt-outs, and banner states for evidence.
  • Review inventories, policies, and banners on a set schedule.

Post-release review

  • Test Do Not Sell/Share links and GPC handling after each update.
  • Verify that privacy and cookie pages reflect the latest data categories and retention.
  • Confirm preference center toggles match tag manager behavior.
  • Save screenshots and changelog entries for the release.
  • Remind support teams of any wording or process changes.
  • Set a reminder for the next CPRA audit so opt-outs and notices stay current.
  • Record any contract updates or vendor classification changes in your compliance log.

Conclusion and next steps

CPRA compliance depends on clear notices, opt-outs, and disciplined request handling. Use this guide to update your privacy and cookie pages with the Privacy Policy Generator and Cookie Policy Generator, align terms with the Terms of Service Generator, and log every change. Continuous tuning keeps you ready for audits and user trust intact.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Cookie Policy Generator

Create a cookie policy for GDPR compliance

Terms of Service Generator

Create terms of service for your platform

Related Articles

Compliance

Australian Data Protection Laws: A Complete Business Guide

Understand Australian data protection laws including the Privacy Act 1988, state legislation, and compliance requirements for businesses.

April 4, 202612 min read
Compliance

Australian Privacy Act 1988: What Businesses Need to Know

A practical guide to the Australian Privacy Act 1988, covering the 13 APPs, compliance requirements, penalties, and how the Act applies to your business.

April 4, 202616 min read
Compliance

Australian Privacy Legislation: A Complete Guide

Learn about Australian privacy legislation, including the Privacy Act 1988, APPs, and compliance steps for businesses handling personal information.

April 4, 202612 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • Core requirements
  • Notice at collection
  • Rights handling
  • Selling, sharing, and ad tech
  • What triggers opt-outs
  • Implementing opt-outs
  • Step-by-step compliance plan
  • Table: rights and timelines
  • Data transfers and processors
  • Contracts and service providers
  • International considerations
  • Common mistakes to avoid
  • Enforcement examples and lessons
  • Sephora CPRA settlement (2022)
  • FTC actions on dark patterns
  • Meta GDPR fine (2023)
  • Publication QA
  • Metrics to monitor
  • Notice templates
  • At collection notice example
  • Do Not Sell/Share link language
  • Data inventory starter table
  • Service provider and contractor contracts
  • Sensitive personal information
  • Expanded common mistakes
  • Evidence and audit kit
  • Enforcement workflow
  • Review cadence
  • Alignment with other laws
  • Sensitive data handling table
  • Testing and validation plan
  • Communication templates
  • KPIs and reporting
  • Service provider vs. third party decisions
  • Consumer education tips
  • Quick checklist
  • Key takeaways
  • Post-release review
  • Conclusion and next steps
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.