CCPA/CPRA Privacy Policy Template
A comprehensive CCPA/CPRA privacy policy template with rights, notices, opt-outs, and implementation steps.
California privacy law requires clear notices, easy opt-outs, and disciplined rights handling. This 2,000+ word template gives you the structure, examples, and checklists to publish a compliant CCPA/CPRA privacy policy. It reuses your CTA banners and links to the Privacy Policy Generator, Cookie Policy Generator, and Terms of Service Generator so your policy stack stays consistent.
Core sections to include
Categories, purposes, and retention
List the categories of personal information you collect, their purposes, and retention periods or criteria. Align these with your data map and vendor list.
Sources and recipients
Describe sources (direct from users, devices, third parties) and recipients (service providers, contractors, and third parties). Clarify if sharing is sale/share for ads.
Sale/share and opt-outs
State whether you sell/share data and provide a Do Not Sell/Share link. Explain Global Privacy Control (GPC) handling and confirm it is honored.
Rights and request handling
Consumer rights
Explain access, deletion, correction, portability, opt-out of sale/share, limit sensitive data use, and non-retaliation.
Request process
Provide at least two contact methods, verification steps, and timelines (45 days plus possible extension). Describe appeal options if you offer them.
Step-by-step drafting workflow
- Map data categories, purposes, retention, and recipients.
- Update the Privacy Policy structure with CCPA/CPRA disclosures.
- Add a Do Not Sell/Share link and preference center; test GPC.
- Refresh your Cookie Policy to classify cookies and explain opt-outs.
- Cross-link policies in footer, banner, and forms.
- Add schema FAQ from this frontmatter and place CTA banners under intro and before the conclusion.
- Capture screenshots of the policy, banners, preference center, and opt-out flows.
- Train support and marketing on rights handling and approved language.
- Log versions, approvers, and evidence.
- Review quarterly or after product/vendor changes.
Example data categories table
| Category | Examples | Purpose | Retention | Sold/Shared? |
|---|---|---|---|---|
| Identifiers | Name, email | Accounts, support | Account life + 12 mo | No |
| Internet activity | Pages viewed, clicks | Analytics, performance | 13 mo | Shared for ads |
| Geolocation (coarse) | Region | Localization | Session | No |
| Purchase data | Transactions | Billing, tax | 7 years | No |
| Inferences | Interest segments | Personalization, ads | 12 mo | Shared for ads |
Notice at collection
What to say
State categories, purposes, whether sale/share occurs, retention, and link to your privacy and cookie policies. Include the Do Not Sell/Share link where applicable.
Placement
Use banners, headers, and form-level notices. Ensure mobile visibility and include GPC acknowledgment where users expect it.
Sensitive personal information
Limitation option
If you use sensitive data, provide a “Limit the Use of My Sensitive Personal Information” link or toggle. Explain what changes when users opt out.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowAvoid unnecessary collection
Collect only what you need; avoid sensitive data in analytics/ads. Document justifications and safeguards.
Common mistakes to avoid
- Hiding or omitting the Do Not Sell/Share link.
- Ignoring GPC signals.
- Missing retention details or vague statements.
- Treating ad tech as service providers without proper contracts.
- Offering only one rights request channel.
- Failing to log requests and outcomes.
Enforcement examples and lessons
Sephora CPRA settlement (2022)
The California AG’s 1.2 million USD settlement, outlined in the press release, shows the risk of ignoring GPC and opaque tracking.
FTC dark pattern actions
The FTC has penalized deceptive opt-outs. Make flows clear and balanced.
Meta GDPR fine (2023)
Though EU-focused, the 1.2 billion EUR fine reported by Reuters underscores the need for transparent transfers, relevant if you handle both California and EU users.
Operational playbook
Quarterly tasks
- Re-scan cookies/SDKs and update the Cookie Policy.
- Refresh data inventories, categories, and retention.
- Test Do Not Sell/Share links and GPC handling.
- Audit vendor contracts for CPRA terms.
- Update privacy policy if categories or purposes change.
Change management
- Add a privacy checkpoint to product launches with new tracking or data uses.
- Keep a changelog of policy updates with dates and approvers.
- Notify users of material changes; require re-acceptance if terms change.
Accessibility and localization
- Use plain language and clear headings.
- Make links prominent on mobile.
- Provide accessible forms for rights requests.
- Translate notices if you serve multilingual audiences.
Audit and evidence kit
| Artifact | Purpose | Storage |
|---|---|---|
| Policy versions with timestamps | Prove disclosures | Policy archive |
| Opt-out/GPC logs | Prove honoring signals | CMP/consent platform |
| Rights request logs | Show SLA compliance | Ticketing/CRM |
| Vendor contracts | Show service provider terms | Legal/procurement |
| Screenshots of banners/links | Show placement | Compliance folder |
Metrics to monitor
- Opt-out and GPC signals processed vs. failed.
- Rights request volumes and resolution times.
- Vendor contract coverage.
- Time from product change to policy/banner updates.
- Bounce/exit rates on opt-out pages; reduce friction if high.
Example notice at collection (short form)
We collect identifiers (name, email, device data) and internet activity (pages viewed, clicks) to provide and improve our services. We may share certain data for advertising. See our Privacy Policy and Cookie Policy, manage preferences in our Do Not Sell/Share link, and learn how we honor Global Privacy Control signals.
Data map starter for CCPA/CPRA
| Category | Examples | Purpose | Sale/Share? | Retention | Service provider? |
|---|---|---|---|---|---|
| Identifiers | Name, email | Accounts, support | No | Account life + 12 mo | Yes |
| Internet activity | Pages, clicks | Analytics, ads | Shared | 13 mo | Some |
| Inferences | Interest segments | Personalization/ads | Shared | 12 mo | Some |
| Location (coarse) | City/region | Localization | No | Session | Yes |
| Transaction data | Orders | Billing, support | No | 7 years | Yes |
Governance and ownership
- Privacy lead: owns policy updates, rights handling, and vendor reviews.
- Marketing: owns ad tech approvals and opt-out/GPC testing.
- Engineering: owns banner/preference center behavior and logging.
- Support: handles rights request intake and verification.
- Legal: reviews contracts and CPRA clauses; signs off on policy edits.
30-day action plan
- Week 1: Update privacy/cookie policies with categories, purposes, retention, and sale/share status. Add Do Not Sell/Share links and test GPC.
- Week 2: Refresh vendor list and contracts; configure preference center and tag manager to honor opt-outs.
- Week 3: Capture screenshots, consent/opt-out logs, and publish a changelog. Train support/marketing on new language.
- Week 4: Monitor opt-out metrics, rights request SLAs, and fix any banner/link issues; schedule next quarterly review.
Templates to reuse
Email footer
California residents: manage cookies and opt out of sale/share via our preference center. We honor Global Privacy Control signals.
Do Not Sell/Share page intro
Use the controls below to opt out of sale/share for advertising cookies. We will honor your Global Privacy Control signal automatically. Learn more in our Privacy Policy and Cookie Policy.
Troubleshooting and remediation
- Opt-outs not honored: pause offending tags, fix CMP/tag manager rules, retest, and log the incident.
- Missing link on mobile: adjust header/footer layouts and retest on multiple devices.
- Vendor missing CPRA terms: send contract addendum; disable until compliant if necessary.
- GPC not detected: update CMP config, test with multiple browsers, and document proof once fixed.
Evidence and audit expansion
- Store CMP exports showing opt-in/opt-out and GPC signals.
- Keep copies of notices at collection with effective dates.
- Retain training records for teams handling rights and opt-outs.
- Maintain a versioned changelog with approvers and screenshots for every policy/banner update.
Policy text blocks (long form)
- Sale/Share disclosure: “We share certain internet activity data (for example, pages viewed and interactions with ads) with advertising partners. This may be considered ‘sharing’ under the CPRA. You can opt out anytime via our Do Not Sell/Share link or by using a browser that sends GPC.”
- Sensitive data limitation: “If you provide sensitive personal information, we use it only for the purposes disclosed and offer a Limit Sensitive Personal Information option where required.”
Extended rights handling workflow
- Intake: capture request, identity info, and category of right.
- Verify identity proportionally to sensitivity.
- Locate data across systems and vendors; initiate vendor requests if needed.
- Respond within 45 days (plus extension if necessary) with explanation or denial basis.
- Record actions, timestamps, and proof of completion.
- Update metrics dashboard and lessons learned.
Publication checklist
- Privacy policy updated with CPRA content.
- Do Not Sell/Share link and preference center live.
- Cookie banner and policy aligned with opt-outs.
- CTA banners placed; FAQ schema enabled.
- Screenshots and changelog captured.
Conclusion and next steps
Use this template to publish a compliant CCPA/CPRA privacy policy and keep it updated. Link to the Privacy Policy Generator, Cookie Policy Generator, and Terms of Service Generator, capture evidence of opt-outs and requests, and review quarterly to maintain trust with California users.