TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. CCPA/CPRA Privacy Policy Template
Compliance

CCPA/CPRA Privacy Policy Template

A comprehensive CCPA/CPRA privacy policy template with rights, notices, opt-outs, and implementation steps.

TermsBox Team|November 30, 20258 min read

California privacy law requires clear notices, easy opt-outs, and disciplined rights handling. This 2,000+ word template gives you the structure, examples, and checklists to publish a compliant CCPA/CPRA privacy policy. It reuses your CTA banners and links to the Privacy Policy Generator, Cookie Policy Generator, and Terms of Service Generator so your policy stack stays consistent.

Core sections to include

Categories, purposes, and retention

List the categories of personal information you collect, their purposes, and retention periods or criteria. Align these with your data map and vendor list.

Sources and recipients

Describe sources (direct from users, devices, third parties) and recipients (service providers, contractors, and third parties). Clarify if sharing is sale/share for ads.

Sale/share and opt-outs

State whether you sell/share data and provide a Do Not Sell/Share link. Explain Global Privacy Control (GPC) handling and confirm it is honored.

Rights and request handling

Consumer rights

Explain access, deletion, correction, portability, opt-out of sale/share, limit sensitive data use, and non-retaliation.

Request process

Provide at least two contact methods, verification steps, and timelines (45 days plus possible extension). Describe appeal options if you offer them.

Step-by-step drafting workflow

  1. Map data categories, purposes, retention, and recipients.
  2. Update the Privacy Policy structure with CCPA/CPRA disclosures.
  3. Add a Do Not Sell/Share link and preference center; test GPC.
  4. Refresh your Cookie Policy to classify cookies and explain opt-outs.
  5. Cross-link policies in footer, banner, and forms.
  6. Add schema FAQ from this frontmatter and place CTA banners under intro and before the conclusion.
  7. Capture screenshots of the policy, banners, preference center, and opt-out flows.
  8. Train support and marketing on rights handling and approved language.
  9. Log versions, approvers, and evidence.
  10. Review quarterly or after product/vendor changes.

Example data categories table

Category Examples Purpose Retention Sold/Shared?
Identifiers Name, email Accounts, support Account life + 12 mo No
Internet activity Pages viewed, clicks Analytics, performance 13 mo Shared for ads
Geolocation (coarse) Region Localization Session No
Purchase data Transactions Billing, tax 7 years No
Inferences Interest segments Personalization, ads 12 mo Shared for ads

Notice at collection

What to say

State categories, purposes, whether sale/share occurs, retention, and link to your privacy and cookie policies. Include the Do Not Sell/Share link where applicable.

Placement

Use banners, headers, and form-level notices. Ensure mobile visibility and include GPC acknowledgment where users expect it.

Sensitive personal information

Limitation option

If you use sensitive data, provide a “Limit the Use of My Sensitive Personal Information” link or toggle. Explain what changes when users opt out.

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now

Avoid unnecessary collection

Collect only what you need; avoid sensitive data in analytics/ads. Document justifications and safeguards.

Common mistakes to avoid

  • Hiding or omitting the Do Not Sell/Share link.
  • Ignoring GPC signals.
  • Missing retention details or vague statements.
  • Treating ad tech as service providers without proper contracts.
  • Offering only one rights request channel.
  • Failing to log requests and outcomes.

Enforcement examples and lessons

Sephora CPRA settlement (2022)

The California AG’s 1.2 million USD settlement, outlined in the press release, shows the risk of ignoring GPC and opaque tracking.

FTC dark pattern actions

The FTC has penalized deceptive opt-outs. Make flows clear and balanced.

Meta GDPR fine (2023)

Though EU-focused, the 1.2 billion EUR fine reported by Reuters underscores the need for transparent transfers, relevant if you handle both California and EU users.

Operational playbook

Quarterly tasks

  • Re-scan cookies/SDKs and update the Cookie Policy.
  • Refresh data inventories, categories, and retention.
  • Test Do Not Sell/Share links and GPC handling.
  • Audit vendor contracts for CPRA terms.
  • Update privacy policy if categories or purposes change.

Change management

  • Add a privacy checkpoint to product launches with new tracking or data uses.
  • Keep a changelog of policy updates with dates and approvers.
  • Notify users of material changes; require re-acceptance if terms change.

Accessibility and localization

  • Use plain language and clear headings.
  • Make links prominent on mobile.
  • Provide accessible forms for rights requests.
  • Translate notices if you serve multilingual audiences.

Audit and evidence kit

Artifact Purpose Storage
Policy versions with timestamps Prove disclosures Policy archive
Opt-out/GPC logs Prove honoring signals CMP/consent platform
Rights request logs Show SLA compliance Ticketing/CRM
Vendor contracts Show service provider terms Legal/procurement
Screenshots of banners/links Show placement Compliance folder

Metrics to monitor

  • Opt-out and GPC signals processed vs. failed.
  • Rights request volumes and resolution times.
  • Vendor contract coverage.
  • Time from product change to policy/banner updates.
  • Bounce/exit rates on opt-out pages; reduce friction if high.

Example notice at collection (short form)

We collect identifiers (name, email, device data) and internet activity (pages viewed, clicks) to provide and improve our services. We may share certain data for advertising. See our Privacy Policy and Cookie Policy, manage preferences in our Do Not Sell/Share link, and learn how we honor Global Privacy Control signals.

Data map starter for CCPA/CPRA

Category Examples Purpose Sale/Share? Retention Service provider?
Identifiers Name, email Accounts, support No Account life + 12 mo Yes
Internet activity Pages, clicks Analytics, ads Shared 13 mo Some
Inferences Interest segments Personalization/ads Shared 12 mo Some
Location (coarse) City/region Localization No Session Yes
Transaction data Orders Billing, support No 7 years Yes

Governance and ownership

  • Privacy lead: owns policy updates, rights handling, and vendor reviews.
  • Marketing: owns ad tech approvals and opt-out/GPC testing.
  • Engineering: owns banner/preference center behavior and logging.
  • Support: handles rights request intake and verification.
  • Legal: reviews contracts and CPRA clauses; signs off on policy edits.

30-day action plan

  • Week 1: Update privacy/cookie policies with categories, purposes, retention, and sale/share status. Add Do Not Sell/Share links and test GPC.
  • Week 2: Refresh vendor list and contracts; configure preference center and tag manager to honor opt-outs.
  • Week 3: Capture screenshots, consent/opt-out logs, and publish a changelog. Train support/marketing on new language.
  • Week 4: Monitor opt-out metrics, rights request SLAs, and fix any banner/link issues; schedule next quarterly review.

Templates to reuse

Email footer

California residents: manage cookies and opt out of sale/share via our preference center. We honor Global Privacy Control signals.

Do Not Sell/Share page intro

Use the controls below to opt out of sale/share for advertising cookies. We will honor your Global Privacy Control signal automatically. Learn more in our Privacy Policy and Cookie Policy.

Troubleshooting and remediation

  • Opt-outs not honored: pause offending tags, fix CMP/tag manager rules, retest, and log the incident.
  • Missing link on mobile: adjust header/footer layouts and retest on multiple devices.
  • Vendor missing CPRA terms: send contract addendum; disable until compliant if necessary.
  • GPC not detected: update CMP config, test with multiple browsers, and document proof once fixed.

Evidence and audit expansion

  • Store CMP exports showing opt-in/opt-out and GPC signals.
  • Keep copies of notices at collection with effective dates.
  • Retain training records for teams handling rights and opt-outs.
  • Maintain a versioned changelog with approvers and screenshots for every policy/banner update.

Policy text blocks (long form)

  • Sale/Share disclosure: “We share certain internet activity data (for example, pages viewed and interactions with ads) with advertising partners. This may be considered ‘sharing’ under the CPRA. You can opt out anytime via our Do Not Sell/Share link or by using a browser that sends GPC.”
  • Sensitive data limitation: “If you provide sensitive personal information, we use it only for the purposes disclosed and offer a Limit Sensitive Personal Information option where required.”

Extended rights handling workflow

  1. Intake: capture request, identity info, and category of right.
  2. Verify identity proportionally to sensitivity.
  3. Locate data across systems and vendors; initiate vendor requests if needed.
  4. Respond within 45 days (plus extension if necessary) with explanation or denial basis.
  5. Record actions, timestamps, and proof of completion.
  6. Update metrics dashboard and lessons learned.

Publication checklist

  • Privacy policy updated with CPRA content.
  • Do Not Sell/Share link and preference center live.
  • Cookie banner and policy aligned with opt-outs.
  • CTA banners placed; FAQ schema enabled.
  • Screenshots and changelog captured.

Conclusion and next steps

Use this template to publish a compliant CCPA/CPRA privacy policy and keep it updated. Link to the Privacy Policy Generator, Cookie Policy Generator, and Terms of Service Generator, capture evidence of opt-outs and requests, and review quarterly to maintain trust with California users.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Cookie Policy Generator

Create a cookie policy for GDPR compliance

Terms of Service Generator

Create terms of service for your platform

Related Articles

Compliance

Australian Data Protection Laws: A Complete Business Guide

Understand Australian data protection laws including the Privacy Act 1988, state legislation, and compliance requirements for businesses.

April 4, 202612 min read
Compliance

Australian Privacy Act 1988: What Businesses Need to Know

A practical guide to the Australian Privacy Act 1988, covering the 13 APPs, compliance requirements, penalties, and how the Act applies to your business.

April 4, 202616 min read
Compliance

Australian Privacy Legislation: A Complete Guide

Learn about Australian privacy legislation, including the Privacy Act 1988, APPs, and compliance steps for businesses handling personal information.

April 4, 202612 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • Core sections to include
  • Categories, purposes, and retention
  • Sources and recipients
  • Sale/share and opt-outs
  • Rights and request handling
  • Consumer rights
  • Request process
  • Step-by-step drafting workflow
  • Example data categories table
  • Notice at collection
  • What to say
  • Placement
  • Sensitive personal information
  • Limitation option
  • Avoid unnecessary collection
  • Common mistakes to avoid
  • Enforcement examples and lessons
  • Sephora CPRA settlement (2022)
  • FTC dark pattern actions
  • Meta GDPR fine (2023)
  • Operational playbook
  • Quarterly tasks
  • Change management
  • Accessibility and localization
  • Audit and evidence kit
  • Metrics to monitor
  • Example notice at collection (short form)
  • Data map starter for CCPA/CPRA
  • Governance and ownership
  • 30-day action plan
  • Templates to reuse
  • Email footer
  • Do Not Sell/Share page intro
  • Troubleshooting and remediation
  • Evidence and audit expansion
  • Policy text blocks (long form)
  • Extended rights handling workflow
  • Publication checklist
  • Conclusion and next steps
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.