May 28, 2026

CCPA Privacy Policy Requirements for California Businesses

If your business has California users, the CCPA requires specific disclosures in your privacy policy. Here's exactly what you must include — and how to generate a CCPA-compliant policy for free.

What Is the CCPA?

The California Consumer Privacy Act (CCPA), effective January 1, 2020, and strengthened by the CPRA in 2023, gives California residents broad rights over their personal data. Unlike GDPR (which applies to EU residents), the CCPA applies to California residents — meaning any business with California users may be subject to it.

Who Must Comply With the CCPA?

The CCPA applies to for-profit businesses that:

  • Have annual gross revenues over $25 million, OR
  • Buy, sell, receive, or share the personal information of 100,000 or more consumers or households per year, OR
  • Derive 50% or more of their annual revenues from selling consumers' personal information

Even if you don't meet these thresholds, it's best practice to comply, since many users expect CCPA-style protections.

What Must Your CCPA Privacy Policy Include?

Required Disclosures

Your privacy policy must disclose:

  • Categories of personal information collected (e.g., identifiers, commercial information, internet activity, geolocation)
  • Business or commercial purposes for collecting each category
  • Categories of third parties you share data with
  • Whether you "sell" or "share" personal information (under CCPA, "share" now includes sharing for cross-context behavioral advertising)

Consumer Rights You Must Honor

California residents have the right to:

  • Know what personal information you collect, use, disclose, and sell
  • Delete their personal information (with some exceptions)
  • Opt out of the sale or sharing of their personal information
  • Not be discriminated against for exercising their privacy rights
  • Correct inaccurate personal information (added by CPRA)
  • Limit use of sensitive personal information

Required Rights Mechanisms

Your website must include:

  • A "Do Not Sell or Share My Personal Information" link if you sell or share data
  • An opt-out mechanism for targeted advertising
  • A clear process for submitting data requests (email or web form)

Sensitive Personal Information

The CPRA created a new category: "sensitive personal information," which includes Social Security numbers, precise geolocation, race/ethnicity, health data, biometric data, and financial account credentials. If you collect this, you must provide a separate "Limit the Use of My Sensitive Personal Information" option.

Generating a CCPA-Compliant Privacy Policy

TermsDock's Privacy Policy Generator includes CCPA and CPRA disclosures. Select "California" as your governing law for state-specific language covering consumer rights, opt-out mechanisms, and the required disclosure categories.