Written by

Robert Bateman

Post-graduate law degree, CIPP/E from the International Association of Privacy Professionals (IAPP). Privacy and Data Protection Research Writer at TermsFeed.

Twitter LinkedIn Website

Robert Bateman

On this page

The California Consumer Privacy Act (CCPA/CPRA) requires businesses under its scope to provide a number of notices addressing a variety of issues.

In this article, we're going to look at what the CCPA (CPRA) specifically requires, how businesses are providing CCPA-compliant notice and how you can create your own notices to stay compliant with the CCPA (CPRA).

Note that the CCPA was updated, amended and expanded by the CPRA. This expansion took effect on Jan. 1 2023.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.



CCPA (CPRA): A Brief Introduction

Since the CCPA passed in 2018, businesses have been working hard to provide appropriate notice to consumers regarding the collection and use of their personal information.

But the definition of "consumer" in the current CCPA (CPRA) is broader than many people realize. Any California resident can be a consumer: not just the public (e.g. your customers and users of your website), but also your employees.

Let's look more specifically at this and at some other relvant terminology under the CCPA (CPRA).

Which Businesses are Covered by the CCPA (CPRA)?

The CCPA (CPRA) applies if a business is "doing business in California" (regardless of where the business itself is located), and one or more of the following characteristics apply to it:

  • It has annual gross revenues of $25 million or more
  • It buys, sells, shares for commercial purposes, or receives for commercial purposes, the personal information of more than 100,000 California consumers, devices, or households per year
  • It derives at least 50 percent of its annual revenues from the selling or sharing of consumers' personal information

What is "Doing Business in California?"

The CCPA (CPRA) applies to businesses all over the world. If you want to "do business" in California, and you fall under the CCPA/CPRA's scope, you must comply with the act.

Doing business in California might include the following:

  • Selling goods or services to California consumers
  • Hiring California consumers as contractors or employees
  • Buying, selling, sharing, or receiving the personal information of California consumers

What is a "Consumer?"

The CCPA (CPRA) defines a consumer as a "natural person" (i.e. not a "legal person" such as a corporation) who is a California resident. The CCPA (CPRA) takes its definition of "California resident" from another law, 18 CCR § 17014.

18 CCR Section 17104: Definition of Resident

This includes not only your customers but any California resident whose personal information your business collects, including employees.

What is "Personal Information?"

Different privacy laws define "personal information" in different ways. The CCPA (CPRA) defines personal information more broadly than any other U.S. privacy law. Here's the definition of personal information in the CCPA (CPRA):

CCPA Section 1798-140: Definition of Personal Information

The CCPA gives many examples of personal information, including:

  • Full name
  • Alias/username
  • IP address
  • Browsing history

Try not to think of personal information only as information that describes or identifies a consumer. If a piece of information could be reasonably linked to a consumer, it's personal information.

The CPRA amendment introduces the concept of sensitive personal information under the CCPA.

What are the CCPA (CPRA) Consumer Notices?

What are the CCPA Consumer Notices?

Under the CCPA (CPRA), consumers have a "right to notice." This means they have the right to a variety of information, including information about what personal information your business collects, uses, shares, and sells, and what their other rights are regarding this.

The following principles apply when you are creating your consumer notices:

  • Use clear and plain language.
  • Make your notices clear and conspicuous, even on small screens.
  • Use whatever language you normally use to communicate with consumers.
  • Provide your notices in alternative formats for consumers with disabilities.
  • If you're collecting personal information on paper, you must provide a hard copy of your notices.

Let's look at what notices you must provide under the CCPA (CPRA).

Notice at Collection

You must ensure that your notice at collection is presented to consumers before you collect their personal information.

Your Notice at Collection must:

  • Identify the types of personal information you're collecting
  • Explain the business or commercial purposes for which you collect personal information
  • How long you plan to retain this information for
  • Provide a link to your "Do Not Sell My Personal Information" page (if you have one)
  • Provide a link to your Privacy Policy

Here's an excerpt from a Notice at Collection created by Central Valley Community Bank:

Central Valley Community Bank: CCPA Notice at Collection - Category and Intended Use excerpt

The table shows a list of categories of personal information that the business collects, together with its intended uses of the personal information.

Further down, the business offers to provide the notice in alternative formats and provides a link to its Privacy Policy:

Central Valley Community Bank: CCPA Notice at Collection - Other Important Information section

Here's an excerpt from Master and Dynamic's notice at collection:

Master and Dynamic Notice at Collection: Excerpt of chart for categories of personal information collected and for what business or commercial purposes

The same applies for employee notices.

Here's an example of a Notice at Collection that Pyrotek provides to job applicants:

Pyrotek CCPA Notice for Applicants: Professional or Employment Related Information clause

Privacy Policy

Amending your Privacy Policy is one of the most important parts of CCPA (CPRA) compliance. A Privacy Policy is mandatory for all businesses that collect personal information.

We've broken this requirement down into seven sections and provided some examples from businesses that are meeting these requirements.

The Right to Know

In the first section of your CCPA (CPRA) Privacy Policy, you should:

  • Explain the right to know, including that consumers may ask what personal information you collect, use, disclose for business purposes, and/or sell.
  • Explain how consumers can make a request. If you provide a web form that enables them to make a request, provide a link to this form.
  • Explain your process for verifying a consumer's identity, including any information you will ask them for.

Here's how Technicolor's CCPA Privacy Notice explains the right to know:

Technicolor CCPA Privacy Policy: Right to know clause excerpt

You'll also need to:

  • Explain how you have processed personal information over the past 12 months:

    • Provide a list of each category of personal information you have collected.

    • For each category of personal information on the list, explain:

      • Where you obtained it (the "categories of sources")
      • Your business or commercial purposes for collecting it
      • Any third parties with whom you share it

Here's an example from Weatherbit, disclosing the categories of personal information the business has collected over the past 12 months:

Weatherbit CCPA Privacy Notice: Information We Collect - Category chart excerpt

  • Explain how you have disclosed and/or sold personal information over the past 12 months:

    • Disclose whether you have sold or disclosed personal information for business purposes.
    • Provide a list of each category of personal information you have sold or disclosed for business purposes.
    • State whether your business has "actual knowledge" of having sold the personal information of minors.

Here's part of the Privacy Policy of IrvingGQ. It explains the categories of personal information that the company has disclosed for business purposes and the categories of recipients to whom the business disclosed it:

IrvingGQ CCPA Privacy Notice: Sharing Personal Information clause

The Right to Delete

  • Explain the right to delete: That consumers may request that you delete personal information you have collected about them.
  • Explain how consumers can make a request under the right to delete. If you provide a web form that enables them to make a request, provide a link to this form.
  • Explain your process for verifying a consumer's identity, including any information you will ask them for.

Here's how Oreck covers the first two points above:

Oreck CCPA Terms and Privacy Policy: Right to Delete clause

The Right to Opt Out

You must provide Notice of the Right to Opt Out (also known as a "Do Not Sell My Personal Information" page) if you sell consumers' personal information.

Here's how Thomson Reuters does this:

Thomson Reuters Privacy Statement: Do Not Sell My Personal Information clause

You'll need to do the following to facilitate the right to opt out:

  • Explain the right to opt out
  • Provide an opt out form
  • Inform consumers of any alternative opt-out methods
  • Describe any verification requirements you have for authorized agents
  • Display a link to your Privacy Policy

You should provide Notice of the Right to Opt Out via a clear and conspicuous link that reads "Do Not Sell My Personal Information" or "Do Not Sell My Info."

Here's an excerpt from a Notice of the Right to Opt Out from Publisher's Clearing House (PCH):

PCH Notice of the Right to Opt Out

Note that PCH allows consumers to provide their account number, but does not require them to do so. This is good. You must not require consumers to create an account with your business in order for them to be able to exercise their CCPA (CPRA) rights.

The Right to Non-Discrimination

Explain the right to non-discrimination.

Here's how CooperSurgical does this:

CooperSurgical CCPA Privacy Policy: Non-Discrimination clause

Note that you may not need to go into this much detail to comply with the CCPA (CPRA). In particular, the section about financial incentive schemes (in the red box) is not required unless you operate such a scheme.

Authorized Agent

Explain how an authorized agent can make a CCPA (CPRA) request on a consumer's behalf.

Here's how Ironwood Pharmaceuticals does this:

Ironwood Pharma California Consumer Privacy Policy: Authorized Agents clause

Note how the business uses clear and straightforward language in its explanation.

Contact Information

Provide contact details via which a consumer can request further information.

Here's an example from eHealthInsurance:

eHealthInsurance Privacy Policy: Contact clause - Updated

Note how this business provides a broad range of contact options for consumers.

Date of Last Update

Disclose the date you last updated your Privacy Policy.

Here's how Salt Edge does this:

Salt Edge Privacy Policy: Date Last Revised section

Note that you must update your Privacy Policy once every 12 months under the CCPA (CPRA). Even if nothing changes, simply add a "Last Updated" date or something similar to show you have reviewed it.

Notice of Financial Incentive

You only need to provide a Notice of Financial Incentive if you operate a financial incentive scheme.

The CCPA (CPRA) allows a business to offer consumers discounts or other benefits in exchange for their personal information, so long as the business meets certain conditions.

Your Notice of Financial Incentive must:

  1. Summarize the scheme
  2. Provide the terms of the scheme and the categories of personal information you collect
  3. Explain how to opt in
  4. Explain how to withdraw

  5. Provide:

    1. An estimate of the value of participating consumers' personal information
    2. An explanation of how you calculated this value

Here's an extract of a Notice of Financial Incentive from Prodege:

Prodege Notice of Financial Incentive

In this excerpt, Prodege sets out the terms of its scheme and explains how consumers can opt in and opt out.

For more information about this notice, please see our "CCPA (CPRA) Notice of Financial Incentives" article.

Additional Requirements

You only need to provide this information if your business buys, sells, receives, and/or shares the personal information of more than 4 million consumers per year.

  • With respect to the past 12 months, disclose:

    • The number of "right to know" requests you received
    • The number of "right to delete" requests you received
    • The number of "right to opt out" requests you received

  • For each item above, disclose:

    • How many requests you fulfilled (in whole or in part), how many requests you rejected, and your average response time (the median number of days)

Summary

To fulfill the right to notice, all businesses covered by the CCPA (CPRA) must provide up to four types of consumer notice:

  • Notice at Collection
  • Privacy Policy
  • Notice of the Right to Opt Out
  • Notice of Financial Incentive

Each of these types of notices have more nuanced requirements, but the key is being transparent and disclosing your privacy practices as well as the rights that consumers have.

This can be accomplished by updating your Privacy Policy and creating the required notices and appropriately displaying them on your business website.