Sample California Privacy Policy Template

California has the strictest privacy laws in the United States. And it's also a huge, tech-savvy market. You must not do anything that compromises your operations in this important state.

Several California laws require website operators to create a Privacy Policy, and each of these laws has very specific requirements about what the Privacy Policy must contain.

To avoid legal trouble with the California Attorney General, you must ensure your Privacy Policy complies with all relevant California laws.


California Privacy Policy Laws

In this article, we'll be taking you through four important California-specific laws that you may have to comply with if you have users in California (no matter where you're based).

The laws are:

  • The California Online Privacy Protection Act (CalOPPA)
  • The California "Shine the Light" law
  • The California Consumer Privacy Act (CCPA)
  • The California "Online Eraser" law

We're not going into too much detail about any of these laws in this article. We're going to focus on:

  • The main purpose of the laws
  • Whether the laws apply to you
  • What is "personal information" under the laws
  • Any specific requirements for your Privacy Policy

If you want to know more about any of these laws, we have articles about all of them. Just click the relevant link above.

FAQ: California Privacy Policy

Here is a list of frequently asked questions that you may find useful.

The laws in California that require a Privacy Policy are:

  • The California Online Privacy Protection Act (CalOPPA)
  • The California "Shine the Light" law
  • The California Consumer Privacy Act (CCPA)
  • The California "Online Eraser" law

Yes, if you do business with people located in California.

Privacy laws protect the people in a given region, so for compliance purposes what matters is where your customers are located, not where your business is based.

Each of the California privacy laws requires different content in your California-compliant Privacy Policy. Here's a breakdown by law:

CalOPPA:

  • The effective date of your Privacy Policy
  • How you'll notify users of updates to your Privacy Policy
  • The categories of personal information you collect
  • The categories of third parties that you may (or do) share personal information with
  • A disclosure about whether third parties may collect the users' personal information across other websites once they've used your website or app
  • A description of any system you use that allows your users to review or request changes to their personal information
  • How you respond to "Do Not Track" signals

"Shine the Light" law:

  • A disclosure of what rights users have under this law
  • Instructions on how users can exercise these rights

CCPA:

  • A list of the CCPA consumer rights and how users can exercise these rights
  • What categories of personal information you've collected in the last 12 months
  • What categories of personal information you've sold in the last 12 months
  • What categories of personal information you've disclosed for business purposes in the last 12 months

"Online Eraser" law:

  • A method for minors to remove or request removal of their personal information from your website or app

Update your existing Privacy Policy to include the following California-specific requirements.

You can add the information to your general Privacy Policy, create a separate California Privacy Policy, or add a dedicated "California Users" section to your Privacy Policy. Either way, you'll need to cover:

  • The effective date of your Privacy Policy
  • How you'll notify users of updates to your Privacy Policy
  • The categories of personal information you collect
  • The categories of third parties that you may (or do) share personal information with
  • A disclosure about whether third parties may collect the users' personal information across other websites once they've used your website or app
  • A description of any system you use that allows your users to review or request changes to their personal information
  • How you respond to "Do Not Track" signals
  • A disclosure of what rights users have under this law
  • Instructions on how users can exercise these rights
  • A list of the CCPA consumer rights and how users can exercise these rights
  • What categories of personal information you've collected in the last 12 months
  • What categories of personal information you've sold in the last 12 months
  • What categories of personal information you've disclosed for business purposes in the last 12 months
  • A method for minors to remove or request removal of their personal information from your website or app

Make sure to display your Privacy Policy link conspicuously, such as in your website footer and in your mobile app "About" or "Legal" menu.

California privacy laws require that you provide a "conspicuous" link to your California-compliant Privacy Policy. Put this link in your website footer along with other important legal agreements like your Terms and Conditions agreement.

You should also add a link to your California-compliant Privacy Policy at areas of your website where you request to collect personal information.

For example:

  • Email newsletter sign-up forms
  • Contact forms
  • Account sign-up forms
  • Ecommerce checkout pages

For mobile apps, the same concept applies. Add a link to your California-compliant Privacy Policy in a menu within your app, such as an "About" or "Legal" menu. Also add the link to other areas of your app where you request personal information, such as when a user creates an account or provides a telephone number for app notifications.

Make your California-compliant Privacy Policy enforceable by having your users click an unticked checkbox next to a statement that says something similar to "I have read and agree to the terms of the Privacy Policy."

You can also have users click a button that says something like "I Agree" next to a statement like the above if you don't want to use a checkbox.


California Online Privacy Protection Act (CalOPPA)

First, we're going to look at California's original, most widely applicable, and simplest privacy law, the California Online Privacy Protection Act (CalOPPA).

CalOPPA first passed in 2003 and got an update in 2013. It was the first US law requiring people to create and display a Privacy Policy on their website, identifying the personal information they collect about visitors to their website or users of their app.

Does CalOPPA Apply to Me?

CalOPPA applies to any "commercial website owner [who] collects and maintains personally identifiable information from a consumer residing in California."

This means that CalOPPA applies to virtually any company operating a website or app.

What is Personal Information Under CalOPPA?

CalOPPA uses the term "personally identifiable information." Most other privacy laws use the term "personal information" or "personal data." We're going to stick with the term "personal information" throughout this article.

Compared to many other privacy laws, such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), CalOPPA gives quite a narrow definition of personal information.

CalOPPA gives the following examples of personal information:

  • A first and last name
  • A home or other physical address, including street name and name of a city or town
  • An email address
  • A telephone number
  • A social security number
  • Any other identifier that allows the contacting of a specific individual
  • Information concerning a user that the website or online service collects online from the user and maintains in a personally identifiable form together with one of the identifiers above

What Must a CalOPPA Privacy Policy Contain?

A CalOPPA Privacy Policy must contain the following information:

  • The categories of personal information you collect via your website or app.
  • The categories of third parties with whom you may share that personal information.
  • If you have any system that allows your users to review or request changes to their personal information, a description of that system.
  • Information about how you'll inform users of when you make changes to your Privacy Policy.
  • The effective date of your Privacy Policy.
  • Information about how you respond to browser "Do Not Track" signals.
  • A disclosure regarding whether other parties may collect the user's personal information across other websites once they've used your website or app (i.e. whether your website or app allows behavioral tracking).

Here's an excerpt from Primaris' Privacy Policy that covers many of these requirements (others are covered elsewhere in Primaris' Privacy Policy):

Primaris Privacy Policy: CalOPPA section

California "Shine the Light" Law

California's "Shine the Light" law gives California residents the right, once per year, to request certain information about what kind of personal information your company has collected about them and then shared with third parties for direct marketing purposes.

Does the "Shine the Light" Law Apply to Me?

You must comply with California's "Shine the Light" law if all of the following three things apply.

Your business:

  • Has 20 or more employees
  • Has users who are California residents
  • Has shared personal information from any of your users with a third party for direct marketing purposes within the past 12 months

There are exemptions to the law. You can read more about these on our full article about the "Shine the Light" law, linked above.

What is Personal Information Under the "Shine the Light" Law?

The "Shine the Light" law lists 27 categories of personal information. If you share these categories of personal information with third parties for direct marketing purposes, you must disclose this to your users on request.

  • Name and address
  • Email address
  • Age or date of birth
  • Names of children
  • Email or other addresses of children
  • Number of children
  • Age or gender of children
  • Height
  • Weight
  • Race
  • Religion
  • Occupation
  • Telephone number
  • Education
  • Political party affiliation
  • Medical condition
  • Drugs, therapies, or medical products or equipment used
  • Kind of product the customer purchased, leased or rented
  • Real property purchased, leased, or rented
  • Kind of service provided
  • Social Security number
  • Bank account number
  • Credit card number
  • Debit card number
  • Bank or investment account, debit card or credit card balance
  • Payment history
  • Information about the customer's creditworthiness, assets, income, or liabilities

What Must a "Shine the Light" Law Privacy Policy Contain?

The first page of your Privacy Policy must describe your users' rights under the law and provide a mailing address and email address via which they can exercise those rights.

Here's how Newscorp does this:

Newscorp Privacy Policy: California Shine the Light Law clause

The "Shine the Light" law also requires that you display a link to your Privacy Policy on your website's home page. The link must contain the phrase "Your Privacy Rights" or "Your California Privacy Rights."

Here's how the Walt Disney company does this:

Walt Disney website homepage with California Privacy Rights link highlighted

Make this link accessible with your other legal agreements such as your Terms and Conditions agreement and general Privacy Policy.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is the most extensive California privacy law but applies to a narrow range of companies. It grants California residents new consumer rights and focuses on allowing them to opt out of the sale of their personal information.

Does the CCPA Apply to Me?

The CCPA mostly covers big businesses and "data brokers" - businesses that trade in personal information.

If your business operates for profit in California and it meets at least one of the following criteria, the CCPA might apply to you:

  • You raise gross annual revenues of at least $25 million
  • You (alone or in combination) buy, sell, receive (for commercial purposes), and/or share (for commercial purposes) personal information from at least 50,000:
    • Consumers
    • Households
    • Devices
  • You earn at least half of your gross annual revenues by selling personal information

What is Personal Information Under the CCPA?

The CCPA provides 11 specific categories of personal information. These categories are important because you'll need to make specific reference to them in your Privacy Policy. The categories are as follows:

  1. Identifiers
  2. Personal information as defined in the California Customer Records Statute
  3. Characteristics of protected classifications under California or federal law
  4. Commercial information
  5. Biometric information
  6. Internet or other electronic network activity information
  7. Geolocation data
  8. Audio, electronic, visual, thermal, olfactory, or similar information
  9. Professional or employment-related information
  10. Education information
  11. Inferences drawn from personal information to create a profile about a consumer

What Must a CCPA Privacy Policy Contain?

A CCPA Privacy Policy must contain information about the consumer rights granted by the CCPA, and information about how your business treats consumers' personal information.

For more information about the CCPA's consumer rights, and about terms such as "selling personal information," your "Do Not Sell My Personal Information" page, and "disclosing personal information for business purposes," see our article CCPA Privacy Policy Checklist.

Here's what you need for your CCPA Privacy Policy:

  • A list of the CCPA consumer rights:
    • The right to access
      • How consumers can exercise their right to access
    • The right to deletion
      • How consumers can exercise their right to deletion
    • The right to non-discrimination
    • If you sell personal information: the right to opt-out
      • A link to your "Do Not Sell My Personal Information" page
  • Disclosure of business practices over the past 12-month period:
    • Which categories of personal information you've collected in the past 12 months
    • Which categories of personal information you've sold in the past 12 months, or:
      • A disclosure that you haven't sold any personal information in the past 12 months
    • Which categories of personal information you've disclosed for business purposes in the past 12 months, or:
      • A disclosure that you haven't disclosed any personal information for business purposes in the past 12 months

Your Privacy Policy must be updated every 12 months. Even if you don't need to make any other changes to your Privacy Policy, we recommend you change the "effective date" each year.

California "Online Eraser" Law

The California "Online Eraser" law allows California minors (under 18 years of age) to remove content or personal information from your website or app if your website or app is aimed at minors. It also prohibits certain types of advertising to minors.

Does the Online Eraser Law Apply to My Business?

The "Online Eraser" law could apply to you if:

  • You operate a website or app
  • You direct your website or app specifically to California residents under 18 (minors), or:
    • You have "actual knowledge" that a minor is using your website or app (you don't need to keep records or actively check)
  • You use the minors' personal information for ad personalization

The "Online Eraser" law imposes some rules on your company even if it uses a third-party advertiser.

Under the "Online Eraser" law, you must inform your advertising partners of their obligations under the law.

What Must a California "Online Eraser" Law Privacy Policy Contain?

Your Privacy Policy must explain how minors can remove (or request removal of) their personal information from your website or app.

Here's an example from the American Licorice Company:

The American Licorice Company Privacy Policy: California Privacy Rights for Minor Users: The Minor Eraser Law clause

The American Licorice Company offers three ways for minors to erase their personal information from its site:

  • Log in using their username and password
  • Send the company an email
  • Send the company a letter

Other Privacy Laws You May Need to Obey

There are many other privacy laws you may need to obey that are not specific to California. These include:

Throughout this article, we've talked you through some California-specific laws. You can integrate the required information into your general Privacy Policy. Or, you can create a California-specific Privacy Policy, as Pearson has done:

Pearson Supplemental Privacy Statement for California Residents: Screenshot of intro

As long as you provide the required content and have appropriate linking to your California privacy information, you can take either approach.

Conspicuously Posting Your Privacy Policy

A major aspect of California privacy law is "conspicuously posting" your Privacy Policy on your website and/or app.

Note that the California "Shine the Light" law has some specific requirements that go above and beyond the information presented below.

How Do I Display My Privacy Policy On My Website?

To "conspicuously post" your Privacy Policy on your website, you could place a link using larger type than the other text on the page. You could also use a contrasting color or use arrows to draw attention to it.

You don't have to call your Privacy Policy a "Privacy Policy." Some companies use "Privacy Statement" or "Privacy Notice." Just make sure that the purpose of the document is obvious and make sure you use the word "privacy."

Post a conspicuous link like this on every page of your website where you collect personal information, such as where you have mailing list signups, registration forms, payment pages, etc.

Here's an example of the link to Amazon's Privacy Policy on its homepage, in the footer:

Amazon homepage and footer with Privacy Notice link highlighted

Amazon also presents its Privacy Policy when asking users to give their personal information at signup:

Amazon Create Account form with Privacy Notice highlighted

Take every opportunity to present your users with your Privacy Policy at points when it would be relevant (such as when you're requesting personal information from the user).

How Do I Display My Privacy Policy On My App?

To conspicuously post your Privacy Policy on your mobile app, first of all, you need to link to it in the Apple App Store and/or Google Play Store. For further information, see our articles: Privacy Policy for iOS Apps and Privacy Policy for Android Apps.

You can link to your Privacy Policy in the "Settings" or "About" menus of your app.

Here's how the Amazon Fire TV app presents its Privacy Policy within an in-app menu:

Amazon Fire TV app menu with Privacy Notice highlighted

You should also link to your Privacy Policy whenever you collect personal information within the app itself, e.g., at account creation screens, payment screens, etc.

Here's an example of how Monzo provides its Privacy Policy during installation:

Monzo app installation screen with Privacy Policy highlighted

The most important principle is to ensure that your users have easy access to your Privacy Policy within your app itself and not just on your website.

Your California Privacy Policy Template

Here's some of the information you'll need to include in your Privacy Policy to ensure you comply with the major California-specific privacy laws:

CalOPPA:

  • The categories of personal information you collect via your website or app.
  • The categories of third parties with whom you may share that personal information.
  • If you have any system that allows your users to review or request changes to their personal information, a description of that system.
  • Information about how you'll inform users of when you make changes to your Privacy Policy.
  • The effective date of your Privacy Policy.
  • Information about how you respond to browser "Do Not Track" signals.
  • A disclosure regarding whether other parties may collect the user's personal information across other websites once they've used your website or app.

California "Shine the Light" law:

  • Your users' rights under the law.
  • A method by which your users can exercise their rights under the law.

The CCPA:

  • A list of the CCPA consumer rights and information about how consumers can access those rights.
  • Disclosure of which categories of personal information you've collected in the past 12 months.
  • Disclosure of which categories of personal information you've sold in the past 12 months (or a declaration that you haven't done so).
  • A disclosure of which categories of personal information you've disclosed for business purposes in the past 12 months (or a declaration that you haven't done so).

California "Online Eraser" law:

  • A method by which minors can remove (or request removal of) their personal information from your website or app.

Remember to conspicuously post a link to your Privacy Policy on your website and/or app such as on your home page, within in-app menus and wherever you collect personal information.

Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.