CPRA Privacy Policy Template

If California-based users are accessing your website, then you should have an existing Privacy Policy that complies with the California Consumer Privacy Act (CCPA). But on January 1, 2023, the California Privacy Rights Act amendments to the CCPA (CPRA) take effect.

The CPRA builds on the rights and responsibilities established under the CCPA. As a result, any business that processes the data of California residents will need to revisit and, where necessary, update their Privacy Policy to ensure it complies with the CPRA amendments.

In this article, we'll break down what you'll need to do to update your Privacy Policy for the CPRA. We also provide a CPRA Privacy Policy Template, linked at the end of the article.

Does the CPRA Apply to Your Business?

Key updates in the CPRA include:

• The establishment of the California Privacy Protection Agency to monitor and enforce the CPRA
• Further restrictions on how businesses handle users' personal data
• Enhanced data protection rights for consumers

If the CCPA does not currently apply to your business, then the CPRA won't apply.

Under the CPRA amendments, the CCPA now applies if:

• Your annual gross revenue exceeds $25 million
• You process the personal data of more than 100,000 California residents or households in a year, or
• You generate at least half of your annual revenue by sharing or selling the personal data of California users

If any of these criteria apply to your business, you will need to review and update your Privacy Policy to make sure it's compliant with the CPRA.

How to Create a CPRA-Compliant Privacy Policy

Under the CPRA, if you collect users' personal data you must have a Privacy Policy that includes:

• An explanation of users' rights and your data access request process
• A category-by-category explanation of the data you collect, where you got it, the purpose of collecting it, and who you have shared it with

Your CPRA-compliant Privacy Policy may already contain most of this information. But the CPRA creates several new consumer rights and notification requirements for businesses. You will need to review and, where appropriate, update your Privacy Policy to reflect these changes.

Relevantly, the CPRA amendment creates:

1. A new category for data called sensitive personal information
2. A right to correct personal information
3. A right to opt out of data sharing
4. A requirement for businesses to notify users of their data retention process
5. A requirement for businesses to notify users of automated decision-making

Let's take a closer look at each of these and how to address them in your Privacy Policy.

New Category For Data - Sensitive Personal Information

In addition to the 11 categories of personal information under the CCPA, the CPRA identifies a new category of data called sensitive personal information. If your business collects sensitive personal information, you will need to update your Privacy Policy and website to notify users of this.

What is Sensitive Personal Information?

Sensitive personal information includes:

• Government-issued identifying numbers e.g. drivers license, passport, or social security number
• Financial account details that allow access to an account, such as a credit card number and access code
• Genetic data
• Precise geolocation
• Race or ethnicity
• Religious or philosophical beliefs
• Union membership
• The contents of a user's mail, email, or text messages (unless your business is the intended recipient)
• Biometric data, when collected for the unique identification of a user
• Health data, when collected and analyzed
• Sexual orientation or sex life, when collected and analyzed

If the information is already publicly available, it isn't sensitive personal information.

If your business collects any of the above data, you need to include sensitive personal information as a separate category in your Privacy Policy, explaining where you collected it, the purpose of collecting it, and who you have shared it with.

For example, MicroStrategy's current Privacy Policy includes a separate section for California residents, listing the eight categories of personal information it collects:

Under the CPRA amendment, if MicroStrategy collects sensitive personal information, it will need to add it to this table as a separate category.

User Rights Regarding Sensitive Personal Information

The CPRA amendment allows users to limit the collection and use of their sensitive personal information.

This must be done via a link from your homepage labeled "Limit the Use of My Sensitive Personal Information." This link should direct users to a separate page where they can register their preferences.

If a user exercises their right to limit the use of their sensitive personal information, it can only be used in very limited circumstances including "to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services."

Right to Correct Personal Information

The CPRA amendment gives users the right to correct any inaccuracies in their personal information.

You must explain this in your Privacy Policy and set out the relevant process. You must provide two ways for users to correct their information, for example, via a toll-free number and an email address.

Under this new right, upon receiving a user request you must make "commercially reasonable efforts" to correct the inaccurate personal information within 45 days.

Red Hat's Privacy Policy contains a clause that addresses additional data protection rights under EU, Brazilian, Chinese, and California law, including the right to correct personal data:

It also provides both an online form and toll-free number for users to contact to correct their personal information:

Right to Opt Out of Data Sharing

Under the CPRA amendment, users can opt out of their personal data (including personal sensitive information) being shared with a third party. This expands on the CCPA which allows users to opt out of their data being sold i.e. in exchange for payment.

To ensure compliance with the CPRA, your Privacy Policy must notify users of this right. On your homepage, you should also add a link to a page that allows users to opt out of information sharing.

The Weather Channel's Privacy Policy contains a separate clause explaining users' rights under the CCPA. This includes the right to opt out of the sale of personal information:

The Privacy Policy explains users can opt out of the sale of their data by changing the settings on the website and app. It also provides a contact email address for further assistance.

To make its Privacy Policy CPRA-compliant, The Weather Channel needs to update it to include the right to opt out of data sharing. It also needs to add a link to its homepage to a page where users can opt out of data sharing.

We can see an example of this in Connexity's website footer, concerning the sale of data:

Under the CPRA amendment, Connexity needs to update the link and opt out page to include data sharing.

Data Retention Notification

The CCPA already required businesses to outline the category of data they collect and how they use and share it within their Privacy Policy.

The CPRA expands this obligation and requires you to also explain to users how long you intend to keep their information. This must be explained for each category of data you collect.

In the absence of providing a specific timeframe for the retention of personal information, you must explain the criteria for the disposal of it. You cannot keep information for longer than is reasonably necessary.

This can either be done in your notice at collection or in a clause in your Privacy Policy.

In its Privacy Policy, SaaS company Ermetic has a general data retention clause stating it keeps data for as long as necessary for the purposes in the Privacy Policy. It then lists the five criteria it uses to determine the retention period:

To ensure its Privacy Policy is CPRA-compliant, Ermetic needs to replace this general statement with an explanation of its data retention processes for each category of data it collects.

Automated Decision-Making Notification

Under the CPRA, you must notify users if their data will be used for automated decision-making (or data profiling) and allow them to opt out of the process. This requirement is especially relevant to businesses that use AI to process or analyze users' personal information.

Unlike the requirement for data retention notification, this can be a general statement that applies to all the types of data you collect.

We can see an example of this in Nordea Markets' Privacy Policy (although this clause relates to an equivalent requirement under the General Data Protection Regulation):

Under the CPRA, users can opt out of their data being used to profile:

• Behavior
• Health
• Economic situation
• Location or movements
• Interest
• Personal preferences
• Performance at work
• Reliability

The CPRA tasks the California Privacy Protection Agency with further clarifying and developing regulations around automated decision-making. It will be important to monitor these developments and update your Privacy Policy as necessary.

How to Display a Privacy Policy Under the CPRA

One of the most significant changes under the CPRA is the requirement for businesses to inform users "at or before the point of collection" as to how their data will be used and stored.

At a minimum, you must display an explanation of users' rights under the CPRA, including a category-by-category breakdown of whether you have collected data, where you got it, how you use it, and who you've disclosed it to in the past 12 months.

You must also explain how users can request access to their data.

You can do this by adding a separate webpage to your website detailing the rights of Californian users under the CPRA.

However, the easiest and safest way to ensure compliance with the CPRA amendments is to include this information in your Privacy Policy, which is clearly displayed on your website and easy to navigate to.

Best practice suggests displaying a link to your Privacy Policy in the footer of your webpage or the navigation mention for your site.

For example, GoDaddy's website footer gives users two links to view its Privacy Policy. Firstly, in its About menu, under Legal, and, secondly, via a direct link:

You can also include a link to your Privacy Policy in a pop-up box when a user signs up for your product, subscription, or service.

How to Get Users to Agree to the Privacy Policy

To reinforce your Privacy Policy and its protections, you should ask users to agree to your Privacy Policy. You can do this using a checkbox that users can click to show they agree.

Here's an example from This pop-up can be displayed when a user first navigates to your website, purchases your product, or subscribes to your service.

Here's an example from MeWe:

Summary of a CPRA Privacy Policy

The CPRA amendments to the CCPA will apply as of January 1, 2023. The CPRA expands on the data protection rights and obligations under the CCPA.

Relevantly, the CPRA creates:

1. A new category for data called sensitive personal information
2. A right to correct personal information
3. A right to opt out of data sharing
4. A requirement for businesses to notify users of their data retention process
5. A requirement for businesses to notify users of automated decision-making

It's important you review and update your Privacy Policy to ensure it's compliant with these updates.

Download Sample CPRA Privacy Policy Template

Our Sample CPRA Privacy Policy Template will be available soon.

Generate a Privacy Policy in just a few minutes

More Privacy Policy Templates

More specific Privacy Templates are available on our blog.