Sample CPRA Privacy Policy Template

Last updated on 16 August 2022 by Kate Stacey (Legal writer at TermsFeed)
If California-based users are accessing your website, then you should have an existing Privacy Policy that complies with the California Consumer Privacy Act (CCPA). But on January 1, 2023, the new California Privacy Rights Act of 2020 (CPRA) comes into effect.

The CPRA builds on the rights and responsibilities established under the CCPA. As a result, any business that processes the data of California residents will need to revisit and, where necessary, update its Privacy Policy to ensure it complies with the CPRA.

In this article, we'll break down what you'll need to do to update your Privacy Policy for the CPRA. We will also release a CPRA Privacy Policy Template shortly and link it at the end of the article when available.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.
  2. Answer some questions about your website or app.
  3. Answer some questions about your business.
  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

You'll be able to instantly access and download your new Privacy Policy.

Does the CPRA Apply to Your Business?

Key updates in the CPRA include:

  • The establishment of the California Privacy Protection Agency to monitor and enforce the CPRA
  • Further restrictions on how businesses handle users' personal data
  • Enhanced data protection rights for consumers

If the CCPA does not currently apply to your business, then the CPRA won't apply.

The CPRA applies if:

  • Your annual gross revenue exceeds $25 million
  • You process the personal data of more than 100,000 California residents or households in a year, or
  • You generate at least half of your annual revenue by sharing or selling the personal data of California users

If any of these criteria apply to your business, you will need to review and update your Privacy Policy to make sure it's compliant with the CPRA.

How to Create a CPRA-Compliant Privacy Policy

Under the CPRA, if you collect users' personal data you must have a Privacy Policy that includes:

  • An explanation of users' rights and your data access request process
  • A category-by-category explanation of the data you collect, where you got it, the purpose of collecting it, and who you have shared it with

Your CCPA-compliant Privacy Policy may already contain most of this information. But the CPRA creates several new consumer rights and notification requirements for businesses. You will need to review and, where appropriate, update your Privacy Policy to reflect these changes.

Relevantly, the CPRA creates:

  1. A new category for data called sensitive personal information
  2. A right to correct personal information
  3. A right to opt out of data sharing
  4. A requirement for businesses to notify users of their data retention process
  5. A requirement for businesses to notify users of automated decision-making

Let's take a closer look at each of these and how to address them in your Privacy Policy.

New Category For Data - Sensitive Personal Information

In addition to the 11 categories of personal information under the CCPA, the CPRA identifies a new category of data called sensitive personal information. If your business collects sensitive personal information, you will need to update your Privacy Policy and website to notify users of this.

What is Sensitive Personal Information?

Sensitive personal information includes:

  • Government-issued identifying numbers, e.g. driver's license, passport, or social security number
  • Financial account details that allow access to an account, such as a credit card number and access code
  • Genetic data
  • Precise geolocation
  • Race or ethnicity
  • Religious or philosophical beliefs
  • Union membership
  • The contents of a user's mail, email, or text messages (unless your business is the intended recipient)
  • Biometric data, when collected for the unique identification of a user
  • Health data, when collected and analyzed
  • Sexual orientation or sex life, when collected and analyzed

If the information is already publicly available, it isn't sensitive personal information.

If your business collects any of the above data, you need to include sensitive personal information as a separate category in your Privacy Policy, explaining where you collected it, the purpose of collecting it, and who you have shared it with.

For example, MicroStrategy's current Privacy Policy includes a separate section for California residents, listing the eight categories of personal information it collects:

MicroStrategy Privacy Policy: California Residents clause and chart excerpt

Under the CPRA, if MicroStrategy collects sensitive personal information, it will need to add it to this table as a separate category.

User Rights Regarding Sensitive Personal Information

The CPRA allows users to limit the collection and use of their sensitive personal information.

This must be done via a link from your homepage labeled "Limit the Use of My Sensitive Personal Information." This link should direct users to a separate page where they can register their preferences.

If a user exercises their right to limit the use of their sensitive personal information, it can only be used in very limited circumstances including "to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services."

Right to Correct Personal Information

The CPRA gives users the right to correct any inaccuracies in their personal information.

You must explain this in your Privacy Policy and set out the relevant process. You must provide two ways for users to correct their information, for example, via a toll-free number and an email address.

Under this new right, upon receiving a user request you must make "commercially reasonable efforts" to correct the inaccurate personal information within 45 days.

Red Hat's Privacy Policy contains a clause that addresses additional data protection rights under EU, Brazilian, Chinese, and California law, including the right to correct personal data:

Red Hat Privacy Policy: Your Rights and Choices clause excerpt - Rectify and correct data section highlighted

It also provides both an online form and toll-free number for users to contact to correct their personal information:

Red Hat Privacy Policy: Your Rights and Choices clause excerpt - Contact information section

While Red Hat's Privacy Policy refers to the CCPA, this clause appears to be compliant with the right to correct requirements under the CPRA.

Right to Opt Out of Data Sharing

Under the CPRA, users can opt out of their personal data (including sensitive personal information) being shared with a third party. This expands on the CCPA, which only allows users to opt out of their data being sold, i.e. exchanged for payment.

To ensure compliance with the CPRA, your Privacy Policy must notify users of this right. On your homepage, you should also add a link to a page that allows users to opt out of information sharing.

The Weather Channel's Privacy Policy contains a separate clause explaining users' rights under the CCPA. This includes the right to opt out of the sale of personal information:

Weather Channel Privacy Policy: CCPA Notice clause - Data Rights - Opt out of sale of personal information section

The Privacy Policy explains users can opt out of the sale of their data by changing the settings on the website and app. It also provides a contact email address for further assistance.

To make its Privacy Policy CPRA-compliant, The Weather Channel needs to update it to include the right to opt out of data sharing. It also needs to add a link to its homepage to a page where users can opt out of data sharing.

We can see an example of this in Connexity's website footer, concerning the sale of data:

Connexity website footer with Do Not Sell My Data link highlighted

Under the CPRA, Connexity needs to update the link and opt out page to include data sharing.

Data Retention Notification

The CCPA already requires businesses to outline the category of data they collect and how they use and share it within their Privacy Policy.

The CPRA expands this obligation and requires you to also explain to users how long you intend to keep their information. This must be explained for each category of data you collect.

If you do not provide a specific retention timeframe for personal information, you must explain the criteria you use to decide when to dispose of it. You cannot keep information for longer than is reasonably necessary.

This can either be done in your notice at collection or in a clause in your Privacy Policy.

In its Privacy Policy, SaaS company Ermetic has a general data retention clause stating it keeps data for as long as necessary for the purposes in the Privacy Policy. It then lists the five criteria it uses to determine the retention period:

Ermetic Privacy Policy: Data Retention clause

To ensure its Privacy Policy is CPRA-compliant, Ermetic needs to replace this general statement with an explanation of its data retention processes for each category of data it collects.

Automated Decision-Making Notification

Under the CPRA, you must notify users if their data will be used for automated decision-making (or data profiling) and allow them to opt out of the process. This requirement is especially relevant to businesses that use AI to process or analyze users' personal information.

Unlike the requirement for data retention notification, this can be a general statement that applies to all the types of data you collect.

We can see an example of this in Nordea Markets' Privacy Policy (although this clause relates to an equivalent requirement under the General Data Protection Regulation):

Nordea Markets Privacy Policy: Automated Decision-making clause

Under the CPRA, users can opt out of their data being used to profile:

  • Behavior
  • Health
  • Economic situation
  • Location or movements
  • Interest
  • Personal preferences
  • Performance at work
  • Reliability

The CPRA tasks the California Privacy Protection Agency with further clarifying and developing regulations around automated decision-making. It will be important to monitor these developments and update your Privacy Policy as necessary.

How to Display a Privacy Policy Under the CPRA

One of the most significant changes under the CPRA is the requirement for businesses to inform users "at or before the point of collection" as to how their data will be used and stored.

At a minimum, you must display an explanation of users' rights under the CPRA, including a category-by-category breakdown of whether you have collected data, where you got it, how you use it, and who you've disclosed it to in the past 12 months.

You must also explain how users can request access to their data.

You can do this by adding a separate webpage to your website detailing the rights of Californian users under the CPRA.

However, the easiest and safest way to ensure compliance with the CPRA is to include this information in your Privacy Policy, which is clearly displayed on your website and easy to navigate to.

Best practice suggests displaying a link to your Privacy Policy in the footer of your webpage or in the navigation menu for your site.

For example, GoDaddy's website footer gives users two links to view its Privacy Policy: first, in its About menu, under Legal, and second, via a direct link:

GoDaddy website footer with Legal and Privacy Policy links highlighted

You can also include a link to your Privacy Policy in a pop-up box when a user signs up for your product, subscription, or service.

How to Get Users to Agree to the Privacy Policy

To reinforce your Privacy Policy and its protections, you should ask users to agree to your Privacy Policy. You can do this using a checkbox that users can click to show they agree.

This pop-up can be displayed when a user first navigates to your website, purchases your product, or subscribes to your service.

Here's an example from MeWe:

MeWe registration form with checkboxes highlighted

Summary of a CPRA Privacy Policy

The CPRA will apply as of January 1, 2023. The CPRA expands on the data protection rights and obligations under the CCPA.

Relevantly, the CPRA creates:

  1. A new category for data called sensitive personal information
  2. A right to correct personal information
  3. A right to opt out of data sharing
  4. A requirement for businesses to notify users of their data retention process
  5. A requirement for businesses to notify users of automated decision-making

It's important you review and update your Privacy Policy to ensure it's compliant with these updates.

Download Sample CPRA Privacy Policy Template

Our Sample CPRA Privacy Policy Template will be available soon.

Kate Stacey

Legal writer at TermsFeed

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.