Does CCPA apply to my business?

CCPA applies to for-profit businesses that collect California residents' personal information AND meet at least one of: $25M+ annual gross revenue, buy/sell/share data of 100,000+ consumers, or derive 50%+ revenue from selling personal data. Most small businesses are below these thresholds, but if you process any California data, voluntary compliance is good practice.

What is the difference between CCPA and CPRA?

CPRA (California Privacy Rights Act) is an amendment to CCPA that took full effect January 2023. It expanded CCPA with additional rights, established the California Privacy Protection Agency, and created a new category of "sensitive personal information." Most references to "CCPA" today actually mean "CCPA as amended by CPRA."

What does "Do Not Sell My Personal Information" mean?

CCPA gives California consumers the right to opt out of having their personal information sold or shared. If your business sells data (which CCPA defines broadly to include sharing for advertising), you must display a "Do Not Sell My Personal Information" link in your footer.

CCPA Privacy Policy — California Compliance Made Simple

Last updated: April 20266 min readLegal Tools

The California Consumer Privacy Act (CCPA) is the strictest US state privacy law and the model for similar laws in Virginia, Colorado, Connecticut, and other states. If you process data from California residents and meet the size thresholds, CCPA applies to you regardless of where your business is based.

Does CCPA Apply to You?

CCPA applies to for-profit businesses that:

Collect personal information of California residents
Determine the purposes and means of processing
Do business in California (which includes selling to California customers from outside the state)

AND meet at least ONE of these thresholds:

Annual gross revenue over $25 million
Buy, sell, or share personal information of 100,000+ California residents annually
Derive 50% or more of annual revenue from selling personal information

Most small businesses do not meet these thresholds and are technically exempt. However, voluntary compliance is recommended because (a) similar state laws apply elsewhere, (b) thresholds may be expanded, and (c) compliance is good practice for user trust.

What CCPA Requires in a Privacy Policy

Your privacy policy must include:

Categories of personal information collected in the past 12 months
Sources of that information (directly from users, from third parties, etc.)
Business purposes for collecting the information
Third parties with whom you share the information
Whether you sell or share personal information
The categories of personal information sold in the past 12 months (or that none was sold)
California consumer rights and how to exercise them
Contact methods for privacy requests (must include at least two — email, web form, toll-free number, etc.)
Date of last update

The free privacy policy generator includes all of these when you enable the CCPA option.

Generate a CCPA-compliant policy in 2 minutes.

Open Privacy Policy Generator →

California Consumer Rights

CCPA gives California residents specific rights:

Right	What it means	How to exercise
Right to know	See what data you collect about them	Privacy request form
Right to delete	Request deletion of their data	Privacy request form
Right to correct	Fix inaccurate data (added by CPRA)	Privacy request form
Right to opt-out of sale	Stop you from selling their data	"Do Not Sell" link in footer
Right to limit use	Restrict use of sensitive data (CPRA)	Privacy request form
Right to non-discrimination	Same service whether or not they exercise rights	Built into your practices
Right to data portability	Get their data in a portable format	Privacy request form

Your privacy policy must explain each right and how to exercise it. Best practice: provide a dedicated email ([email protected]) and a web form for privacy requests.

"Do Not Sell My Personal Information" Link

If your business "sells" or "shares" personal information (under CCPA's broad definition), you must:

Display a "Do Not Sell or Share My Personal Information" link clearly visible in your footer
Provide a mechanism for opting out (typically a form or toggle)
Process opt-out requests within 15 business days
Honor the opt-out for at least 12 months before asking again

CCPA defines "sale" broadly to include sharing data with third parties for cross-context behavioral advertising — which means using Facebook Pixel, Google Ads remarketing, or similar technologies counts as "selling" under CCPA.

Sensitive Personal Information (CPRA Addition)

CPRA created a new category of "sensitive personal information" with additional protections:

Government IDs (SSN, driver's license, passport)
Account login credentials
Precise geolocation
Racial or ethnic origin
Religious beliefs
Union membership
Genetic data
Biometric data
Health information
Sexual orientation
Communications content (mail, email, text)

If you collect any of these, your policy must specifically mention them and California users have the right to limit your use of sensitive data to specific purposes.

Notice at Collection

CCPA requires a "notice at collection" — an upfront disclosure when you collect personal information. The privacy policy fulfills this requirement, but you must:

Make the notice accessible at or before the point of collection
Explain what categories you collect
State the purposes for which categories will be used
Indicate whether each category is sold or shared
Specify retention periods for each category

The privacy policy linked from every signup form, checkout page, and footer satisfies this for most websites.

Categories of Personal Information Under CCPA

CCPA defines 11 categories your policy should address:

Identifiers (name, alias, IP address, email)
Customer records (phone, address, payment info)
Protected classifications (age, race, gender)
Commercial information (purchase history, products considered)
Biometric information
Internet/network activity (browsing history, search history, interactions)
Geolocation data
Sensory data (audio, visual, thermal, olfactory)
Professional or employment information
Education information (non-public)
Inferences drawn from the above to create a profile

For each category you collect, your policy should disclose the source and the business purpose.

Penalties

CCPA penalties:

$2,500 per unintentional violation
$7,500 per intentional violation
$2,500-$7,500 per affected consumer in private actions for data breaches

"Per consumer" matters: a single non-compliance issue affecting 10,000 California users could mean millions in fines.

Other State Laws Following CCPA

Several US states have passed similar privacy laws:

Virginia (VCDPA) — effective 2023
Colorado (CPA) — effective 2023
Connecticut (CTDPA) — effective 2023
Utah (UCPA) — effective 2023
Texas (TDPSA) — effective 2024
Oregon, Montana, and others — effective 2024-2025

A CCPA-compliant privacy policy generally satisfies these other state laws too. Adding GDPR compliance on top covers most international requirements.

Compliance Checklist

Generate a CCPA-enabled privacy policy
List all 11 CCPA personal information categories you collect (or those that don't apply)
Add a "Do Not Sell or Share My Personal Information" link in footer (if applicable)
Set up a privacy request process (email + form)
Train your team on responding to data requests within 45 days
Update annually or when practices change

Get California-compliant in 5 minutes.