Skip to Content Skip to Navigation

Is your business required to have a GDPR compliant privacy policy?

Whether it’s your first time creating a privacy policy, or you want to bring an existing one into line with the latest regulations, there are a number of distinct compliance requirements outlined in the General Data Protection Regulation (GDPR).

The California Consumer Privacy Act (CCPA) is a set of data privacy regulations that came into effect in 2020. It applies to any organisation that does “business” in California that meets certain criteria.

At its core, the CCPA was created to give Californian citizens more control and protection over their personal information. It includes tighter regulations around the collection and sale of personal information, particularly for the Internet age.

To understand what the new law means for your existing privacy policy, let’s start by unpacking what the CCPA considers “personal information”.

What is “personal information” under the CCPA?

Under the CCPA, personal information is defined as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Beyond people’s names, addresses, emails, and social security numbers, information such as geolocation data or IP addresses are also considered personal information (you can view a more exhaustive list of the different types of personal information here).

To achieve CCPA compliance, you should start by reviewing your current privacy practices to see if all types of personal information that you collect about customers are being accounted for.

What needs to be disclosed in a CCPA policy?

In addition to your standard privacy policy clauses, a CCPA policy should disclose your business’ practices around the following:

  • Cookies and pixels.
    Cookies and pixels are online tracking tools that collect information about visitors to your site that is often used for retargeting and other online advertising purposes.You might already have these covered off with a cookie banner on your website, but you’ll need to ensure that your website has a link or other mechanism that allows visitors to opt-out of tracking.You will also need to disclose exactly what and how many types of cookies are being used on your website, and why, so that users can make an informed choice on opting out or not.
  • Do Not Track.
    “Do Not Track” refers to a browser setting that users can use to signal that they don’t want their information tracked, while visiting a certain website.Under the CCPA, users have the ‘Right to Opt-Out’ of the sale of their personal information to third parties. Here, “sale” also covers sharing information that benefits your business in any way. For instance, you could be tracking users through a Facebook pixel on your site and disclosing that information to Facebook to fuel your next advertising campaign.While you aren’t legally obligated to acknowledge a user’s Do Not Track request, you must disclose whether or not your business will recognise these requests.
  • The Right to Know and Delete.
    The Right to Know refers to users’ right to request for a business to disclose any personal information that is collected about them, and the Right to Delete enables users to request the deletion of this information.Your policy will need to include explanations of what these rights mean for users and how they can exercise them.You’ll also need to inform users upfront about your data collection and deletion practices.For example, the CCPA states that organisations must respond to a deletion request within 45 days, which should be reflected in your policy.
  • Shine the Light.
    Originally passed in 2003, “Shine the Light” is another Californian privacy law that was intended to provide more transparency on business’ data sharing practices.
    To demonstrate compliance with the law, you’ll need to disclose whether you share information with any third parties, and, upon a customer’s request, list the types of information that has been shared and the third parties it was shared with.

    Again, you will have to explain to users how they can submit a request for the above information.

These are just some of the CCPA-specific clauses that should be included in your policy. You can check out our comprehensive CCPA privacy policy template here for more detail.

As with any legal document, it’s important to speak to a legal professional to determine the specific regulations that apply to your business; what is required for you to achieve compliance; and how to customise your privacy policy to suit.

Generate a CCPA privacy policy with

Create a custom CCPA-ready privacy policy for your business with

Generate Your Privacy Policy Now