Privacy Policy
(CCPA and CPRA Compliant)
Summary
This privacy policy form is an external, customer-facing data privacy policy intended for entities covered by the disclosure and transparency requirements of the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA). This template includes practical guidance, drafting notes, and alternate clauses. The purpose of the privacy policy is to provide consumers with a comprehensive description of a business's personal information practices, to inform consumers about their rights about their personal information, and to provide any information necessary for them to exercise those rights. Cal. Code Regs. tit. 11, § 7011(a). Privacy policies can vary depending on unique factors (e.g., the nature of the data collected, industry-specific regulatory obligations, and protections for certain types of consumers), and should be tailored to account for your organization's specific business objectives and intended audience. Before drafting a privacy policy, it is crucial to perform a data mapping exercise. You will need to know what personal data is collected (categories of personal information and sensitive personal information), the purposes for which it is being collected, the sources of collection, and the third parties to whom personal data is disclosed, before you can provide the information required by this policy. You will also need to know where the information is stored to comply with individual requests to exercise their rights under the CCPA/CPRA. All statutory references in this document are to sections in effect on Jan. 1, 2023. At the time of publication, the California Privacy Protection Agency (CPPA) had not finalized the CPRA regulations. This article is based on the plain language of the CPRA. The final regulations may modify some of the CPRA's requirements discussed in the drafting notes of this template. For additional content related to the CCPA and CPRA, see Data Privacy and Cybersecurity State Law Compliance Resource Kit (CA). For a full listing of related California consumer privacy content, see California Consumer Privacy Resource Kit (CCPA and CPRA). For a full listing of related data security & privacy content for first-year associates, see First-Year Associate Resource Kit: Data Security and Privacy. For general information on drafting a privacy policy, see Privacy Policies: Drafting a Policy. For more information on California privacy policies, see CCPA/CPRA Regulations Compliance: Notice Requirements, CCPA/CPRA Compliance: Updating a Privacy Policy Checklist, Privacy Policy Clause: How to Exercise Your Rights (CCPA and CPRA Compliant), and Privacy Policy Clause: Description of Consumer Rights (CCPA and CPRA Compliant). For a short video on the topic, see Privacy Policy Fundamentals: Preliminary Considerations for Drafting a Privacy Notice Video. For guidance on complying with the CCPA/CPRA, see Data Privacy and Cybersecurity State Law Compliance Resource Kit (CA). For a list of statutes related to privacy, see Labor & Employment in California § 7-3. For caselaw on the topic, see People v Sephora United States, 2022 Cal. Super. Lexis 79250.