Privacy Policy
(CCPA/CPRA)
Summary
This privacy policy template is an external, customer-facing data privacy policy intended for entities covered by the disclosure and transparency requirements of the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA). This template includes practical guidance, drafting notes, and optional and alternate clauses.
The purpose of the privacy policy is to provide consumers with a comprehensive description of a business's personal information practices, to inform consumers about their rights concerning their personal information, and to provide any information necessary for them to exercise those rights. 11 CCR 7011(a).
Privacy policies can vary depending on unique factors (e.g., the nature of the data collected, industry-specific regulatory obligations, and protections for certain types of consumers), and should be tailored to account for your organization's specific business objectives and intended audience.
Formatting and Appearance
The privacy policy must comply with 11 CCR 7003(a) and (b), which requires consumer disclosures to be:
• Easy to read and understandable (use plain, straightforward language and avoid technical or legal jargon)
• Readable on smaller screens
• Available in the languages in which the business ordinarily communicates with customers
• Reasonably accessible to consumers with disabilities (for notices provided online, follow generally recognized industry standards)
11 CCR 7011 also requires that the privacy policy be:
• Available in a format that allows a consumer to print it out as a document
• Posted online and accessible through a conspicuous link that complies with 11 CCR 7003(c) and (d), using the word "privacy" on the business's website homepage(s) or on the download or landing page of a mobile application. If the business has a California-specific description of consumers' privacy rights on its website, then the privacy policy must be included in that description.
A business that does not operate a website must make the privacy policy conspicuously available to consumers. A mobile application may include a link to the privacy policy in the application's settings menu.
Data Mapping
Before drafting a privacy policy, it is crucial to perform a data mapping exercise. You will need to know:
• What personal data is collected
• Why it is collected, sold/shared, and/or disclosed
• The sources it is collected from –and–
• The third parties it is sold to, shared with for cross-contextual behavioral advertising, or disclosed to for a business purpose
You will also need to know where the information is stored to comply with individual requests to exercise CCPA/CPRA rights.
For additional content related to California consumer privacy, see California Consumer Privacy Resource Kit (CCPA and CPRA). For a full listing of related California content, see Data Privacy and Cybersecurity State Law Compliance Resource Kit (CA). For a full listing of related data security & privacy content for first-year associates, see First-Year Associate Resource Kit: Data Security and Privacy. For general information on drafting a privacy policy, see Privacy Policies: Drafting a Policy.