casemark/ccpa-policy

CCPA/CPRA Privacy Policy

Generates a California Consumer Privacy Act / California Privacy Rights Act compliant privacy policy with all required statutory disclosures.

Quick Start

Gather before drafting:

• Applicability trigger — ≥$25M revenue, ≥100K consumer records bought/sold/shared, or ≥50% revenue from selling/sharing PI
• Data inventory — categories collected (per § 1798.140), sources, retention periods
• Purpose map — business/commercial purpose per data category
• Third-party sharing — service providers, contractors, ad networks, affiliates; distinguish business-purpose disclosure from sale/sharing
• SPI flag — whether sensitive personal information (§ 1798.121) is collected and right-to-limit applies
• Children's data — actual knowledge of collection from consumers under 16
• Request channels — minimum two methods (toll-free number + web URL required)
• Contact details — legal name, mailing address, privacy contact, DPO/CPO if appointed

Policy Sections

Draft each section in order:

1. Introduction

Effective date, scope (California residents), applicable threshold, governing law (CCPA as amended by CPRA + CPPA regulations).

2. Personal Information Collected

| Statutory Category (§ 1798.140) | Examples | Sources | |---|---|---| | Identifiers | Name, email, IP, account ID | Direct, automated | | Commercial information | Purchase history, preferences | Direct, transaction systems | | Internet/network activity | Browsing, search, interactions | Automated (cookies, pixels) | | Geolocation | Precise physical location | App/device | | Professional/employment | Job title, employer | Direct | | Inferences | Profiles, characteristics | Internal analytics | | Sensitive PI | SSN, financial, health, biometric | Per § 1798.121 |

Populate from data inventory. Omit inapplicable rows.

3. Use Purposes

Map each purpose to its data categories:

• Transaction fulfillment and services
• Customer service / account management
• Payment processing
• Fraud detection and security
• Debugging and error repair
• Research, analytics, improvement
• First-party marketing
• Cross-context behavioral advertising (triggers sale/sharing opt-out)
• Legal compliance

4. Sharing Disclosures

| Recipient Type | Categories Shared | Purpose | |---|---|---| | Service providers / contractors | [list] | Business purposes; contractually restricted | | Ad networks | [list] | Behavioral advertising (= "sharing" under CPRA) | | Analytics providers | [list] | Performance analytics | | Affiliates | [list] | [specify] | | Government / law enforcement | [list] | Legal process |

If selling/sharing for cross-context behavioral advertising: include conspicuous "Do Not Sell or Share My Personal Information" link (§ 1798.135). State whether business has actual knowledge of selling/sharing PI of consumers under 16.

5. Consumer Rights

| Right | Basis | Key Detail | |---|---|---| | Know | § 1798.110 | Categories + specific pieces; 12-month lookback | | Delete | § 1798.105 | Subject to statutory exceptions | | Correct | § 1798.106 | Inaccurate PI | | Opt-Out of Sale/Sharing | § 1798.120 | Cross-context behavioral advertising | | Limit SPI Use | § 1798.121 | Sensitive PI only | | Data Portability | § 1798.110(d) | Machine-readable format | | Non-Discrimination | § 1798.125 | No denial/differential pricing |

6. Request Procedures

• Methods (≥2 required): toll-free number, web form, email (optional)
• Verification: match consumer-provided info against records; no account creation required
• Timelines: acknowledge within 10 business days; respond within 45 calendar days (extendable +45 with notice)
• Authorized agents: signed written permission or POA; may verify directly with consumer
• Frequency: two free Right-to-Know requests per 12 months

7. Children's Privacy

| Age | Requirement | |---|---| | Under 13 | Parent/guardian opt-in (§ 1798.120(d)) | | 13–15 | Consumer opt-in |

If no knowing collection from under-16 consumers, state explicitly with safeguards.

8. Policy Updates

Specify revision triggers, notice method for material changes, effective date, and version archiving commitment.

9. Contact Information

Legal name, mailing address, privacy email, toll-free number, DPO/CPO (if applicable), request portal URL.

Pitfalls

• Accuracy over aspiration — policy must reflect actual practices; material discrepancies risk Cal. Bus. & Prof. Code § 17200 liability
• Statutory terms of art — use "service provider," "sell," "share" exactly as CCPA defines them; plain language everywhere else
• CPRA alignment — right to correct, right to limit SPI, and CPPA rulemaking must be current; verify latest CPPA regulations
• Conspicuous posting — homepage-accessible, accessibility-compliant
• Cross-document coordination — align with cookie policy, employee privacy notice, vendor DPAs
• Annual review — minimum annually and upon material practice or legal changes
• Legal review required — qualified California privacy counsel must review before publishing