CCPA Privacy Policy Generator
Free California Consumer Privacy Act Compliance
The California Consumer Privacy Act (CCPA) gives California residents specific rights over their personal information. If your website or app collects data from California users, your privacy policy must disclose what you collect, how you use it, and how consumers can exercise their rights.
PolicyGen generates a CCPA-aligned privacy policy draft in minutes — covering data categories, consumer rights, sale opt-out requirements, and contact details for privacy requests. Free, no account needed.
Site also receives EU visitors? Generate a GDPR policy to cover both frameworks.
Six rights your privacy policy must disclose
CCPA (and its amendment, the CPRA) gives California consumers six distinct rights. Your privacy policy should explain each right and describe how users can submit requests to exercise them.
Right to Know
Consumers can request disclosure of the categories and specific pieces of personal information collected about them, the sources, the business purpose, and the third parties it is shared with.
Right to Delete
Consumers can request that businesses delete their personal information, subject to certain exceptions such as completing a transaction or complying with a legal obligation.
Right to Opt Out of Sale
Consumers can direct businesses to stop selling their personal information to, or sharing it with, third parties. The policy must include or link to a clear 'Do Not Sell or Share My Personal Information' mechanism.
Right to Correct
Under the CPRA amendment, consumers can request correction of inaccurate personal information held by a business.
Right to Limit Sensitive Data Use
Consumers can limit how businesses use and disclose sensitive personal information such as Social Security numbers, precise geolocation, race, religion, health data, and financial details.
Right to Non-Discrimination
Businesses cannot penalise consumers for exercising their CCPA rights by denying goods, charging higher prices, or providing a lesser level of service.
Personal information categories CCPA covers
CCPA defines personal information broadly. Your policy must list which of these categories you have collected in the past 12 months — and for each category, explain the business or commercial purpose and whether it is sold or shared.
- Identifiers (name, email, IP address, device ID)
- Personal records (address, phone, financial or health information)
- Protected classifications (age, gender, race, religion)
- Commercial information (purchase history, products browsed)
- Internet and network activity (browsing history, search queries, site interactions)
- Geolocation data
- Sensory data (audio, visual, or thermal data from users)
- Professional or employment-related information
- Education information
- Inferences drawn to create a consumer profile
Sensitive personal information — a subset introduced by CPRA — includes Social Security numbers, precise geolocation, racial or ethnic origin, health data, financial account details, and private communications. If you collect these, your policy must include a separate 'Limit the Use of My Sensitive Personal Information' link or section.
How to generate your CCPA privacy policy
The fastest path to a CCPA-ready policy is to match the draft to the data practices your site or app actually follows today, then update it whenever those practices change.
Enter your business and site details
Provide your business name, website URL, and the contact email or web form consumers can use to submit privacy rights requests.
Select the data categories you collect
Choose which categories of personal information your site collects — analytics, marketing, account data, purchases, or third-party integrations.
Indicate whether you sell or share data
If you share data with advertising networks, data brokers, or third-party analytics in a way that constitutes a 'sale' under CCPA, select that option to include the required opt-out disclosure.
Generate and publish your policy
PolicyGen creates editable CCPA-aligned privacy policy text. Publish it on a dedicated URL, link it from your footer, and update it whenever your data practices change.
Tip: CCPA requires a clearly visible link titled "Do Not Sell or Share My Personal Information" on your homepage and in your privacy policy if you sell or share personal information. PolicyGen includes this language in the generated draft when you select the data-sharing option.
Build the full compliance stack
Most websites need more than one policy document. A CCPA policy covers California disclosures — but global visitors, cookie consent, and site usage rules each call for additional documents.
GDPR Privacy Policy
If your site has EU or UK visitors, pair your CCPA policy with a GDPR-compliant version covering lawful basis, data subject rights, and cookie disclosures.
Cookie Policy
CCPA treats cookie data as personal information. A standalone cookie policy helps satisfy disclosure requirements for analytics and advertising pixels.
Terms of Service
Terms of service cover site use rules, disclaimers, and limitations of liability — a natural companion to any privacy policy.
General Privacy Policy
Start here for a full-coverage privacy policy that addresses CCPA, GDPR, and general best practices in a single document.
CCPA privacy policy — frequently asked questions
Common questions about California Consumer Privacy Act requirements.
Does my website need a CCPA privacy policy?
You need a CCPA-compliant privacy policy if your business: (1) has annual gross revenues above $25 million, (2) buys or sells personal information of 100,000+ consumers or households per year, or (3) earns more than 50% of annual revenue from selling consumers' personal information. Smaller sites that collect data from California residents still benefit from CCPA-aligned disclosures.
What rights do California consumers have under CCPA?
The CCPA gives California residents the right to know what personal information is collected and how it is used, the right to delete their personal information, the right to opt out of the sale or sharing of their information, the right to correct inaccurate information, and the right to non-discrimination for exercising these rights.
What is the difference between CCPA and GDPR?
Both laws protect consumer privacy, but they differ in scope and approach. GDPR (EU) requires a lawful basis for processing and uses an opt-in consent model. CCPA (California) focuses on disclosure and an opt-out model for data sales. Businesses serving both audiences often need a single policy that satisfies both frameworks.
Does CCPA apply if I am not based in California?
Yes. CCPA applies based on where your consumers are located, not where your business is incorporated. Any business that meets the thresholds above and collects personal information from California residents must comply, regardless of its home state or country.
Does a free privacy policy generator cover CCPA requirements?
For most small and mid-sized websites, yes. A generator can produce the required disclosures about data categories collected, consumer rights, and how to submit requests. If your business is at or near the thresholds above or handles sensitive categories of data, a legal review is advisable in addition to the generated policy.
Generate your CCPA privacy policy now
Create a California-compliant privacy policy that covers consumer rights, data categories, sale opt-out, and contact details for privacy requests — free, in under two minutes.