What is CCPA and how is it different from CPRA?

CCPA = California Consumer Privacy Act, effective 2020. CPRA = California Privacy Rights Act, effective 2023, which amended and expanded CCPA. Most current references use "CCPA / CPRA" together to mean the current California privacy law. The 2026 regulations added ADMT (Automated Decision-Making Technology) disclosures.

Does CCPA apply to my business?

CCPA applies to for-profit businesses that do business in California AND meet one of three thresholds: (1) gross revenue ≥ $25m, (2) buy/sell/share personal info of ≥ 100k California residents annually, (3) derive ≥ 50% of revenue from selling/sharing personal info. Even if you don't meet these thresholds, CCPA-like disclosure is best practice and many vendors require it in DPAs.

What is the difference between "selling" and "sharing" under CCPA?

CCPA "sale" means exchanging personal info for monetary or other valuable consideration. CPRA added "sharing" to cover cross-context behavioral advertising — using personal info to show ads to the consumer based on inferences about them across different services. Both trigger the opt-out requirement.

Do I need to honor Global Privacy Control?

Yes for businesses subject to CCPA. The California Attorney General has issued multiple enforcement letters about GPC, treating browser-sent GPC signals as valid "Do Not Sell or Share" opt-out requests. The privacy policy should commit to honoring GPC explicitly.

Home / Privacy Policy / CCPA Privacy Policy Generator

CCPA Privacy Policy Generator

A privacy policy with the CCPA / CPRA disclosures California regulators expect — categories of PI, sale / sharing opt-out, the 2026 ADMT and sensitive-PI updates.

Generate my CCPA privacy policy → Free preview · No signup · 2 minutes

Categories of personal information enumerated per §1798.130(a)(5)
Sale / sharing opt-out and Global Privacy Control respected
CPRA 2026 ADMT + sensitive-PI subsection covered

CCPA and its successor CPRA are the strictest US privacy regulations and the most actively enforced. The 2026 amendments added automated-decision-making transparency disclosures and tightened the sensitive-personal-information subsection — both of which most "CCPA compliant" templates have not been updated for. A real CCPA policy enumerates the categories of personal information collected (not just "personal data"), describes the sale / sharing opt-out mechanism, names sensitive PI handling, and addresses the new 2026 ADMT disclosure. This page generates one calibrated for current California enforcement.

What CCPA / CPRA requires

Disclosures grounded in the actual statutory text.

Categories of personal information collected

CCPA §1798.130(a)(5)(B) requires specific enumeration: identifiers, customer records, characteristics of protected classes, commercial information, biometrics, internet activity, geolocation, sensory data, professional info, education info, inferences. "Personal data" as a single bucket fails.

Right to Know, Right to Delete, Right to Correct

Three primary consumer rights. The policy must describe each, the methods to exercise them (two methods required for businesses meeting certain thresholds), and the response window.

Sale and sharing opt-out

Required if you "sell" or "share" personal information — CPRA expanded "sharing" to include cross-context behavioral advertising via cookies / pixels. Need a "Do Not Sell or Share My Personal Information" link and a Global Privacy Control honor commitment.

Sensitive Personal Information (CPRA 2023+)

Subsection for sensitive PI: SSN, driver's license, account credentials, precise geolocation, racial / ethnic origin, religious beliefs, union membership, mail / email / text contents, genetic / biometric data, health, sex life / orientation. Right to limit use applies.

ADMT — Automated Decision-Making Technology (2026)

CPRA 2026 regulations require disclosure when automated decision-making technology produces legal or similarly significant effects on consumers. Most policies have not been updated for this.

Retention statements

CPRA 2023+ requires retention periods or the criteria used to determine them, per category of personal information. Generic "as long as necessary" is no longer sufficient.

Common mistakes

Where CCPA / CPRA templates usually go wrong.

Generic "personal data" categorization

CCPA requires the specific categories from §1798.130(a)(5). Most templates skip this and use the GDPR-style single bucket.
No GPC honor commitment

Global Privacy Control signals are now treated as valid opt-out requests by California AG. Policies that don't commit to honoring GPC have attracted enforcement letters.
No ADMT disclosure

CPRA 2026 added ADMT transparency. Templates from 2023 / 2024 don't cover this. Worth updating before California enforcement starts treating it as expected.

Ready to generate your CCPA / CPRA privacy policy?

A 2-minute wizard with the CCPA / CPRA jurisdiction pre-selected. Free preview shows the first three sections — pay $2 only if you want to unlock the full document.

Generate my CCPA privacy policy →

FAQ