CCPA Consumer Privacy Policy Template - California

**Prepared by:** [COMPANY NAME] **Effective Date:** [DATE] **Document Version:** 1.0


About This Document

**Classification:** CONFIDENTIAL / INTERNAL USE ONLY

---

## Table of Contents

- [1.0 Purpose and Scope](#10-purpose-and-scope)
- [2.0 Definitions and Interpretive Guidance](#20-definitions-and-interpretive-guidance)
- [3.0 Categories of Personal Information Collected](#30-categories-of-personal-information-collected)
- [4.0 Consumer Rights Under the CCPA and CPRA](#40-consumer-rights-under-the-ccpa-and-cpra)
- [5.0 Business Obligations and Compliance Requirements](#50-business-obligations-and-compliance-requirements)
- [6.0 Data Sale, Sharing, and Opt-Out Mechanisms](#60-data-sale-sharing-and-opt-out-mechanisms)
- [7.0 Data Security and Breach Response Protocols](#70-data-security-and-breach-response-protocols)
- [8.0 Third-Party Service Providers, Contractors, and Vendors](#80-third-party-service-providers-contractors-and-vendors)
- [9.0 Appendices](#90-appendices)
- [10.0 Document Control](#100-document-control)
- [Legal Disclaimer](#legal-disclaimer)

---

## 1.0 Purpose and Scope

### 1.1 Purpose

This California Consumer Privacy Act ("CCPA") Consumer Privacy Policy ("Policy") has been prepared by [COMPANY NAME] ("Company," "we," "us," or "our") to establish comprehensive, enforceable standards governing the collection, use, disclosure, retention, and deletion of personal information pertaining to California consumers. This Policy is designed to ensure full compliance with the California Consumer Privacy Act of 2018 (Cal. Civ. Code §§ 1798.100–1798.199.100), as amended and expanded by the California Privacy Rights Act of 2020 ("CPRA"), which became operative on January 1, 2023, and is enforced by the California Privacy Protection Agency ("CPPA") pursuant to Cal. Civ. Code § 1798.199.40.

This Policy supersedes all prior privacy notices, data handling procedures, and consumer disclosure documents issued by [COMPANY NAME] with respect to California consumers, to the extent of any conflict. Nothing in this Policy shall be construed to limit the Company's obligations under any other applicable federal, state, or local law, including but not limited to the Health Insurance Portability and Accountability Act ("HIPAA"), the Gramm-Leach-Bliley Act ("GLBA"), the Children's Online Privacy Protection Act ("COPPA"), or the California Online Privacy Protection Act ("CalOPPA").

### 1.2 Scope of Application

This Policy applies to:

**(a)** All California residents, as defined under Cal. Civ. Code § 1798.140(d), from whom [COMPANY NAME] collects personal information, whether directly or indirectly, in the context of a commercial transaction, service relationship, or incidental data collection event;

**(b)** All business units, departments, subsidiaries, and affiliates of [COMPANY NAME] operating within the State of California or that collect personal information from California residents regardless of where such collection occurs;

**(c)** All employees, contractors, third-party service providers, and agents acting on behalf of [COMPANY NAME] who access, process, transmit, store, or otherwise handle California consumer personal information;

**(d)** All digital properties, platforms, mobile applications, physical locations, call centers, and data collection touchpoints operated by or on behalf of [COMPANY NAME].

### 1.3 Threshold Applicability

Pursuant to Cal. Civ. Code § 1798.140(d), this Policy applies because [COMPANY NAME] meets one or more of the following statutory thresholds:

- Has annual gross revenues in excess of twenty-five million dollars ($25,000,000);
- Annually buys, sells, receives, or shares, for commercial purposes, the personal information of 100,000 or more consumers or households; or
- Derives 50% or more of its annual revenues from selling consumers' personal information.

*[IMPLEMENTATION NOTE: Confirm applicable threshold(s) and delete inapplicable provisions prior to finalization and publication. If none of the above thresholds are met, voluntary compliance with this Policy is recommended as a best practice.]*

### 1.4 Policy Governance

This Policy is governed and administered by the [COMPANY NAME] Privacy Compliance Officer ("PCO") in coordination with the Legal Department and Information Security team. Questions, concerns, or requests relating to this Policy should be directed to:

**Privacy Compliance Officer**
[COMPANY NAME]
[Street Address], [City], [State] [ZIP Code]
Email: privacy@[companydomain].com
Toll-Free: [XXX-XXX-XXXX]

---

## 2.0 Definitions and Interpretive Guidance

### 2.1 Statutory Definitions

For purposes of this Policy, the following terms shall have the meanings ascribed to them under the CCPA and CPRA, as set forth in Cal. Civ. Code § 1798.140, unless context clearly requires otherwise:

**2.1.1 "Personal Information"** means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information does not include publicly available information or lawfully obtained, truthful information that is a matter of public concern. (Cal. Civ. Code § 1798.140(v)(1).)

**2.1.2 "Sensitive Personal Information"** means personal information that reveals a consumer's social security, driver's license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number in combination with any required security or access code; precise geolocation; racial or ethnic origin; religious or philosophical beliefs; union membership; contents of a consumer's mail, email, and text messages unless the business is the intended recipient; genetic data; biometric information processed to uniquely identify a consumer; personal information collected and analyzed concerning a consumer's health; and personal information collected and analyzed concerning a consumer's sex life or sexual orientation. (Cal. Civ. Code § 1798.140(ae).)

**2.1.3 "Consumer"** means a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations. (Cal. Civ. Code § 1798.140(i).)

**2.1.4 "Sale"** means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for monetary or other valuable consideration. (Cal. Civ. Code § 1798.140(ad)(1).)

**2.1.5 "Sharing"** means communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged. (Cal. Civ. Code § 1798.140(ah).)

**2.1.6 "Service Provider"** means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer's personal information for a business purpose pursuant to a written contract. (Cal. Civ. Code § 1798.140(ag).)

**2.1.7 "Business Purpose"** means the use of personal information for the business's or a service provider's operational purposes, or other notified purposes, or for the purposes as defined in regulations or guidelines issued by the California Privacy Protection Agency. (Cal. Civ. Code § 1798.140(e).)

**2.1.8 "Contractor"** means a person to whom the business makes available a consumer's personal information for a business purpose, pursuant to a written contract bet