Under the CCPA and CPRA, businesses must provide a privacy policy that explains how personal information is collected, used, disclosed, and retained, as well as how consumers can exercise their rights. A CCPA privacy policy is not a generic legal document or a one‑time template. It should reflect actual data practices, stay current, and work together with other required notices, such as the notice at collection and opt‑out disclosures. This guide explains when a privacy policy is required under the CCPA, what it must include, how it differs from other notices, and why outdated or generic policies are a common enforcement risk.
How to Create a CCPA Privacy Policy: Required Disclosures, Structure, and Common Pitfalls
Introduction: why the privacy policy matters under the CCPA
The California Consumer Privacy Act (CCPA) places transparency at the center of consumer protection. One of the main ways businesses are expected to provide that transparency is through a clear and accurate privacy policy.
In practice, many CCPA enforcement issues are tied not to hidden data processing, but to privacy policies that are incomplete, outdated, or disconnected from how data is actually handled. Businesses often rely on generic templates or assume that publishing a policy once is sufficient. Regulators, however, evaluate whether a privacy policy meaningfully describes current data practices and connects properly to other required disclosures.
Does the CCPA require a privacy policy?
Yes. Businesses subject to the CCPA are required to make a privacy policy available to consumers.
This obligation is set out in California Civil Code section 1798.130(a)(5), which requires businesses to describe their data practices and explain how consumers can exercise their rights.
If a business is covered by the CCPA, it must provide a privacy policy as part of the law’s disclosure framework. Whether the law applies depends on statutory thresholds and data practices, not on whether a business chooses to publish a policy. For a detailed explanation of scope, see our CCPA applicability guide.
What is a CCPA privacy policy (and what it is not)
A CCPA privacy policy is a centralized disclosure document that explains how a business handles personal information over time.
It is not:
- A one‑time legal form
- A generic “California privacy notice” copied from a template
- A substitute for other required notices
Importantly, a privacy policy is different from a notice at collection. A notice at collection is shown at the moment personal information is collected, while a privacy policy provides ongoing, comprehensive disclosures. Relying on a privacy policy alone does not satisfy collection‑stage obligations, which are explained in our guide to the notice at collection.
In practice, many websites use short privacy notices or cookie banners to surface key information and then link users to the full privacy policy for additional detail. This layered approach helps distinguish moment‑specific disclosures from the broader explanations contained in the policy itself.
What must be included in a CCPA privacy policy
At a minimum, a CCPA privacy policy must describe:
- The categories of personal information collected
- The sources from which that information is collected
- The business or commercial purposes for collecting or using the information
- The categories of third parties with whom personal information is shared or sold
- Consumer rights under the CCPA and how to exercise them
These requirements apply regardless of whether personal information is sold or shared.
Following amendments introduced by the CPRA, businesses must also include additional disclosures, such as:
- Retention periods for each category of personal information, or the criteria used to determine retention
- Explanations related to sensitive personal information, where applicable
- Disclosures about sharing for cross‑context behavioral advertising
These additions are intended to give consumers clearer visibility into how long their information remains in use and for what purposes.
Completion checklist (based on the CPRA-era regulations)
To help your policy match the CPRA-era requirements more closely (and reduce gaps that show up in reviews), it helps to confirm that your privacy policy also covers:
- A 12‑month lookback for key disclosures (for example, categories collected, categories disclosed for a business purpose, and categories sold or shared, or a clear statement that a given activity did not occur during that period)
- Separate disclosures for “sold” vs. “shared” (because sharing for cross‑context behavioral advertising can trigger different consumer choices than selling)
- How consumers can submit requests and what to expect (including how identity verification works at a high level)
- Authorized agent instructions (how an agent submits a request on someone’s behalf)
- How opt‑out preference signals are processed (where applicable, such as whether signals apply by browser/device and how they interact with account‑based settings)
- A contact method for privacy questions
- The date the privacy policy was last updated
If you treat these as a checklist during drafting, it becomes easier to keep the privacy policy aligned with the rest of your notice framework.
Selling, sharing, and opt‑out disclosures in the privacy policy
If a business sells or shares personal information, the privacy policy must explain:
- That selling or sharing occurs
- The categories of personal information involved
- The purposes for selling or sharing
- How consumers can exercise their right to opt out
This section of the policy should align with the business’s Do Not Sell or Share link and opt‑out workflows. Inconsistencies between policy language and actual opt‑out behavior are a frequent enforcement issue.
For a deeper explanation of how selling and sharing are defined, see our overview of what counts as a sale or share under the CCPA.
Where the privacy policy must be made available
Under the CCPA, the privacy policy must be made available in a way that is reasonably accessible to consumers.
In practice, this usually means:
- A persistent, easy-to-find link that includes the word “privacy” (commonly in a website footer and accessible from the homepage)
- Availability through app settings for mobile applications
- Clear references from notices at collection and preference interfaces
If your privacy policy is presented online, it also helps to publish it in a format visitors can read and print, and to avoid burying it behind multiple clicks.
When businesses operate multiple domains or subdomains, regulators assess whether the policy accurately reflects data practices across those properties or whether separate disclosures are needed.
Accessibility and readability (often overlooked)
A privacy policy works best when it is readable, easy to navigate, and usable for visitors with disabilities. Practical ways to support that include:
- Clear headings and short sections
- Plain language explanations for legal terms
- Link text that makes sense out of context (for screen readers)
- A page layout that works with keyboard navigation and assistive technology
This is also helpful for SEO, because it improves on-page structure and engagement.
How often must a CCPA privacy policy be updated?
A CCPA privacy policy is not a static document. It should be reviewed and updated whenever data practices change.
Common triggers for updates include:
- Introducing new tracking or advertising technologies
- Expanding data collection purposes
- Changing retention practices
- Beginning to sell or share personal information
Outdated privacy policies are a recurring enforcement risk, particularly when disclosures no longer match real‑world data use.
Annual review rule (baseline)
In addition to change-driven updates, businesses commonly schedule a periodic review (at least annually) and update the “last updated” date when changes are published.
Common mistakes businesses make with CCPA privacy policies
Regulatory reviews frequently identify similar problems, including:
- Using generic templates that do not reflect actual practices
- Failing to update policies after operational changes
- Inconsistent terminology across notices
- Missing or unclear explanations of consumer rights
Additional gaps that often come up in practice include:
- Not clearly separating selling from sharing disclosures (or not stating when a given activity did not occur)
- Leaving out how authorized agents submit requests
- Not explaining how opt‑out preference signals are processed (where relevant)
- Omitting the “last updated” date
Many of these issues arise when privacy policies are treated as isolated documents rather than part of a connected disclosure system.
How a CCPA privacy policy fits into the broader notice framework
The privacy policy works alongside other required CCPA notices, including:
- Notices at collection
- Do Not Sell or Share disclosures
- Sensitive personal information limitation notices
- Confirmation and response notices after consumer requests
For a complete overview of how these notices interact, see our hub article on CCPA notices and disclosures.
How Clym supports privacy policy management
Maintaining an accurate CCPA privacy policy becomes more complex as businesses add new features, expand into new regions, or operate multiple domains and subdomains. Policies that are created once and then manually copied across pages often fall out of sync with how data is actually collected and used.
Clym supports privacy policy management by allowing businesses to add their privacy policy content once through the Clym Control Center and then display it consistently across their website. This helps teams avoid duplicating updates and reduces the risk of different pages showing different versions of the same disclosures.
Businesses can manage multiple versions of their privacy policy, including policies in different languages, and display them dynamically based on visitor location. For example, a CCPA‑specific privacy policy can be shown to visitors from California based on geo‑settings that are configured by default and can be adjusted if needed. This allows disclosures to align more closely with regional legal requirements without requiring separate manual implementations.
For businesses starting from scratch, Clym also provides a structured way to generate a privacy policy by guiding users through a questionnaire in the Control Center. This approach helps teams think through their data practices and document them in a consistent format, while still allowing customization and review.
These policy management capabilities connect with Clym’s broader privacy and cookie policy management features.
Frequently asked questions about CCPA privacy policies
The CCPA does not require businesses to use a lawyer to draft a privacy policy. However, because the policy must accurately reflect real data practices and legal obligations, many businesses involve legal or privacy professionals in the review process.
Templates can help illustrate structure, but they do not account for a business’s specific data practices. Using a generic template without customization is a common source of inaccuracies and enforcement risk.
No. A privacy policy is one part of the CCPA’s disclosure framework. It does not replace notices that must be provided at the point of collection or opt‑out disclosures that apply when personal information is sold or shared. You can read more about the CCPA notices that business websites have to provide to users in our associated article.
A privacy policy should be reviewed whenever data practices change and at regular intervals to confirm accuracy. Policies that are not updated as operations evolve are a frequent focus in enforcement actions.
Yes. A CCPA privacy policy must reflect a business’s specific data practices, including what information is collected, how it is used, and how long it is retained. Generic or one-size-fits-all policies often fail to describe real-world practices and can create inconsistencies that attract regulatory scrutiny.
A privacy policy provides ongoing, comprehensive disclosures about a business’s data practices. A privacy notice is a shorter, contextual disclosure shown at specific moments, such as when personal information is collected. Privacy notices often point users to the full privacy policy for more detail, but they do not replace it.
In some cases, a single privacy policy may apply across multiple domains or subdomains, but only if data practices are consistent across those properties. When collection methods, purposes, or disclosures differ, separate or tailored policies may be needed to accurately reflect those differences.
Yes. Even businesses that do not sell or share personal information must update their privacy policy when other data practices change, such as collection methods, purposes of use, or retention periods. The obligation to maintain accurate disclosures applies regardless of whether opt-out rights are triggered.