Generate a California Consumer Privacy Act compliant privacy notice for your website. Covers opt-out rights, do-not-sell requirements, sensitive personal information, and CPRA updates. 100% free, no signup.
No paywalls. No subscriptions. Just instant, professional legal documents.
Includes 2023 CPRA amendments — right to correct, sensitive personal information opt-out, and sharing restrictions — not just the original 2020 CCPA text.
Generates the correct "Do Not Sell or Share My Personal Information" link language and opt-out mechanism required for all covered businesses.
No legal jargon to parse. Just fill in your business details, toggle what applies, and get a clean HTML policy ready to publish on your website.
Everything you need to know about CCPA Privacy Policies
California has 39 million residents. Chances are, some of them visit your website.
The California Consumer Privacy Act went into effect in January 2020. The California Privacy Rights Act expanded it in January 2023. Together they form one of the most comprehensive privacy frameworks in the United States, and they apply to a lot more businesses than people think.
The California AG can fine businesses $2,500 per unintentional violation and $7,500 per intentional violation. "Per violation" means per affected consumer. If your site collected data from 10,000 California residents without proper disclosures, that's up to $75 million in intentional violation fines. Even if enforcement is selective, those numbers make compliance extremely worthwhile.
The official thresholds for CCPA applicability are: annual gross revenue over $25 million, buying or selling personal data of 100,000 or more California consumers per year, or deriving 50% or more of revenue from selling personal information. But here's what nobody tells you: even if you're under all three thresholds today, getting your policy in place now costs nothing and protects you as you grow. And the "100,000 consumers" number is closer than you think if you run any kind of analytics on a mid-size website.
The 2023 CPRA update made things stricter. It created a whole new category called "sensitive personal information" that includes things like social security numbers, financial account data, precise geolocation, racial or ethnic origin, health data, and biometric information. This category gets extra protections. If you handle any of it, you have additional disclosure and opt-out obligations beyond the standard CCPA requirements.
The "Do Not Sell My Personal Information" link is probably the most visible CCPA requirement. If you sell or share personal data with third parties for cross-context behavioral advertising (which includes many ad networks), you need that link prominently on your homepage. Missing it is an easy target for enforcement, and privacy advocacy groups actively look for non-compliant sites to report.
Businesses that meet any one of the three CCPA thresholds and handle California residents' data, which, practically speaking, includes any US business with meaningful web traffic.
AG enforcement actions, private rights of action for data breaches involving unprotected personal info, and reputational damage from being named in privacy enforcement notices.
Clear consumer rights disclosures, a documented opt-out mechanism, and a solid foundation for handling consumer requests within the mandatory 45-day window.
Every disclosure the law requires, written in language your users will actually read.
A clear list of the categories of personal information you collect, using the CCPA's own defined categories like identifiers, commercial information, and internet activity.
For each category of data, an explanation of why you collect it. CCPA requires you to disclose both the categories and their business purposes.
Categories of third parties you disclose personal information to, such as analytics services, advertising partners, payment processors, and cloud infrastructure providers.
Instructions for consumers on how to submit a request to know what personal information you have about them, with the 45-day response timeline clearly stated.
Consumers can request deletion of their personal information. Your policy explains how to make that request and which legal exceptions may allow you to retain certain data.
The "Do Not Sell or Share My Personal Information" disclosure, including a description of what counts as selling and how consumers can exercise this right.
Businesses cannot penalize consumers for exercising their CCPA rights. Your policy confirms you won't deny service, charge different prices, or provide a different level of service based on a privacy request.
CCPA requires you to disclose data collection practices covering the preceding 12 months. Your policy includes this temporal framing for all collection disclosures.
At minimum two methods for submitting consumer requests: a toll-free phone number and a web form or email address. The policy includes your designated contact information.
Answers to the questions that come up every time someone reads about CCPA
CCPA compliance tools shouldn't cost more than the fines they help you avoid at your scale.

| Feature | FreeTOS | Termly | TermsFeed |
|---|---|---|---|
| Price | Free | $14/mo | $9/mo |
| CCPA Core Rights Coverage | Full | Full | Full |
| CPRA Updates (2023) | Yes | Yes | Yes |
| Sensitive Personal Info Section | Yes | Paid plan | Paid plan |
| No Signup Required | Yes | No | No |
| PDF Download | Free | Paid plan | Paid plan |
| 12-Month Lookback Language | Yes | Yes | Yes |

Where to put it, what links to add, and how to set up consumer request handling.
The California Consumer Privacy Act applies to far more businesses than most people realize.
The California Consumer Privacy Act (CCPA) took effect on January 1, 2020, giving California residents new rights over how businesses collect, use, and sell their personal information. In November 2020, California voters passed Proposition 24 — the California Privacy Rights Act (CPRA) — which significantly expanded and strengthened the CCPA. The CPRA became fully effective on January 1, 2023 and is now the operative law, though most people still refer to it as "CCPA" colloquially.
The law applies to for-profit businesses that collect personal information from California consumers and meet at least one of three thresholds: (a) annual gross revenues over $25 million, OR (b) annually buy, sell, receive, or share the personal information of 100,000 or more California consumers or households, OR (c) derive 50% or more of annual revenues from selling or sharing California consumers' personal information. Critically, these thresholds apply globally — not just to California-based companies. A business headquartered in Germany, the UK, or anywhere else in the world that meets any threshold while handling California residents' data must comply.
California has approximately 39 million residents. If you run Google Analytics on a website with meaningful US traffic, you are almost certainly processing behavioral data from California consumers. If your site receives more than a few hundred thousand visits per year from the US, crossing the 100,000 consumer threshold is not difficult. Many businesses that assume they are "too small" for CCPA are surprised when they count their actual data processing volume.
The 2023 CPRA updates added meaningful new requirements. A new "sensitive personal information" category was created, covering data like Social Security numbers, precise geolocation, health data, biometric identifiers, and racial or ethnic origin — with heightened protections and an additional right to limit use. Consumers gained a new right to correct inaccurate personal information. The opt-out right was expanded from "selling" to also cover "sharing" for cross-context behavioral advertising. And the California Privacy Protection Agency (CPPA) was established as a dedicated enforcement authority, replacing sole reliance on the Attorney General.
It applies to businesses globally that meet the thresholds — not just California-based companies. With 39 million residents and an active enforcement agency, assuming you are exempt is a risk that gets more expensive every year.
Any for-profit business with $25M+ revenue, OR that processes data from 100K+ California consumers per year, OR derives 50%+ of revenue from selling/sharing personal information. Applies globally, not just to US companies.
Right to Know, Right to Delete, Right to Correct (new in CPRA), Right to Opt-Out of Sale/Sharing, Right to Limit Sensitive PI Use (new in CPRA), Right to Non-Discrimination, and Right to Data Portability.
$2,500 per unintentional violation, $7,500 per intentional violation — per affected consumer. A breach affecting 10,000 consumers can trigger $100-$750 per person in statutory damages under the private right of action.
Seven rights your privacy policy must clearly explain to California consumers.
Consumers can request to know what categories of personal information you have collected about them, where it came from, and what business purpose it serves. You have 45 days to respond.
Consumers can request deletion of their personal information. You must also direct service providers with access to the data to delete it. Limited exceptions apply for fraud prevention, legal obligations, and completing transactions.
Consumers can request correction of inaccurate personal information you hold about them. This was added by CPRA and applies to policies that were drafted before January 2023.
Consumers can opt out of the sale or sharing of their personal information. This requires a prominent "Do Not Sell or Share My Personal Information" link on your homepage, and opt-out requests must be honored within 15 business days.
Consumers can direct businesses to limit use of sensitive personal information (health data, precise location, biometrics, etc.) to only what is necessary for providing the requested service.
Businesses cannot penalize consumers for exercising any CCPA right. You cannot deny service, charge different prices, or provide a degraded experience based solely on a consumer exercising their privacy rights.
Consumers can request their personal information in a portable and readily usable format, allowing them to transfer it to another business where technically feasible. Added by CPRA 2023.
Nine required disclosures that every CCPA-compliant privacy policy must contain.
A list of the categories of personal information you collect, using the CCPA's own defined categories: identifiers, commercial information, internet activity, geolocation, and more.
Where you collect personal information from: directly from consumers, automatically from their devices, from third-party partners, or from data brokers.
The specific business or commercial purposes for collecting each category of personal information. Vague statements like "to improve our services" are insufficient.
The categories of third parties to whom you disclose personal information, such as analytics providers, advertising partners, payment processors, and cloud service providers.
A clear disclosure of whether you sell or share personal information, and if so, which categories are sold or shared and to which categories of third parties.
At least two methods for submitting requests: a toll-free number and an email address or web form. Both must be clearly accessible and functional.
You must respond to verifiable consumer requests within 45 days. This can be extended by an additional 45 days (90 total) if you notify the consumer of the extension within the first 45 days.
Consumers must have a mechanism to appeal if you deny their request. Your policy must explain how to submit an appeal and your timeline for responding to appeals.
The policy must show its effective date and be updated at least annually. When you update it, notify consumers via email or a prominent notice on your website.
Answers to the questions that come up when businesses first encounter CCPA
How FreeTOS compares for CCPA-specific features against the leading paid compliance platforms.

| Feature | FreeTOS | Termly | iubenda |
|---|---|---|---|
| Price | Free | $14/mo+ | $27/mo+ |
| CCPA Core Rights Coverage | Full | Full | Full |
| CPRA 2023 Updates | Yes | Yes | Yes |
| Sensitive PI Section | Yes, free | Paid plan | Paid plan |
| No Signup Required | Yes | No | No |
| PDF Download | Free | Paid plan | Paid plan |
| AI-Tailored Output | Yes | Template | Template |
| Consumer Request Management | Policy only | Yes (paid) | Yes (paid) |

FreeTOS generates the complete CCPA privacy policy document including all CPRA updates. For automated consumer request workflows and consent management dashboards, a paid platform may be appropriate for larger businesses. For most small to mid-size websites, FreeTOS covers the essential policy documentation at zero cost.