Generate a California Consumer Privacy Act compliant privacy notice for your website. Covers opt-out rights, do-not-sell requirements, sensitive personal information, and CPRA updates. 100% free, no signup.
No paywalls. No subscriptions. Just instant, professional legal documents.
Includes 2023 CPRA amendments — right to correct, sensitive personal information opt-out, and sharing restrictions — not just the original 2020 CCPA text.
Generates the correct "Do Not Sell or Share My Personal Information" link language and opt-out mechanism required for all covered businesses.
No legal jargon to parse. Just fill in your business details, toggle what applies, and get a clean HTML policy ready to publish on your website.
Everything you need to know about CCPA Privacy Policies
Go deeper on this topic with our free guide.
California has 39 million residents. Chances are, some of them visit your website.
The California Consumer Privacy Act went into effect in January 2020. The California Privacy Rights Act expanded it in January 2023. Together they form one of the most comprehensive privacy frameworks in the United States, and they apply to a lot more businesses than people think.
The California AG can fine businesses $2,500 per unintentional violation and $7,500 per intentional violation. "Per violation" means per affected consumer. If your site collected data from 10,000 California residents without proper disclosures, that's up to $75 million in intentional violation fines. Even if enforcement is selective, those numbers make compliance extremely worthwhile.
The official thresholds for CCPA applicability are: annual gross revenue over $25 million, buying or selling personal data of 100,000 or more California consumers per year, or deriving 50% or more of revenue from selling personal information. But here's what nobody tells you: even if you're under all three thresholds today, getting your policy in place now costs nothing and protects you as you grow. And the "100,000 consumers" number is closer than you think if you run any kind of analytics on a mid-size website.
The 2023 CPRA update made things stricter. It created a whole new category called "sensitive personal information" that includes things like social security numbers, financial account data, precise geolocation, racial or ethnic origin, health data, and biometric information. This category gets extra protections. If you handle any of it, you have additional disclosure and opt-out obligations beyond the standard CCPA requirements.
The "Do Not Sell My Personal Information" link is probably the most visible CCPA requirement. If you sell or share personal data with third parties for cross-context behavioral advertising (which includes many ad networks), you need that link prominently on your homepage. Missing it is an easy target for enforcement, and privacy advocacy groups actively look for non-compliant sites to report.
Businesses meeting any one of the three CCPA thresholds that handle California residents' data. Which, practically speaking, includes any US business with meaningful web traffic.
AG enforcement actions, private rights of action for data breaches involving unprotected personal info, and reputational damage from being named in privacy enforcement notices.
Clear consumer rights disclosures, a documented opt-out mechanism, and a solid foundation for handling consumer requests within the mandatory 45-day window.
Every disclosure the law requires, written in language your users will actually read.
A clear list of the categories of personal information you collect, using the CCPA's own defined categories like identifiers, commercial information, and internet activity.
For each category of data, an explanation of why you collect it. CCPA requires you to disclose both the categories and their business purposes.
Categories of third parties you disclose personal information to, such as analytics services, advertising partners, payment processors, and cloud infrastructure providers.
Instructions for consumers on how to submit a request to know what personal information you have about them, with the 45-day response timeline clearly stated.
Consumers can request deletion of their personal information. Your policy explains how to make that request and which legal exceptions may allow you to retain certain data.
The "Do Not Sell or Share My Personal Information" disclosure, including a description of what counts as selling and how consumers can exercise this right.
Businesses cannot penalize consumers for exercising their CCPA rights. Your policy confirms you won't deny service, charge different prices, or provide a different level of service based on a privacy request.
CCPA requires you to disclose data collection practices covering the preceding 12 months. Your policy includes this temporal framing for all collection disclosures.
At minimum two methods for submitting consumer requests: a toll-free phone number and a web form or email address. The policy includes your designated contact information.
Answers to the questions that come up every time someone reads about CCPA
CCPA compliance tools shouldn't cost more than the fines they help you avoid at your scale.
| Feature | FreeTOS | Termly | TermsFeed |
|---|---|---|---|
| Price | Free | $14/mo | $9/mo |
| CCPA Core Rights Coverage | Full | Full | Full |
| CPRA Updates (2023) | Yes | Yes | Yes |
| Sensitive Personal Info Section | Yes | Paid plan | Paid plan |
| No Signup Required | Yes | No | No |
| PDF Download | Free | Paid plan | Paid plan |
| 12-Month Lookback Language | Yes | Yes | Yes |
Where to put it, what links to add, and how to set up consumer request handling.