July 24, 2024

CCPA Checklist: Privacy Policy and Notices

table of contents

Creating a CCPA-compliant privacy policy and other required notices will take advantage of all the work you’ve done in the previous steps, effectively translating your data map into a public document. Use the following checklist to make sure your privacy notices meet the CCPA’s requirements.

Update current privacy policy
‍Most businesses already have a privacy policy; this is a good time to make any necessary updates based on your CCPA preparations.
Create a CCPA addendum
This will be an addition to your business’s current policy, with everything needed to meet the CCPA’s notice requirements. some text
- Inform consumers of their CCPA privacy rights
  ‍Consumers have a right to know, right to delete, right to opt out, and right to non-discrimination.
- Instructions on how to make a verifiable request
  ‍Different requests must be verified to different degrees based on the personal information involved. The CCPA addendum should cover these verification procedures.
- Inform consumers they can make requests through an agent
  ‍Consumers may make privacy requests through an authorized agent, though the business may also need to verify their permission to act on the consumer’s behalf.
- What personal information is collected, from what source, and for what purposes
  ‍Refer to your business's data map.
- What sensitive personal information is collected, for what purposes, and whether it sold or shared
  ‍Refer to your business's data map.
- What personal information is disclosed to third parties, contractors, and service providers, as well as the categories of those parties
  ‍Refer to your business's data map.
- How long your business intends to retain each category of personal information
  ‍Your business will need to create a data retention policy.
- What personal information is sold to or shared with third parties, and the categories of such third parties
  Refer to your business's data map.
- At least two methods for contacting the business and making privacy requests
  ‍These contact methods should reflect the means by which a business normally interacts with consumers. For example, a business that mostly interacts with consumers online must provide at least one online contact method.
Additional privacy notices
- Employees and job applicants
  Employees and job applicants have the same rights as anyone else, so you'll need to include privacy disclosures in application and employment paperwork.
- "Do Not Sell or Share My Personal Information" page
  ‍Businesses that sell or share consumers’ personal information must provide a “Do Not Sell or Share My Personal Link” on their homepage which goes to either a separate web page or section of the privacy policy which informs consumers of the selling/sharing practices and their opt-out rights.
- Financial incentives
  ‍Though businesses may not discriminate against consumers who exercise their CCPA rights, in some circumstances they may offer financial incentives to consumers for opting in to the sale or sharing of their personal information. If they do so, they must provide an additional notice that covers the details of those incentives.
- High volumes of personal information
  ‍Businesses that annually buy, sell, share, or receive the personal information of 10 million or more consumers must compile and disclose additional data in their privacy policy.
- Notices regarding minors under 18
  ‍If your business has knowledge that it sells or shares the personal information of consumers under the age of 16, it must make additional disclosures regarding the special rules for obtaining their consent.
- Brick-and-mortar store requirements
  ‍If a business collects and uses personal information at its physical store locations, it must disclose this in its online privacy policy, provide a notice at the point of collection, and designate a toll-free number for making CCPA privacy requests.
Placement at points of collection
Links to the privacy policy should be placed at every point where personal information is collected.
General principles
- Plain, straightforward language
- Format draws reader's attention to the notice
- Readable on small screens
- Available in languages normally used by business
- Reasonable accessible to users with disabilities

‍

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.

previous chapter

next chapter

Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.

May 4, 2026

The real lessons of the European Wax Center settlement

A national consumer brand just paid $5 million because their website ran tracking pixels the way almost every website runs tracking pixels. The plaintiffs' bar has automated the process of finding the next defendant.

April 16, 2026

Alabama’s Quirky Take on Data Privacy

The Alabama Personal Data Protection Act is a strange blend of playing it safe and introducing new rules that may leave businesses scratching their heads.

April 25, 2025

Looking for a OneTrust Alternative? See How TrueVault Compares

Looking for a OneTrust alternative built for simplicity, speed, and e-commerce compliance? This feature comparison shows how TrueVault stacks up.

CCPA Checklist: Privacy Policy and Notices

Other related blog posts