# California Consumer Privacy Policy
**Effective Date:** [Effective Date]
**Last Updated:** [Last Updated Date]
This California Privacy Notice ("Notice") supplements the general Privacy Policy of [Company Name] ("Company," "we," "us," or "our") and applies solely to California residents ("consumers" or "you"). We adopt this Notice to comply with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (collectively, "CCPA"). Any terms defined in the CCPA have the same meaning when used in this Notice.
---
## 1. Scope of This Notice
This Notice describes how we collect, use, disclose, and share Personal Information about California residents who visit our website at [Website URL], purchase our products, subscribe to our marketing communications, or otherwise interact with us. It also explains the rights California residents have regarding their Personal Information and how to exercise those rights.
---
## 2. Categories of Personal Information We Collect
In the preceding 12 months, we have collected the following categories of Personal Information about California consumers:
- **Identifiers:** Name, email address, shipping and billing address, phone number, IP address, device identifiers, and online identifiers (e.g., cookie IDs).
- **Customer Records (Cal. Civ. Code § 1798.80(e)):** Name, contact information, and payment information (payment card data is collected and processed by our payment processor; we do not store full card numbers).
- **Commercial Information:** Products purchased, products viewed, order history, returns, and purchasing preferences.
- **Internet or Other Electronic Network Activity Information:** Browsing history, search history, clickstream data, pages viewed, referring/exit pages, time spent on pages, and interactions with our website and advertisements (collected via cookies, pixels, and similar technologies, including Meta Pixel).
- **Geolocation Data:** Approximate location derived from IP address or shipping address (we do not collect precise geolocation).
- **Inferences:** Preferences, characteristics, and behavior drawn from the above data to create a consumer profile (e.g., likely skincare interests).
**Sensitive Personal Information:** We do **not** collect Sensitive Personal Information as defined under the CCPA, and we do **not** use or disclose Sensitive Personal Information for purposes that would trigger a right to limit its use.
---
## 3. Sources of Personal Information
We collect Personal Information from the following sources:
- **Directly from you:** When you create an account, make a purchase, subscribe to our newsletter, contact customer service, or interact with us on social media.
- **Automatically from your devices:** Through cookies, web beacons, pixels (including the Meta Pixel), SDKs, and similar technologies when you visit our website.
- **From service providers:** Such as our ecommerce platform (Shopify), email marketing platform (Klaviyo), payment processor, shipping providers, and analytics providers.
- **From advertising partners:** Such as Meta (Facebook/Instagram) and Google, who may share campaign performance and audience information with us.
- **From publicly available sources and other third parties:** Where permitted by law.
---
## 4. Business and Commercial Purposes for Collecting Personal Information
We use Personal Information for the following business and commercial purposes:
- Processing, fulfilling, and shipping orders.
- Creating, maintaining, and securing your account.
- Providing customer service and responding to inquiries.
- Sending transactional communications (e.g., order confirmations, shipping updates).
- Sending marketing communications, with your consent where required.
- Personalizing your experience on our website and recommending products.
- Operating, analyzing, improving, and securing our website and services.
- Conducting advertising and marketing activities, including targeted or "cross-context behavioral" advertising on third-party platforms.
- Detecting, preventing, and responding to fraud, security incidents, and unlawful activity.
- Complying with legal obligations and enforcing our terms.
- Any other purpose disclosed to you at the time of collection or with your consent.
---
## 5. Categories of Third Parties with Whom We Share Personal Information
We disclose Personal Information to the following categories of recipients:
- **Service providers and contractors** who perform services on our behalf, including:
  - Ecommerce and hosting providers (e.g., Shopify)
  - Email and SMS marketing platforms (e.g., Klaviyo)
  - Payment processors
  - Shipping and fulfillment partners
  - Analytics providers
  - Customer service tools
- **Advertising partners and third parties** used for cross-context behavioral advertising (e.g., Meta, Google).
- **Professional advisors**, such as attorneys, auditors, and accountants.
- **Government authorities and law enforcement**, where required by law or legal process.
- **Affiliates and successors** in the event of a merger, acquisition, financing, reorganization, or sale of assets.
---
## 6. Sale or Sharing of Personal Information
We do **not sell** Personal Information in exchange for money.
However, under the CCPA's broad definitions, our use of cookies, pixels (including the Meta Pixel), and similar advertising technologies to deliver targeted advertising may qualify as **"sharing"** (i.e., disclosing Personal Information for cross-context behavioral advertising) or, in some interpretations, as a **"sale."**
The categories of Personal Information that may be "sold" or "shared" in this sense include:
- Identifiers (e.g., IP address, cookie IDs, device identifiers)
- Internet or other electronic network activity information
- Commercial information
- Inferences drawn from the above
These categories may be "shared" with advertising partners such as Meta and Google.
We do **not** knowingly sell or share the Personal Information of consumers under 16 years of age.
You have the right to opt out of this sharing. See **Section 8** below.
---
## 7. Retention of Personal Information
We retain each category of Personal Information for as long as reasonably necessary to fulfill the purposes described in this Notice, unless a longer ret
# Create a CCPA-Compliant Privacy Policy Template
Tested prompts for ccpa privacy policy template compared across 5 leading AI models.
If you collect personal information from California residents, you are likely required to post a CCPA-compliant privacy policy. The California Consumer Privacy Act gives consumers rights over their data, including the right to know what is collected, the right to delete it, and the right to opt out of its sale. Failing to disclose these rights in your privacy policy exposes your business to regulatory complaints and civil penalties up to $7,500 per intentional violation.
Most businesses searching for a CCPA privacy policy template are in one of two situations: they have no privacy policy at all, or they have an outdated one that predates the CCPA and its 2023 update under the CPRA. Either way, the goal is the same: get a policy live that satisfies the statutory disclosure requirements without spending thousands on outside legal counsel for a first draft.
This page uses AI to generate a working CCPA privacy policy template you can adapt to your specific business. Below you will find a tested prompt, four model outputs, a side-by-side comparison, and practical guidance on what to customize before you publish. Use this as a strong starting draft, then have qualified legal counsel review it before it goes live on your site.
## When to use this
AI-generated CCPA privacy policy templates work best when you need a structured, legally-informed starting point fast. If you are a small-to-mid-size business that collects standard categories of consumer data, such as contact information, purchase history, or website analytics, an AI draft will cover the required disclosures and save hours of blank-page drafting before attorney review.
- A SaaS startup launching its first product and needing a privacy policy before go-live
- An e-commerce business that sells to California customers and has no current CCPA disclosures
- A marketing agency updating a client's outdated 2019 privacy policy to reflect CPRA amendments
- A brick-and-mortar retailer that recently launched an online store and began collecting customer emails and purchase data
- A mobile app developer who needs a privacy policy to satisfy App Store and Google Play submission requirements while also meeting CCPA obligations
## When this format breaks down
- Your business handles sensitive categories under CPRA such as precise geolocation, health data, or financial information at scale. These require specific opt-in consent language and additional disclosures that generic templates often get wrong.
- You operate in multiple regulated verticals simultaneously, for example a healthcare company that is also a financial services provider, where CCPA intersects with HIPAA and GLBA exemptions in ways a template cannot reliably navigate.
- Your data practices involve complex third-party data sharing, cross-context behavioral advertising, or data broker activity. The standard template structure will miss material disclosures specific to those flows.
- You have already received a regulatory inquiry or consumer complaint. At that point, you need an attorney drafting or reviewing the document, not an AI template.
## The prompt we tested
You are a privacy compliance specialist drafting a CCPA-compliant Privacy Policy template for a business. Use the following rules when drafting the policy: Write in clear, plain English at a professional but accessible reading level. Format with numbered sections and Markdown headings, use bullet points for lists of data categories and rights, and keep the tone neutral and compliance-focused. Ensure the template is comprehensive enough to cover CCPA and CPRA requirements while remaining easy for a non-lawyer to customize. Business details and context provided by the user: We're a US-based direct-to-consumer skincare brand called GlowNest that sells through our Shopify website and collects customer names, emails, shipping addresses, payment info, and browsing behavior via cookies and Meta Pixel. We share data with Shopify, Klaviyo for email marketing, and Meta/Google for advertising, and we ship to California residents. We don't knowingly collect data from anyone under 16 and we don't sell data for money, but we do use targeted advertising that may qualify as 'sharing' under CPRA. Produce a complete, ready-to-customize CCPA Privacy Policy template. Use clear section headings, include bracketed placeholders like [Company Name], [Effective Date], [Contact Email], and [Physical Address] where the business needs to insert its own details. Cover all required CCPA/CPRA disclosures, including: Categories of Personal Information Collected, Sources of Personal Information, Business/Commercial Purposes for Collection, Categories of Third Parties Shared With, Sale or Sharing of Personal Information, Consumer Rights (Right to Know, Delete, Correct, Opt-Out of Sale/Sharing, Limit Use of Sensitive PI, Non-Discrimination), How to Exercise Rights (including authorized agents), Notice of Financial Incentives (if applicable), Retention Periods, Children Under 16, Shine the Light / Do Not Track, Changes to Policy, and Contact Information. 
End with a brief disclaimer that the template is not legal advice and should be reviewed by qualified counsel.
## Model comparison
| Model | Quality | Cost | Latency | Tokens |
|---|---|---|---|---|
| Claude Opus 4.7 | 7 | $0.1643 | 28.0s | 713 / 2048 |
| Claude Haiku 4.5 | 6 | $0.0107 | 19.5s | 460 / 2048 |
| GPT-5.4 | 8 | $0.0317 | 37.6s | 403 / 2048 |
| Grok 4.1 Fast Reasoning | 8 | $0.0008 | 19.6s | 544 / 1467 |
## Outputs
# CCPA Privacy Policy Template for GlowNest
**Effective Date:** [EFFECTIVE DATE]
---
## 1. Introduction and Scope
This Privacy Policy describes how **[Company Name]** ("we," "us," "our," or "Company") collects, uses, discloses, and otherwise processes personal information in connection with our website, products, services, and marketing activities. This policy applies to residents of California and incorporates requirements under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
If you are a California resident, this policy explains your privacy rights and how to exercise them. If you are not a California resident, please note that some rights and protections described herein may not apply to you; however, we aim to extend similar protections to all users where practicable.
**Last Updated:** [LAST UPDATED DATE]
---
## 2. Categories of Personal Information We Collect
We collect personal information in the following categories:
### A. Information You Provide Directly
- **Contact Information:** Name, email address, phone number, mailing/shipping address, billing address
- **Account Information:** Username, password, account preferences, wishlist items
- **Payment Information:** Credit/debit card number, expiration date, CVV, billing details (processed securely by [PAYMENT PROCESSOR NAME])
- **Communications:** Messages, feedback, customer service inquiries, survey responses, reviews, testimonials
- **Demographic Information:** Gender, age (where you choose to provide it)
### B. Information Collected Automatically
- **Browsing and Usage Data:** Pages visited, time spent on pages, links clicked, search queries, referral sources
- **Device Information:** IP address, device type, operating system, browser type, device identifiers, mobile advertising IDs
- **Cookie Data:** Information from first- and third-party cookies, web beacons, and similar tracking technologies
- **Location Data:** City/state level location inferred from IP address (we do not collect precise GPS location)
### C. Information from Third-Party Sources
- **Payment Processors:** Information needed to process transactions
- **Marketing Platforms:** Data about your interests and interactions with our advertisements
- **Social Media Platforms:** Information you authorize to share when connecting social accounts
- **Data Brokers/Aggregators:** [If applicable: list any third-party data sources used]
---
## 3. Sources of Personal Information
We obtain personal information from the following sources:
- **You (the Consumer):** Directly through website forms, account registration, purchases, customer service interactions, and surveys
- **Your Browser/Device:** Automatically through cookies, pixels, and similar technologies when you visit our website
- **Third-Party Vendors and Service Providers:**
  - Shopify (e-commerce platform and hosting)
  - Klaviyo (email marketing platform)
  - Meta Platforms, Inc. (Facebook/Instagram advertising and audience tracking)
  - Google (Google Ads, Google Analytics)
  - [Additional third-party services: insert as applicable]
- **Publicly Available Sources:** Public databases, social media profiles, review sites (where information is publicly available)
- **Business Partners and Affiliates:** Co-marketing partners and affiliate networks [if applicable]
---
## 4. Business and Commercial Purposes for Collection and Use
We collect and use your personal information for the following business and commercial purposes:
### A. Core Business Operations
- Processing and fulfilling orders and shipments
- Processing payments and managing accounts
- Verifying customer identity and preventing fraud
- Customer service and support
- Managing returns, refunds, and warranty claims
- Conducting internal business operations and compliance
### B. Marketing and Communications
- Sending promotional emails and newsletters (with your consent where required)
- Retargeting advertisements on Meta, Google, and other platforms
- Conducting market research and surveys
- Improving our products and services based on customer feedback
- Creating and managing loyalty programs and special offers
### C. Analytics and Improvement
- Analyzing website traffic and user behavior (via Google Analytics and similar tools)
- Testing website features and optimizing user experience
- Understanding which products and features are popular
- Identifying trends and patterns in customer preferences
### D. Legal and Compliance
- Complying with legal obligations and government requests
- Protecting against fraud, security threats, and illegal activity
- Defending our legal rights and interests
- Establishing, exercising, or defending legal claims
### E. Personalization
- Customizing website content and product recommendations
- Personalizing your shopping experience
- Creating targeted advertising audiences
---
## 5. Categories of Third Parties We Share Personal Information With
We disclose personal information to the following categories of third parties:
### A. Service Providers
- **E-Commerce Platform:** Shopify (for website hosting, order processing, payment facilitation)
- **Email Marketing:** Klaviyo (for email campaigns and audience segmentation)
- **Payment Processors:** [Payment processor name] (for payment processing)
- **Shipping and Logistics:** Fulfillment partners and shipping carriers
- **Customer Service:** Support platforms and chat tools
- **Analytics:** Google Analytics, [other analytics platforms]
### B. Advertising and Marketing Partners
- **Meta Platforms, Inc.** (Facebook, Instagram) – for targeted advertising and audience insights via Meta Pixel
- **Google LLC** (Google Ads, Google Analytics) – for search advertising and audience analysis
- **[Other advertising networks as applicable]**
### C. Legal and Compliance
- Law enforcement, government agencies, and courts (when required by law or legal process)
- Professional advisors (accountants, attorneys, auditors) as needed for business purposes
### D. Business Transfer
- Buyers or successors in the event of a merger, acquisition, bankruptcy, or sale of assets
### E. Other Parties
- Affiliates and subsidiary companies (as applicable)
- [Any other regular sharing partners]
**Important Note:** We do not share personal information with third parties for their direct marketing purposes unless we obtain your explicit consent to do so.
---
## 6. Sale or Sharing of Personal Information
### A. "Sale" of Personal Information (CCPA Definition)
We **do not sell personal information** for monetary consideration under the traditional definition of "sale."
**However:** We do engage in activities that may qualify as "selling" or "sharing" under CCPA/CPRA:
**Targeted Advertising Activities:**
We disclose the following categories of personal information to Meta and Google for targeted advertising purposes:
- Email address (hashed/encrypted)
- Device identifiers and cookie data
- Browsing behavior and engagement data
- Purchase history (where available)
- Demographic information (age, gender, interests derived from behavior)
Under CPRA, these disclosures for targeted advertising may be considered "sharing" of personal information, even though we do not receive monetary compensation. This practice allows these advertising partners to create audience segments and show you relevant ads.
### B. Your Right to Opt-Out
**California residents have the right to opt-out of the "sale" or "sharing" of their personal information.** To exercise this right:
1. **Click the "Do Not Sell or Share My Personal Information" link** on our website footer
2. **Fill out our opt-out form** [INSERT LINK]
3. **Contact us directly** using the information in Section 14 below
We will honor opt-out requests within [45 days / SPECIFY TIMEFRAME]. Please note:
- Opt-outs may take up to 45 days to fully process across all systems
- You may need to opt-out separately for each device or browser you use
- Opting out may affect our ability to deliver personalized content and targeted advertising
---
## 7. Consumer Rights Under CCPA and CPRA
California residents have the following rights regarding their personal information:
### A. Right to Know
You have the right to request that we disclose:
- What personal information we have collected about you
- The categories of personal information collected
- The sources of that personal information
- The business purpose for collecting it
- The categories of third parties with whom we share it
### B. Right to Delete
You have the right to request that we delete personal information we have collected from you, subject to certain exceptions. We may deny deletion requests where:
- The information is necessary to complete a transaction
- We need it to detect security incidents or prevent fraud
- We are required by law to retain it
- The information is needed for internal analytics
### C. Right to Correct
You have the right to request that we correct inaccurate personal information we maintain about you.
### D. Right to Opt-Out of Sale/Sharing
You have the right to opt-out of the sale or sharing of your personal information (see Section 6 above).
### E. Right to Limit Use and Disclosure of Sensitive Personal Information
Under CPRA, sensitive personal information includes:
- Social Security numbers and financial account information
- Exact geolocation
- Health information
- Genetic information
- Biometric information
- Information
# California Privacy Notice / CCPA Privacy Policy Template
**Effective Date:** [Effective Date]
**Last Updated:** [Last Updated]
This California Privacy Notice explains how **[Company Name]** ("[Company Name]," "we," "us," or "our") collects, uses, discloses, retains, and otherwise processes Personal Information relating to California residents, including visitors to our website, customers, and others whose Personal Information we collect in a business-to-consumer context.
This Notice is intended to help you understand your rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the "CCPA").
If you are a California resident, this Notice applies to you.
---
## 1. Scope of This Notice
This Notice applies to Personal Information we collect from California residents through:
- Our website at [Website URL]
- Our Shopify-powered online store
- Email, customer service, and other communications
- Cookies, pixels, analytics tools, and similar tracking technologies
- Advertising and marketing interactions
- Any other online or offline interactions where this Notice is provided or linked
This Notice does not apply to information that is outside the scope of the CCPA, such as certain publicly available information or information otherwise exempt under applicable law.
---
## 2. Categories of Personal Information We Collect
In the last 12 months, we may have collected the following categories of Personal Information about California residents.
### A. Identifiers
Examples may include:
- Real name
- Email address
- Shipping address
- Billing address
- Online identifiers
- IP address
- Device identifiers
- Account name or customer ID
### B. Personal Information Described in California Customer Records Statute
Examples may include:
- Name
- Address
- Telephone number
- Payment card information or other payment details
- Purchase or order information
### C. Commercial Information
Examples may include:
- Products purchased
- Order history
- Shopping cart activity
- Preferences or interests
- Records of products or services considered
### D. Internet or Other Electronic Network Activity Information
Examples may include:
- Browsing behavior on our website
- Pages viewed
- Time spent on pages
- Referring URLs
- Search activity
- Cookie data
- Interactions with advertisements
- Data collected through Meta Pixel, Google tools, or similar technologies
### E. Geolocation Data
Examples may include:
- General location inferred from IP address
- Shipping location
### F. Audio, Electronic, Visual, or Similar Information
Examples may include:
- Customer service communications, where applicable
- Email correspondence
- Chat or message contents if you contact us
### G. Inferences Drawn from Personal Information
Examples may include:
- Preferences
- Product interests
- Marketing audience segments
- Likely purchasing interests
### H. Sensitive Personal Information
Depending on how we operate, we may collect limited Sensitive Personal Information, such as:
- Account login information, if applicable
- Payment card information when necessary to process transactions
- Precise geolocation, **only if collected** [remove if not applicable]
**Important:** We do **not** use Sensitive Personal Information to infer characteristics about consumers, and we only use it for limited purposes permitted by California law, unless otherwise disclosed.
---
## 3. Categories of Sensitive Personal Information Collected
In the last 12 months, we may have collected the following categories of Sensitive Personal Information:
- Payment card or payment account information necessary to process purchases
- Account login credentials, if customers create an account
- [Add any other Sensitive Personal Information collected]
- [Remove this section if no Sensitive Personal Information is collected]
We use Sensitive Personal Information only as reasonably necessary:
- To provide requested products or services
- To process payments and fulfill orders
- To maintain account security
- To detect and prevent fraud or illegal activity
- For other purposes allowed by the CCPA/CPRA
---
## 4. Sources of Personal Information
We collect Personal Information from the following categories of sources:
- **Directly from you**
  - When you place an order
  - When you sign up for emails or marketing
  - When you contact customer support
  - When you create an account
  - When you submit information through forms on our website
- **Automatically from your devices and browser**
  - Through cookies
  - Through pixels such as Meta Pixel
  - Through analytics technologies
  - Through server logs and similar tracking tools
- **From service providers and business partners**
  - Shopify
  - Klaviyo
  - Meta
  - Google
  - Payment processors
  - Fraud prevention providers
  - Shipping and fulfillment providers
- **From advertising, analytics, and marketing partners**
  - Where permitted by law, we may receive information about your interactions with ads, campaigns, or websites
---
## 5. Purposes for Collecting, Using, and Disclosing Personal Information
We collect, use, and disclose Personal Information for the following business and commercial purposes:
- To operate and administer our website and online store
- To process and fulfill orders
- To process payments and transactions
- To provide customer service and respond to inquiries
- To send transactional messages, such as order confirmations and shipping updates
- To send marketing emails and promotional communications
- To personalize website content and shopping experiences
- To conduct analytics and measure website performance
- To improve our products, services, and website
- To detect, investigate, and prevent fraud, security incidents, and other harmful activity
- To comply with legal obligations
- To maintain records and internal business operations
- To conduct advertising and marketing, including targeted or cross-context behavioral advertising
- To create audience segments and measure advertising effectiveness
- To enforce our terms, policies, and other legal rights
---
## 6. Categories of Third Parties to Whom We Disclose Personal Information
In the last 12 months, we may have disclosed Personal Information to the following categories of third parties:
- **Service providers and contractors**
  - Shopify
  - Payment processors
  - Shipping and logistics providers
  - Customer support vendors
  - Email service providers, including Klaviyo
  - Fraud prevention and security vendors
  - Analytics vendors
- **Advertising and marketing partners**
  - Meta
  - Google
  - Other advertising platforms or ad measurement providers [customize if applicable]
- **Professional advisors**
  - Lawyers
  - Accountants
  - Auditors
  - Insurers
- **Government entities or others as required by law**
  - Courts
  - Regulators
  - Law enforcement
  - Parties involved in legal process
- **Parties involved in a business transaction**
  - In connection with a merger, acquisition, financing, reorganization, sale of assets, or similar transaction
---
## 7. Personal Information We Have Collected, Disclosed, Sold, or Shared in the Last 12 Months
The chart below is a template. Customize it to reflect your actual practices.
| Category of Personal Information | Collected | Disclosed for Business Purpose | Sold | Shared for Cross-Context Behavioral Advertising |
|---|---|---:|---:|---:|
| Identifiers | Yes | Yes | No | Yes |
| Customer records information | Yes | Yes | No | No / [Customize] |
| Commercial information | Yes | Yes | No | Yes |
| Internet/network activity | Yes | Yes | No | Yes |
| Geolocation data (general) | Yes | Yes | No | Yes / [Customize] |
| Audio/electronic communications | Yes / No | Yes / No | No | No |
| Inferences | Yes | Yes | No | Yes |
| Sensitive Personal Information | Yes / No | Yes / No | No | No |
**Notes for customization:**
- If you use cookies, Meta Pixel, Google advertising tools, or similar technologies for targeted advertising, some disclosures may qualify as **"sharing"** under California law.
- If you do **not** exchange Personal Information for monetary consideration, you may still be considered to **"share"** Personal Information for cross-context behavioral advertising.
- Update the chart to accurately reflect your actual practices.
For **GlowNest-style operations**, the following categories may be considered **shared** with advertising partners such as Meta and Google:
- Identifiers
- Internet or electronic network activity
- Commercial information
- Inferences
- General geolocation data
We do **not** knowingly sell Personal Information for monetary compensation.
---
## 8. Sale or Sharing of Personal Information
We do **not** sell Personal Information for money.
However, we may **share** certain Personal Information with advertising and marketing partners, such as **Meta** and **Google**, in ways that may be considered "sharing" under California law for purposes of cross-context behavioral advertising.
This may include sharing:
- Identifiers
- Internet or network activity information
- Commercial information
- Inferences
- General location information inferred from IP address or shipping details
These disclosures may occur through:
- Cookies
- Pixels, including Meta Pixel
- Advertising tags
- Similar website tracking technologies
California residents have the right to direct us to stop selling or sharing their Personal Information. To exercise this right, please see **Section 12: Right to Opt-Out of Sale/Sharing** and **Section 15: How to Exercise Your Rights**.
If required by law, we will also honor opt-out preference signals, such as the **Global Privacy Control (GPC)**, for browser-based opt-out requests relating to sale/sharing and targeted advertising.
---
## 9. Retention of Personal Information
We retain Personal Information only for as long as reasonably necessary for the purposes described in this Notice, including to:
- Provide products and services
- Complete transactions
- Maintain customer accounts
- Send requested communications
- Comply with legal, tax, accounting, and reporting obligations
- Detect and prevent fraud
# Privacy Policy for [Company Name]
**Effective Date: [Effective Date, e.g., MM/DD/YYYY]**
[Company Name] ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and protect personal information about California residents under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). It applies to consumers who visit our website at [Website URL, e.g., www.glow-nest.com], make purchases, or interact with our services.
If you are a California resident, you have specific rights regarding your personal information. We do not knowingly collect personal information from children under 16. This policy does not apply to our employees, job applicants, or business contacts.
## 1. Categories of Personal Information We Collect
Over the past 12 months, we have collected the following categories of personal information from California consumers:
- **Identifiers**: Name, email address, postal address, phone number.
- **Commercial information**: Products or services purchased, order history.
- **Financial information**: Payment card numbers, billing details.
- **Internet or other electronic network activity**: Browsing history, cookie data, device information, interactions with our website (e.g., pages viewed, time spent).
- **Geolocation data**: Inferred approximate location from IP address (not precise geolocation).
We do not collect sensitive personal information such as health data, racial or ethnic origin, or precise geolocation.
## 2. Sources of Personal Information
We collect personal information from the following sources:
- **Directly from you**: When you create an account, place an order, sign up for emails, or contact us.
- **Automatically through cookies and tracking technologies**: Via our website, including Meta Pixel and Google Analytics.
- **From third parties**: Service providers like Shopify (e-commerce platform) and Klaviyo (email marketing).
## 3. Business or Commercial Purposes for Collection
We collect and use personal information for the following business or commercial purposes:
- To process orders, manage shipments, and provide customer service.
- To communicate with you, including order confirmations and marketing emails.
- To improve our website, products, and services.
- For advertising and analytics, including targeted ads via Meta and Google.
- To prevent fraud and comply with legal obligations.
- For internal operations, such as data analysis and research.
## 4. Categories of Third Parties We Share Personal Information With
We may share personal information with the following categories of third parties:
- **Service providers**: Shopify (e-commerce and payments), Klaviyo (email marketing), shipping carriers.
- **Advertising partners**: Meta (Facebook/Instagram ads), Google (ads and analytics).
- **Legal and compliance partners**: As required by law or to protect our rights.
We do not share personal information with other companies for their own marketing purposes without your consent.
## 5. Sale or Sharing of Personal Information
- **Sale**: We do not sell personal information for monetary consideration.
- **Sharing**: We share personal information (such as identifiers and internet activity) with advertising partners like Meta and Google for cross-context behavioral advertising (e.g., targeted ads on their platforms). This qualifies as "sharing" under CPRA. California residents can opt out of this sharing (see Section 6).
## 6. Your Consumer Rights
As a California resident, you have the following rights:
- **Right to Know/Access**: Request details about the categories of personal information we collected, sold, or shared about you in the past 12 months, including sources, purposes, and third parties.
- **Right to Delete**: Request deletion of your personal information, subject to exceptions (e.g., completing a transaction).
- **Right to Correct**: Request correction of inaccurate personal information.
- **Right to Opt-Out of Sale/Sharing**: Opt out of the sharing of personal information for targeted advertising. [Insert link to opt-out, e.g., "Click here to opt out" or "Visit our Do Not Sell or Share My Personal Information page"].
- **Right to Limit Use of Sensitive Personal Information**: We do not use or disclose sensitive personal information beyond what is necessary for our services, but you may request limits where applicable.
- **Right to Non-Discrimination**: We will not discriminate against you (e.g., deny services or charge different prices) for exercising your rights.
## 7. How to Exercise Your Rights
To exercise your rights:
1. Submit a verifiable request via:
   - Email: [Contact Email, e.g., privacy@glow-nest.com]
   - Phone: [Phone Number]
   - Mail: [Physical Address]
   - Website form: [Insert link to rights request form]
2. Provide enough information to verify your identity (e.g., email, order number).
3. We respond within 45 days (extendable by 45 days if needed). We honor valid requests twice per 12-month period.
**Authorized Agents**: You may use an authorized agent to submit requests. The agent must provide proof of authorization (e.g., signed permission), and we may verify directly with you.
**Opt-Out Preference Signals**: We honor Global Privacy Control (GPC) signals for opt-out of sharing.
## 8. Notice of Financial Incentives
We do not offer financial incentives or price differences tied to your personal information. If we introduce any in the future, we will provide a separate notice.
## 9. Retention Periods
We retain personal information only as long as necessary for the purposes described above, or as required by law:
- Order data: 7 years for legal/tax purposes.
- Marketing data: Until you unsubscribe or request deletion.
- Analytics data: 12-24 months.
We securely delete or anonymize data when no longer needed.
## 10. Children Under 16
We do not knowingly collect personal information from children under 16. If we learn we have, we delete it promptly. Parents/guardians: Contact us at [Contact Email] if you believe we have collected your child's data.
## 11. Shine the Light and Do Not Track Disclosures
- **California Shine the Light**: Upon request, we will provide a list of third parties to whom we disclosed personal information for their direct marketing purposes (if any). Email [Contact Email] with "Shine the Light Request."
- **Do Not Track**: We do not currently respond to browser "Do Not Track" signals, as the standard is under development. Use our opt-out tools above.
## 12. Changes to This Privacy Policy
We may update this policy. Changes will be posted here with a revised Effective Date. Significant changes will be notified via email or website notice. Continued use after changes means acceptance.
## 13. Contact Us
For questions or requests:
- Email: [Contact Email, e.g., privacy@glow-nest.com]
- Mail: [Physical Address]
- Phone: [Phone Number]
**Disclaimer**: This is a customizable template for CCPA/CPRA compliance and is not legal advice. Laws change, and your specific situation may require adjustments. Consult qualified legal counsel before using or customizing this policy.
## What makes these work

1. **Specify your exact data categories**
   CCPA lists 11 statutory categories of personal information. Your prompt should tell the AI which ones apply to your business rather than asking for a generic list. Giving specifics like 'we collect device identifiers and browsing history but not biometric data' produces a more accurate policy and prevents the AI from including disclosures for data you do not actually collect.
2. **State explicitly whether you sell or share data**
   The most consequential CCPA disclosure is whether you sell or share personal information. Include this fact directly in your prompt. If you run third-party advertising or share identifiers with ad networks, tell the AI so it generates the correct opt-out mechanism. If you do not sell data, saying so explicitly gets you the simpler disclosure language.
3. **Name your third-party vendors and tools**
   Listing the actual tools you use, such as Stripe, Google Analytics, Mailchimp, or AWS, gives the AI enough context to write accurate disclosure language about who receives data and for what purpose. Vague prompts produce vague output. Vendors listed in your prompt also double as a checklist for your data map.
4. **Request the consumer rights section as a standalone block**
   CCPA requires consumer rights disclosures to be easy to find. Ask the AI explicitly to generate a dedicated 'Your California Privacy Rights' section that can be placed prominently in the policy. This also makes attorney review faster because the compliance-critical section is isolated and easy to verify against the statute.
## More example scenarios
Generate a CCPA-compliant privacy policy for an online clothing store. We collect names, email addresses, shipping addresses, payment card information (processed by Stripe), and browsing behavior via Google Analytics. We do not sell personal information. We use email marketing through Klaviyo. California residents should be told their rights under CCPA.
The AI should produce a full privacy policy with sections covering: categories of personal information collected (identifiers, commercial information, internet activity), purposes of collection, disclosure that no personal information is sold, a 'Your California Privacy Rights' section listing the right to know, delete, correct, and opt out of sale/sharing, a method to submit requests (email or web form), and a response timeline of 45 days.
Write a CCPA privacy policy template for a B2B project management SaaS. Our customers are businesses, but we may process personal data of their employees. We collect account registration data, usage logs, and support ticket content. We use AWS for hosting and Intercom for support. We do not sell data. Some employee data from California-based companies may qualify as consumer data under CCPA.
The output should acknowledge the B2B context while still addressing CCPA obligations for California-resident end users. It should include a section on data collected through the platform, list subprocessors, clarify that the business customer is the primary data controller for employee data, and include a California-specific rights section with instructions for individuals to contact their employer or submit requests directly.
Create a CCPA privacy policy for a free mobile game app. We collect device identifiers, IP addresses, and gameplay data. We show ads via Google AdMob and share device identifiers with ad networks for targeted advertising. California users have the right to opt out of the sale or sharing of their personal information. Include an opt-out mechanism.
The policy should explicitly state that sharing device identifiers with ad networks for cross-context behavioral advertising constitutes 'sharing' under CPRA. It should include a 'Do Not Sell or Share My Personal Information' section with a clear opt-out link, list the ad network partners by name or category, and describe how users can exercise their opt-out right including through device-level opt-out settings.
Write a CCPA privacy policy for a meditation and sleep tracking app. We collect user-entered mood data, sleep duration logs, and subscription payment info via Apple In-App Purchase. We are not a covered entity under HIPAA. We share anonymized, aggregated data with research partners. California residents' sensitive personal information includes mental health-related data.
The output should flag mood and mental wellness data as sensitive personal information under CPRA Section 1798.121, include a 'Limit the Use of My Sensitive Personal Information' section and corresponding opt-out right, disclose the research data sharing arrangement with aggregation and anonymization details, and note Apple handles payment processing so payment card data is not collected directly.
Generate a simple CCPA privacy policy for a local restaurant chain launching a loyalty rewards app. We collect names, phone numbers, email addresses, and purchase history. We send SMS and email promotions. We do not sell data. We want a short, plain-language policy that customers can actually understand.
The AI should produce a concise policy in plain English, covering the four required CCPA disclosure elements: categories collected, purpose of collection, consumer rights, and how to submit a request. The tone should be conversational but legally complete. It should include opt-out language for SMS marketing consistent with TCPA as well as CCPA rights disclosures, with a simple email address listed for rights requests.
## Common mistakes to avoid

- **Using a template without customizing data categories**
  Publishing a generic template that lists all 11 CCPA data categories regardless of what you actually collect is a compliance problem, not a solution. Regulators and plaintiffs' attorneys compare what your policy says you collect against what your actual data practices show. Overclaiming creates liability for practices you may not have proper safeguards for.
- **Omitting the opt-out of sale or sharing link**
  If your business shares personal information with ad networks for targeted advertising, CPRA requires a 'Do Not Sell or Share My Personal Information' link on your homepage and in your policy. Many templates skip this because it depends on your specific ad practices. Leaving it out when it applies is a common enforcement trigger.
- **Ignoring the CPRA updates to CCPA**
  The CPRA, effective January 2023, added new rights including the right to correct personal information and restrictions on sensitive personal information. Templates written before 2023 are missing these requirements. Always verify that the output addresses correction rights and the sensitive personal information category if applicable to your data practices.
- **Not updating the policy when data practices change**
  A CCPA privacy policy is not a set-and-forget document. If you add a new analytics tool, start a referral program, or launch an ad-supported tier, your disclosures must reflect the updated practices within a reasonable time. Businesses that publish an AI-generated policy and never revisit it create growing gaps between their stated and actual data practices.
- **Skipping attorney review before publishing**
  An AI draft is a starting point, not a final legal document. CCPA compliance requires accurate characterization of your specific data flows, and errors can result in civil penalties or private right of action for data breaches. Budget for at least one hour of attorney review to confirm the template accurately reflects your practices before the policy goes live.
## Frequently asked questions
Does my small business need a CCPA privacy policy?
The CCPA applies to for-profit businesses that do business in California and meet at least one of three thresholds: annual gross revenue over $25 million, buying or selling personal information of 100,000 or more consumers or households per year, or deriving 50 percent or more of annual revenue from selling consumers' personal information. If you meet any one of these, you need a compliant policy regardless of where your business is physically located.
What must a CCPA privacy policy include?
At minimum, your policy must disclose the categories of personal information you collect, the purposes for collection, the categories of third parties with whom you share information, and a description of consumer rights including the right to know, delete, correct, and opt out of sale or sharing. It must also include instructions for submitting consumer rights requests and a contact method such as a toll-free number or email address.
Is a CCPA privacy policy the same as a GDPR privacy policy?
They overlap but are not the same. Both require transparency about data collection and grant consumers rights over their data. However, GDPR requires a lawful basis for processing and focuses on data minimization, while CCPA focuses more on disclosure and opt-out rights. A policy that covers both is possible, but you should clearly distinguish which rights apply to which users, typically with a California-specific section and an EU-specific section.
Can I use a free CCPA privacy policy template from a generator website?
You can use it as a reference, but generator output is only as accurate as the questions you answered to produce it. Many generators ask limited questions and produce overly generic output. Using AI with a detailed, business-specific prompt and then having counsel review the result typically produces a more accurate policy than most free generators because you control the inputs precisely.
How often do I need to update my CCPA privacy policy?
The CCPA requires that your posted privacy policy reflect your practices for the preceding 12 months. You must update it whenever your data collection or sharing practices materially change. At minimum, review your policy annually. The CPRA amendments that took effect in 2023 are a common reason businesses currently need to update policies that were accurate under the original 2020 CCPA.
What is the difference between CCPA and CPRA for privacy policy purposes?
The CPRA, which took effect January 1, 2023, amended and expanded the CCPA. For your privacy policy, the key additions are: a new right for consumers to correct inaccurate personal information, new rules around sensitive personal information requiring an opt-out or opt-in depending on use, and new data retention disclosure requirements. Any privacy policy template written before 2023 needs to be updated to reflect these additions.