Free CCPA Privacy Policy Generator

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives California residents powerful rights over their personal information. If your website has visitors from California — even if your business is based elsewhere — you may need to comply. LegalForge generates a CCPA-compliant privacy policy that covers all required disclosures, including the right to know, the right to delete, and the right to opt out of the sale of personal information.

What Is the CCPA and Who Must Comply?

The California Consumer Privacy Act applies to for-profit businesses that do business in California and meet one of these thresholds: annual gross revenue over $25 million, buying or selling the personal information of 100,000 or more California residents, or deriving 50% or more of annual revenue from selling or sharing California residents' personal information. Even if you don't meet these thresholds, having a CCPA-compliant privacy policy is a best practice that builds trust with California visitors.

Required CCPA Disclosures in Your Privacy Policy

Under CCPA, your privacy policy must disclose: the categories of personal information collected in the past 12 months, the purposes for which each category is used, the categories of sources from which information is collected, the categories of third parties with whom information is shared, and whether you sell or share personal information. You must also describe the rights of California consumers and provide instructions for submitting data requests. LegalForge's generator includes all of these disclosures automatically.

Consumer Rights Under CCPA/CPRA

California residents have the following rights: the right to know what personal information is collected and how it is used, the right to delete personal information held by a business, the right to opt out of the sale or sharing of personal information, the right to correct inaccurate personal information (added by CPRA), the right to limit the use of sensitive personal information, and the right to non-discrimination for exercising their privacy rights. Your privacy policy must describe each of these rights and how consumers can exercise them.

Do Not Sell or Share My Personal Information

If your business sells or shares personal information (which includes many common practices like targeted advertising via Facebook Pixel or Google Ads), you must provide a 'Do Not Sell or Share My Personal Information' link on your website. This link must be prominently displayed, typically in the footer. You must also honor Global Privacy Control (GPC) signals from browsers. LegalForge generates the required privacy policy language and reminds you to add the opt-out link.

Ready to Create Your CCPA Privacy Policy?

Answer a few simple questions and get a professionally worded document in seconds. Free, no account required.

Frequently Asked Questions

Does my website need to comply with CCPA?

If your business meets any of the CCPA thresholds (over $25M revenue, 100K+ California consumer records, or 50%+ revenue from selling data) and you have California visitors, then yes. Even if you don't meet the thresholds, compliance is recommended as a best practice, especially since many other US states are adopting similar laws.

What is the difference between CCPA and GDPR?

GDPR applies to EU residents and requires opt-in consent for most data processing. CCPA applies to California residents and uses an opt-out model — businesses can collect data but must allow consumers to opt out of its sale. GDPR has broader scope and stricter penalties. Many websites need to comply with both. LegalForge can generate a single privacy policy that satisfies both regulations.

What are the penalties for CCPA non-compliance?

The California Attorney General can bring enforcement actions with fines of up to $2,500 per unintentional violation and $7,500 per intentional violation. Additionally, consumers have a private right of action for data breaches resulting from failure to implement reasonable security measures, with statutory damages of $100 to $750 per consumer per incident.

Does CCPA apply to small businesses?

CCPA has revenue and data volume thresholds that exempt many small businesses. However, if you sell or share the personal information of 100,000 or more California consumers (which can include unique website visitors tracked by cookies), you may be subject to CCPA regardless of your revenue. When in doubt, having a CCPA-compliant privacy policy is the safest approach.
