Guides | March 28, 2026 | 10 min read

CCPA Privacy Policy Requirements: What Your Policy Must Include in 2026

Your privacy policy is often the first thing regulators check during a CCPA investigation. An outdated or incomplete policy can trigger enforcement action on its own — and it is one of the easiest compliance requirements to get right. This guide covers every element your privacy policy must include under CCPA/CPRA in 2026.

First, check whether CCPA applies to your business using our privacy law calculator. If it does, your privacy policy must meet all of the requirements below.

Mandatory Privacy Policy Disclosures Under CCPA

CCPA (California Civil Code Section 1798.100 et seq.) and the CPPA's implementing regulations require your privacy policy to include specific disclosures. Here is everything your policy must cover:

1. Categories of Personal Information Collected

List every category of personal information you collected in the preceding 12 months. CCPA defines 11 categories including identifiers, commercial information, internet or electronic network activity, geolocation data, professional or employment information, education information, biometric data, audio/visual data, and inferences. You must also disclose whether you collect sensitive personal information and which categories.

2. Sources of Personal Information

Describe the categories of sources from which you collect personal information. Examples include: directly from consumers (web forms, account creation), automatically through tracking technologies (cookies, pixels), from third-party data providers, from publicly available sources, and from service providers.

3. Business Purposes for Collection

Explain the business or commercial purpose for collecting each category of personal information. Common purposes include: providing services requested by the consumer, processing transactions, customer support, marketing and advertising, analytics and improvement, security and fraud prevention, and legal compliance.

4. Third-Party Sharing Disclosures

This section must include:

  • Categories of personal information sold in the preceding 12 months, and to whom. If you have not sold personal information, state that explicitly.
  • Categories of personal information shared for cross-context behavioral advertising in the preceding 12 months, and to whom.
  • Categories of personal information disclosed for a business purpose and the categories of recipients.

5. Retention Periods

CPRA added a requirement to disclose how long you retain each category of personal information, or the criteria used to determine retention periods. This is a common gap in privacy policies drafted before 2023.

6. Consumer Rights Section

Your policy must describe each consumer right under CCPA and explain how to exercise it:

  • Right to Know — how to submit a request and what you will provide.
  • Right to Delete — how to request deletion and any exceptions.
  • Right to Correct — how to request correction of inaccurate data.
  • Right to Opt Out — a link to or description of the opt-out mechanism, including reference to GPC signals. See our Do Not Sell compliance guide.
  • Right to Limit Sensitive Data Use — how to exercise this right if applicable.
  • Right to Non-Discrimination — a statement that you will not discriminate.

7. Contact Information and Request Methods

Provide at least two methods for consumers to submit rights requests. This typically includes a web form (or email address) and a toll-free telephone number. Online-only businesses may be exempt from the toll-free number requirement.

8. Authorized Agent Instructions

Explain how an authorized agent can submit requests on behalf of a consumer, including any verification requirements.

9. Minors' Information

If you have actual knowledge that you collect or sell personal information of consumers under 16, your policy must disclose this and describe your opt-in consent process. If you do not knowingly collect minors' data, state this explicitly.

10. Policy Update Date

Your privacy policy must be updated at least every 12 months and display the date it was last updated.

Common Privacy Policy Mistakes That Trigger Enforcement

Based on recent enforcement actions tracked on our penalty tracker, these are the most common privacy policy deficiencies:

  • Missing opt-out link: The "Do Not Sell or Share My Personal Information" link must be on your homepage and prominently accessible, not buried in the policy.
  • Outdated categories: Failing to update the categories of personal information collected or shared after adding new tracking technologies or analytics tools.
  • No GPC mention: Not disclosing that you honor (or are required to honor) Global Privacy Control signals.
  • Missing retention periods: A post-CPRA requirement that many businesses overlook.
  • Confusing rights descriptions: Using legal jargon instead of plain language to describe consumer rights.

Multi-State Privacy Policy Considerations

If your business operates across multiple states, your privacy policy likely needs to satisfy the requirements of several state privacy laws at once. Virginia, Colorado, Connecticut, and other states have their own privacy policy requirements; many overlap with CCPA, but some differ.

Use our state comparison tool to see how privacy policy requirements differ across states, and check our state privacy law tracker for the latest count of active laws.

Privacy Policy Update Checklist

Run through this quick checklist every time you update your privacy policy:

  1. Are all 11 CCPA personal information categories reviewed and updated?
  2. Are third-party sharing disclosures accurate for the last 12 months?
  3. Is the retention period section complete?
  4. Are all six consumer rights described with clear exercise instructions?
  5. Is there a working "Do Not Sell or Share" link on the homepage?
  6. Is GPC compliance mentioned?
  7. Is the "last updated" date current?
  8. Is the policy written in plain, understandable language?

For a comprehensive compliance assessment, use our privacy law calculator and California compliance checklist.

Last updated: March 28, 2026.

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.