US-California

What must a website privacy policy include under California law?

Data retention notice: 12 months
Response time to requests: 30 days
Do Not Track: Signal disclosure required
Max civil penalty per violation: $7,500

The Short Answer

A website privacy policy in California must disclose what personal information is collected, how it’s used and shared, how users can access or delete their data, and whether the site responds to 'Do Not Track' signals.

What the Law Says

Two California laws impose the main privacy policy requirements on operators of commercial websites and online services that collect personally identifiable information from California residents: the California Online Privacy Protection Act (CalOPPA) and the California Consumer Privacy Act (CCPA), as amended by the CPRA.

Under CalOPPA, any operator of a commercial website or online service that collects personally identifiable information from California residents must conspicuously post a privacy policy. The policy must identify the categories of personal information collected, the categories of third parties with whom the information may be shared, and how the operator responds to 'Do Not Track' signals.

The CCPA/CPRA adds further obligations: businesses must disclose the purposes for collecting personal information, the categories of personal information sold or shared, the right to request deletion or correction, the right to opt out of sale or sharing, and the right to non-discrimination for exercising privacy rights. Businesses must also provide at least two methods for submitting requests (e.g., a toll-free number and a website).

If a business sells or shares personal information, the privacy policy must include a link to the 'Do Not Sell or Share My Personal Information' page. For minors under 16, affirmative consent is required before selling or sharing their data — and for those under 13, parental consent is required.

Statutory Text

An operator of a commercial website or online service that collects personally identifiable information through the website or online service from California residents shall conspicuously post its privacy policy...

Cal. Civ. Code § 22575(a) — Online Privacy Protection Act

Statutory Text

A business shall inform consumers, at or before the point of collection, as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.

Cal. Civ. Code § 1798.100(a) — CCPA

Statutory Text

A business that sells or shares personal information shall provide a clear and conspicuous link on the business's homepage, titled 'Do Not Sell or Share My Personal Information'.

Cal. Civ. Code § 1798.120(a) — CCPA

What to Do

1. Post a clearly labeled, accessible privacy policy on your homepage and every page where personal information is collected.

2. List all categories of personal information collected (e.g., name, email, IP address, geolocation, identifiers, biometric data) and specify purposes (e.g., account creation, analytics, advertising).

3. Disclose whether you sell or share personal information, and if so, provide the 'Do Not Sell or Share My Personal Information' link and a method to submit opt-out requests.

4. Explain how consumers can exercise rights (access, deletion, correction, opt-out) and commit to responding within 45 days (extendable once by 45 days).

5. Update your policy at least annually and notify users of material changes — especially if new data uses or sharing practices are introduced.

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.