Compliance

CCPA privacy policy generator

Generate a California-compliant privacy policy with the "Do Not Sell or Share" link, free.

Generate CCPA-ready policy Free · no signup · hosted public URL

CCPA vs CPRA — what changed

The California Privacy Rights Act (CPRA) took effect on 1 January 2023 and amended the original CCPA. The big additions: the new category of sensitive personal information, a "Right to Limit" disclosure for that category, the "Do Not Sell or Share My Personal Information" link (sharing now covers cross-context behavioural advertising), and a 12-month data inventory requirement. The generator emits all four.

The "Do Not Sell or Share" link

If you serve programmatic ads, run Meta Pixel, or pass conversion data to ad networks via cookie or device ID, you are "sharing" personal information under CPRA. Your privacy policy and your homepage footer must carry a link titled "Do Not Sell or Share My Personal Information" or "Your Privacy Choices". The generator outputs a section explaining the link and a footer snippet you can paste into your site.

Categories of personal information

CCPA defines eleven categories (identifiers, customer records, characteristics, commercial info, biometric data, internet activity, geolocation, sensory data, professional info, education info, inferences). The generator maps each item you collect to the correct category and lists them in the standard table format Californian regulators expect.

Ready to publish?

Answer six questions, get a hosted public URL the App Store, Google Play, and ad networks accept. No credit card.

Generate CCPA-ready policy

Frequently asked questions

Does CCPA apply to my small business?

CCPA applies to for-profit entities doing business in California that meet one of: (a) $25M+ annual revenue, (b) buy/sell/share PI of 100,000+ consumers or households, or (c) derive 50%+ revenue from selling/sharing PI. If none apply, CCPA does not apply — but adding the policy is cheap insurance for when you grow.

What is "sharing" under CPRA?

Disclosing personal information to a third party for cross-context behavioural advertising, whether or not money changes hands. This catches Meta Pixel, Google Ads remarketing, and most ad-tech setups.

How do I honour a "Do Not Sell" request?

You must stop sharing the user's data with ad networks and inform downstream parties to do the same. Most CDPs (Segment, RudderStack) and CMPs (OneTrust, Cookiebot) automate this when the request comes through. The generator describes the user-facing flow.