CPRA Step 02

Update your Privacy Policy: Adjust your public notices to comply with the CPRA’s changes

There are several changes you should make to your privacy policy to prepare for the CPRA.

1. Display to the consumer all of their rights and how these can be used:

  • Right to Opt-Out
  • Right to limit the use of sensitive personal information
  • Right to opt-out of automated decision making
  • Right to know about automated decision making
  • Right to Access
  • Right to Delete
  • Right to Correction
  • Right to Data Portability

For example, for the “right to access” their data, you should provide a statement that explains the right and how it can be exercised. Here's an example below.

Right of Access: You may request access to the specific pieces of Personal Information we have about you. You may also request additional details about our information practices, including the categories of Personal Information we collect, the sources of information, the types of third parties we share information with, the types of Personal Information we share for business purposes, and details about the information we have shared, if any. You may request access by visiting our Privacy Center or contacting us via

To learn more about these consumer rights, read the CPRA requirements here

2. If your business is using any automated decision making tools for behavioral inference, analysis, or decision making, you should notify the user.

Provide the user with a written notice of automated decision making in your privacy policy, describing what categories of personal data you are using and for what type of automated decision making.

Note: in the case of automated decision making, you must also notify the user that when they exercise their right to opt-out, you will not discriminate against them. That is to say, if they opt out of automated processing, you will still provide the service to them within reasonable limitations.

3. For each of the 11 categories of data you must have four clear notices as follows:

  • Whether you collect that data: simply confirm whether this is a category of data you collect or not.
  • How you use the data: confirm the purpose for which you use the data.
  • Whether you share it: if you share the data, specify which other parties it is shared with.
  • How long you retain the data: you must specify when the data is disposed of. It is no longer permissible to provide an approximation such as “for as long as is necessary”. The CPRA demands specificity.

The following table is a helpful way to consider how to display this information in your policy.

Note: the table below is filled in with a list of examples. You should complete it for each category using only the categories of data you actually process.

| Data Category | Description | Do we collect | Categories of Use | Data Retention Policy |
| --- | --- | --- | --- | --- |
| Identifiers | Name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name or other similar identifiers | YES | 1. To provide our ecommerce service; 2. Marketing | When your account is deleted or upon request |
| Customer records information | Name, signature, physical characteristics or description, address, telephone number, education, employment, employment history, credit or debit card number, other financial information | YES | 1. Payment processing | When your account is deleted or upon request |
| Characteristics of protected classifications under California or federal law | Race, religion, sexual orientation, gender identity, gender expression, age | No | Not Applicable | Not Applicable |
| Commercial Information | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies | No | Not Applicable | Not Applicable |
| Biometric Information | Hair color, eye color, fingerprints, height, retina scans, facial recognition, voice, and other biometric data | No | Not Applicable | Not Applicable |
| Internet or other electronic network activity information | Browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement | YES | 1. Analysis; 2. Marketing; 3. Third Party Advertising | Not Applicable |
| Geolocation data | Longitude, latitude, sensor data that defines location | No | Not Applicable | Not Applicable |
| Audio, electronic, visual, thermal, olfactory, or similar information | Sensor and sensor-derived data | No | Not Applicable | Not Applicable |
| Professional or employment-related information | Employment history, salary or job application history | No | Not Applicable | Not Applicable |
| Education information | Information that is not “publicly available personally identifiable information” as defined in the California Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99) | No | Not Applicable | Not Applicable |
| Inferences | Drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes | No | Not Applicable | Not Applicable |
| Sensitive Personal Information | Biometric data processed to identify an individual; data about sexual orientation or sex life; financial account details in a combination (for example card number and password); genetic data; government-issued numbers (such as a social security number or a number on a passport or driver's license); health data; philosophical or religious beliefs; precise geolocation; racial or ethnic origin; union membership | No | Not Applicable | Not Applicable |

If you're unsure how to set up your privacy policy, ask a question on the Fides Slack Community, or get Privacy Engineering Intelligence from Ethyca now.