Privacy Policy Template — CCPA, CPRA & 20-State Compliant

Draft a privacy policy that satisfies California, Texas, Virginia and every active US state law. Built for founders, lawyers and small businesses. Download instantly.
4.7/5 · 68 reviews · 25,000+ downloads · Instant download

A privacy policy is the public-facing legal document that tells users, customers, and regulators exactly what personal information your business collects, why it collects it, who it shares the data with, and what rights consumers can exercise over that data. Any U.S. business with a website, mobile app, SaaS product, or e-commerce store now needs one, regardless of size: the question stopped being "do I need a privacy policy" years ago and became "is mine compliant with the twenty state regimes that apply to my visitors". This template is built for founders, in-house counsel, and small business owners who want a single document that satisfies the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the cluster of state laws now in force from Virginia to Rhode Island.

The version generated through Captain.Legal covers consumer rights, opt-out mechanisms, sensitive data categories, retention rules, and the contractual language regulators expect when you share data with vendors or use cookies for advertising.

Compliant with 2026 legislation · 25,000+ clients trust us · From $4.90 / doc · Secure payment · Instant download


What is a privacy policy?

A privacy policy is a written disclosure that describes a business's data practices in enough detail to let a reasonable consumer understand what is happening to their information. It is the legal vehicle through which the notice at collection required by the CCPA, the clear and conspicuous notice required by the Virginia Consumer Data Protection Act, and the equivalent disclosures in seventeen other states are delivered to the public. The policy lives at a stable URL on your website (typically yourdomain.com/privacy), is linked from every page footer, and is referenced in your terms of service, your sign-up flows, and any consent banner you display.

People often confuse a privacy policy with a terms of service or a cookie notice, but the three are distinct and complementary. The terms of service govern the contractual relationship between the user and the business: payment, refunds, intellectual property, dispute resolution. The cookie notice handles the granular consent layer for trackers and is usually surfaced through a banner. The privacy policy is the umbrella document that explains the data lifecycle from the moment information is collected to the moment it is deleted, and it must align with the categories used in any business contract template you sign with vendors or processors. A site without a posted privacy policy is presumed non-compliant in every state that has enacted a comprehensive law, and most state attorneys general treat the absence of a policy as prima facie evidence of a violation.


When do you need this document?

The most common trigger is the launch of any commercial website or app that collects identifiable information from U.S. residents, even something as innocuous as an email signup form or a contact page with name and phone fields. Once a single visitor from California, Colorado, Texas, or Virginia lands on that page, the relevant state law applies if the business meets the volume or revenue threshold, and most thresholds are reached faster than founders expect. A SaaS product processing data on 100,000 consumers annually triggers Virginia, Indiana, and Kentucky simultaneously. A direct-to-consumer e-commerce store that derives more than half its revenue from selling personal data falls under the lower threshold of several Virginia-model statutes, 25,000 consumers instead of 100,000, and is in scope almost immediately. Texas applies regardless of volume the moment the business is not a small business under the SBA definition.

The second trigger is any change to the data practices of an existing business: a new analytics provider, a new advertising pixel, a new marketing automation tool, a new third-party login. Each addition modifies the categories of data collected, the purposes of processing, and the third parties with which data is shared, and the policy must be republished accordingly. The third scenario is investor or enterprise due diligence. A serious B2B buyer will request the privacy policy in the first round of diligence, and a venture investor will flag a missing or outdated policy as a material legal risk in the data room. Sister templates such as the non-disclosure agreement covering CA, NY, TX and Delaware are typically signed at the same stage, which makes the privacy policy a practical companion document. Backdating a policy after a breach has happened is not a legal option: the disclosure obligation runs from the moment of collection, and a policy uploaded the day after an incident does nothing to cure the prior gap.


Key clauses included in our template

The Captain.Legal privacy policy template is structured around the disclosures that the CCPA, the Virginia model statutes, and the 2026 amendments now treat as mandatory. Each clause is drafted to the statutory language of the strictest applicable regime, then softened where weaker states allow.

  • The categories of personal information collected clause maps your data inputs to the CCPA categories defined at Cal. Civ. Code §1798.140(v), plus the sensitive personal information subset added by the CPRA. The clause is written so that adding a new field to your sign-up form does not require a full rewrite: the categories are described at the level of granularity that California's regulations require, with concrete examples drawn from the most common SaaS and e-commerce patterns.
  • The purposes of processing clause explains, for each category, why the business collects the data and how long it retains it. Both the CCPA retention disclosure required since 2023 and the purpose limitation principle of the Virginia-model laws are satisfied here. Vague language like "for business purposes" is replaced by enumerated purposes such as order fulfillment, fraud prevention, analytics, and targeted advertising.
  • The third-party sharing and sale clause distinguishes service providers under contract from third parties receiving data for their own purposes, the line that triggers the Do Not Sell or Share obligation in California and Texas. The clause names the categories of recipients (payment processors, analytics, advertising networks, hosting providers) rather than listing individual vendors, which would force a rewrite every time you swap one tool for another.
  • The consumer rights and how to exercise them clause walks through the rights to access, correct, delete, port, opt out of sale or sharing, opt out of targeted advertising, and limit the use of sensitive data. It includes the 45-day statutory response window of the CCPA, the appeals process required by Virginia-model statutes, and the dual contact channels (web form plus toll-free or email) that California regulations explicitly demand.
  • The cookies, trackers, and Universal Opt-Out clause integrates the Global Privacy Control signal that California, Colorado, Connecticut, Texas, and now Oregon and several others require businesses to honor automatically. The clause connects to whatever consent banner you deploy and aligns the disclosed practices with the actual tags loaded on your site.
  • The changes to this policy clause specifies the notice mechanism for material changes, the 30-day review window that several attorneys general consider best practice, and the archival of prior versions, which has become a litigation-grade requirement in California enforcement actions.

State-specific considerations

California is the most demanding regime in the country and the one that drives most drafting decisions. The CCPA, as amended by the CPRA, applies to any for-profit business that does business in California and meets one of three thresholds : $26.625 million in annual gross revenue, processing personal data of 100,000 or more California consumers or households, or deriving 50% or more of revenue from selling or sharing personal data. The policy must include the Notice at Collection, the Notice of Right to Opt Out, the explicit list of sensitive personal information categories, and a working Do Not Sell or Share My Personal Information link. Since January 1, 2026, the California Privacy Protection Agency's automated decision-making and risk-assessment regulations apply, and the California Delete Act opt-out platform is operational. Settlements published in late 2025 and early 2026 confirm that the agency targets cookie banner failures and unhonored opt-out signals aggressively, with the largest CPPA settlement to date now exceeding $2.75 million.

Texas applies the Texas Data Privacy and Security Act (effective July 1, 2024) to virtually every business that conducts business in Texas or targets Texas residents, with no revenue or volume threshold for businesses that do not qualify as small businesses under the SBA definition. The Texas attorney general's 2025 settlement of more than $1 billion with a major technology company, over location tracking and biometric data practices, reset enforcement expectations across the country and signalled how aggressively the same office can be expected to use the TDPSA. Where sensitive data is sold, the policy must carry the Texas notice in the exact statutory words of Tex. Bus. & Com. Code §541.102(b): "NOTICE: We may sell your sensitive personal data" and, where biometric data is sold, "NOTICE: We may sell your biometric personal data".

Florida operates under the narrower Florida Digital Bill of Rights, which applies only to controllers with global gross revenue above $1 billion that meet additional criteria. Most small businesses are out of scope, but the policy still benefits from including Florida-friendly language because Florida residents may rely on it as a representation. New York has no comprehensive privacy law in force, but the SHIELD Act requires reasonable data security measures and breach notification, and the policy is the natural place to disclose them. The other Virginia-model states (Colorado, Connecticut, Utah, Indiana, Kentucky, Tennessee, Montana, Oregon, Delaware, New Jersey, New Hampshire, Minnesota, Maryland, Nebraska, Iowa, Rhode Island) share the same core structure: opt-in consent for sensitive data, an opt-out for sale, targeted advertising and certain profiling, a consumer appeals process, and a data protection assessment for high-risk processing under Va. Code §59.1-580 or its local equivalent. Utah and Iowa are the lighter variants: they require notice and an opt-out rather than opt-in consent for sensitive data and do not require data protection assessments. The template detects the states you operate in and inserts the right thresholds and notice formulas automatically.


How to fill out this privacy policy

You begin by selecting the states where your customers live, which sets the strictest applicable thresholds and turns on the right disclosure modules. From there, the form asks for the legal name of the business, the type of entity (LLC, corporation, partnership, sole proprietor) and a registered contact email or web form address that consumers can use to exercise their rights. If the entity is still being formed, the articles of incorporation template covering the same state-by-state requirements is a logical first step, since the privacy policy must name a legally constituted controller.

Next, you describe your data practices through plain-English checkboxes: whether you collect names, emails, IP addresses, payment information, geolocation, account credentials, biometric identifiers, and so on, and for each category, the purpose of the collection. You declare the third parties involved, by category rather than by name, and answer two binary questions that drive the entire California and Texas notice: do you sell personal data, and do you share it for cross-context behavioral advertising. The form then asks about cookies, analytics, and any automated decision-making, and adjusts the Universal Opt-Out paragraph to your stack. The final block covers retention periods, the security measures you have in place, the breach notification process, and the contact details for consumer requests. The output is a single Word and PDF document, ready to upload to your CMS at yourdomain.com/privacy and link from your footer alongside your terms and any employment-side HR policies you maintain.


Common mistakes to avoid

The mistake we see most often is the generic generator policy that lists every conceivable practice without checking which ones the business actually engages in. Regulators read the policy as a binding representation, and a policy that claims to honor Global Privacy Control on a site that ignores the signal is worse than a missing policy: it is a written misrepresentation, and California's CPPA has built several enforcement actions on exactly that gap. The second recurring mistake is the forgotten update: the policy was correct when the site launched, then a new analytics tool, a new chatbot, or a new advertising pixel was added without a corresponding rewrite. By the time the consumer files a complaint, the policy describes a world that no longer exists, and the disclosure defense is gone.

A third common error is treating the Do Not Sell or Share link as cosmetic. The link must lead to a working mechanism that actually stops the sale or sharing, propagates the choice to downstream vendors through opt-out preference signals, and respects the consumer's Authorized Agent if one is involved. A non-functional link is the single most cited deficiency in California settlements. The fourth mistake, particularly damaging in B2B contexts, is failing to align the privacy policy with the data processing addenda signed under your non-disclosure and contractor agreements: the categories of personal data, the purposes, and the retention periods must read consistently across the public policy and the private contracts, because regulators and plaintiffs read both. A fifth, often overlooked, is the absence of an appeals process under Virginia-model laws: Indiana, Kentucky, and Rhode Island all require one as of January 1, 2026, and the omission alone is enforceable.
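The two failures above (a policy that promises to honor Global Privacy Control while the site ignores it, and a Do Not Sell or Share link that leads nowhere) are both gaps between the disclosure and the code that loads tags. The following JavaScript is an added example, not code from this page or from the Captain.Legal template, of what honoring the signal means in practice: the GPC signal is read from the `Sec-GPC` request header on the server and from `navigator.globalPrivacyControl` in the browser, combined with the site's own stored opt-out choice, and used to gate which vendor tags may load. The vendor ids, the `do_not_sell_share` cookie name and the downstream parameter names are assumptions for illustration; the `Sec-GPC` header and the navigator property are the ones defined by the GPC specification.

```javascript
// Added example (not from the page or Captain.Legal): honoring a Global
// Privacy Control (GPC) signal and a Do Not Sell or Share choice before any
// advertising tag loads. Vendor ids, the cookie name and the downstream
// parameter names are assumptions for illustration.

// Vendors as they would be categorised in the third-party sharing clause.
// "necessary" and "service_provider" vendors process data on the business's
// behalf; "targeted_advertising" vendors receive data for their own purposes,
// which is the sale/share line that the opt-out must stop. (Assumed list.)
const VENDORS = [
  { id: "hosting-cdn",    purpose: "necessary" },
  { id: "payments",       purpose: "necessary" },
  { id: "analytics",      purpose: "service_provider" },
  { id: "ad-network",     purpose: "targeted_advertising" },
  { id: "retarget-pixel", purpose: "targeted_advertising" },
];
const OPT_OUT_PURPOSES = new Set(["targeted_advertising"]);
const OPT_OUT_COOKIE = "do_not_sell_share"; // assumed first-party cookie name

// Server side: browsers with GPC enabled send the request header `Sec-GPC: 1`.
// Header names are matched case-insensitively; any value other than "1" is
// treated as no signal.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Browser side: the same signal is exposed as navigator.globalPrivacyControl.
// Only a strict boolean true counts, so a truthy string cannot spoof it.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// The site's own Do Not Sell or Share choice, persisted in a first-party cookie
// when the consumer uses the link.
function optOutFromCookie(cookieHeader) {
  return String(cookieHeader || "").split(";").some((part) => {
    const eq = part.indexOf("=");
    if (eq < 0) return false;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    return name === OPT_OUT_COOKIE && value === "1";
  });
}

// Resolve the opt-out state. Any one signal is sufficient: a GPC signal must
// be honored even if the consumer never clicked the Do Not Sell or Share link,
// and a stored link choice survives a browser that later stops sending GPC.
function resolveOptOut({ headers = {}, nav = null, cookieHeader = "" } = {}) {
  const signals = {
    gpcHeader: gpcFromHeaders(headers),
    gpcNavigator: gpcFromNavigator(nav),
    siteChoice: optOutFromCookie(cookieHeader),
  };
  const optedOut = signals.gpcHeader || signals.gpcNavigator || signals.siteChoice;
  return { optedOut, signals };
}

// Gate the tag loader on the resolved state: vendors whose purpose is a sale
// or share are suppressed entirely; everything else loads as usual.
function planTagLoad(optedOut) {
  const allowed = [];
  const suppressed = [];
  for (const vendor of VENDORS) {
    if (optedOut && OPT_OUT_PURPOSES.has(vendor.purpose)) suppressed.push(vendor.id);
    else allowed.push(vendor.id);
  }
  return { allowed, suppressed };
}

// Downstream propagation: the parameters a suppressed vendor is told on its
// next legitimate call so that its own records carry the opt-out.
// The parameter names are placeholders; each network defines its own.
function downstreamOptOutParams(suppressed) {
  return suppressed.map((vendor) => ({ vendor, params: { opt_out: 1, gpc: 1 } }));
}

// Constructed sample request: a GPC-enabled browser with no stored choice.
const sampleRequest = {
  headers: { "Sec-GPC": "1", "user-agent": "example-browser" },
  cookieHeader: "session=abc123",
};
const state = resolveOptOut(sampleRequest);
const plan = planTagLoad(state.optedOut);
console.log(JSON.stringify(
  { state, plan, downstream: downstreamOptOutParams(plan.suppressed) }, null, 2));
```

The server-side and browser-side checks are deliberately both present: a server-rendered page can decide before any script runs, while a client-side tag manager only sees the navigator property, and older browsers may expose one without the other. Whichever side evaluates first, the rule is the same: suppress the sale/share vendors, record the choice, and pass it downstream, so that the behaviour matches the sentence the policy makes about it.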

Frequently Asked Questions

The template produces a written legal disclosure that, once posted on your website and dated, becomes the binding representation of your data practices to consumers and to every state attorney general with jurisdiction. It is drafted to the operative text of the California Consumer Privacy Act, the California Privacy Rights Act, the Virginia Consumer Data Protection Act, the Texas Data Privacy and Security Act, and the seventeen other state regimes in force in 2026. Whether it is legally sufficient for your specific business depends on the accuracy of the information you provide during the form, because a policy that misdescribes the data flows is a misrepresentation regardless of how well it is drafted.

4.7/5

68 verified reviews · 25,000+ downloads

Updated on May 6, 2026