CCPA § 1798.130(a)(5) requires the privacy policy to disclose, for the 12-month period preceding its effective date, the specific CCPA-defined categories of PI collected (identifiers, internet or other electronic network activity, geolocation data, commercial information, inferences, sensitive PI, and the other categories enumerated in Civil Code § 1798.140), the business or commercial purpose for collecting each, the categories of third parties to whom PI is disclosed, and which categories are sold or shared for cross-context behavioral advertising. A vague policy that says "we may share data with partners" satisfies none of these requirements. The same subsection requires those disclosures to be updated at least once every 12 months, so a policy with no update in that period is non-compliant regardless of its content. Regulators read privacy policies before filing enforcement actions; a CCPA-deficient policy is often exhibit A.
Critical because a non-compliant or absent privacy policy violates CCPA § 1798.130(a)(5) on its face: it is the foundational disclosure the law requires, and every other consumer-facing obligation (notice at collection, opt-out links, responses to consumer requests) is measured against what it discloses.
Restructure your privacy policy using the CCPA-defined category names from Civil Code § 1798.140 rather than generic terms like "personal information", and add distinct sections for PI sold or shared, consumer rights, and third-party disclosures.
## Categories of Personal Information We Collect
| CCPA Category             | Examples We Collect     | Business Purpose          |
|---------------------------|-------------------------|---------------------------|
| Identifiers               | Name, email, IP address | Account creation, service |
| Internet/network activity | Pages visited, clicks   | Analytics, improvement    |
| Commercial information    | Purchase history        | Order fulfillment         |
| Inferences                | Inferred preferences    | Personalization           |
## Sale or Sharing of Personal Information
We share cookie IDs with Google and Meta for cross-context behavioral
advertising ("sharing" under CPRA § 1798.140(ah)).
## Your California Privacy Rights
[Know, Delete, Correct, Opt-Out, Limit SPI Use, Non-Discrimination]
CCPA requires the disclosures to be updated at least once every 12 months; set a calendar reminder accordingly and state the effective date (or last-updated date) prominently at the top of the policy so the 12-month window can be verified.
ID: ccpa-readiness.privacy-disclosures.privacy-policy-categories
Severity: critical
What to look for: Find the privacy policy (/privacy, /privacy-policy, or linked in the footer). CCPA requires the policy to disclose the business's practices for the preceding 12 months and specifically list: (1) the categories of personal information collected, using the CCPA-defined categories (identifiers, commercial information, biometric information, internet or other electronic network activity, geolocation data, professional or employment-related information, inferences drawn, sensitive personal information, etc.), (2) the business or commercial purpose for each category, (3) the categories of third parties to whom the PI is disclosed, and (4) the categories of PI sold or shared for cross-context behavioral advertising. Check whether the policy distinguishes between "disclosed to service providers or contractors" and "sold or shared"; CCPA treats these differently, and a "do not sell or share" statement counts only if it is explicit. Verify the policy covers the 12 months prior to its effective date and that it was updated within the last 12 months. Count every CCPA-defined PI category disclosed in the privacy policy and enumerate which are present vs. missing. Report the ratio of disclosed categories to the CCPA-defined list.
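The counting and staleness steps above can be scripted once the policy has been fetched as plain text. The following is an added example written for this page, not tooling from the checklist or any vendor: it keyword-matches the twelve category names in Civil Code § 1798.140(v), flags the "may share data with partners" pattern, checks that service providers are distinguished from sale/sharing, and tests the last-updated date against a 12-month window. The keyword lists, the date formats accepted, and the two sample policies are my own assumptions and constructed inputs; a keyword hit is a prompt for human review, not a legal determination.

```python
import re
from datetime import date, datetime

# Keyword approximations of the PI categories in Civ. Code § 1798.140(v)(1)(A)-(L).
# Patterns are applied to lowercased text. This list is an assumption for the example.
CCPA_CATEGORIES = {
    "identifiers": [r"\bidentifiers?\b"],
    "customer records (Civ. Code § 1798.80(e))": [r"1798\.80", r"customer records?"],
    "protected classification characteristics": [r"protected classification"],
    "commercial information": [r"commercial information"],
    "biometric information": [r"\bbiometric"],
    "internet or other electronic network activity": [
        r"network activity", r"internet activity", r"browsing history"],
    "geolocation data": [r"geolocation"],
    "audio, electronic, visual, thermal, olfactory or similar information": [
        r"\b(audio|visual|thermal|olfactory)\b"],
    "professional or employment-related information": [
        r"employment-related", r"professional .{0,20}information"],
    "education information": [r"education information"],
    "inferences": [r"\binferences?\b"],
    "sensitive personal information": [r"sensitive personal information"],
}

# Phrasings the check treats as vague (fail criteria); whitespace-tolerant.
VAGUE_PATTERNS = [
    r"may\s+share\s+(?:your\s+)?(?:data|information)\s+with\s+(?:our\s+)?partners",
    r"trusted\s+partners",
    r"third\s+parties\s+for\s+business\s+purposes",
]

# Accepts "Last updated: March 4, 2025" or "Effective date: January 10, 2022".
DATE_RE = re.compile(
    r"(?:last updated|effective date)[:\s]+([A-Za-z]+ \d{1,2}, \d{4})", re.IGNORECASE)


def disclosed_categories(text):
    """Map each CCPA category to True/False depending on whether the policy names it."""
    low = text.lower()
    return {cat: any(re.search(p, low) for p in pats)
            for cat, pats in CCPA_CATEGORIES.items()}


def category_ratio(text):
    """(categories named, categories defined) for the 'report the ratio' step."""
    found = disclosed_categories(text)
    return sum(found.values()), len(found)


def vague_phrases(text):
    """Return the vague-sharing patterns that matched."""
    low = text.lower()
    return [p for p in VAGUE_PATTERNS if re.search(p, low)]


def distinguishes_recipients(text):
    """True when the policy names service providers/contractors AND makes an
    explicit sell/share statement (positive or negative)."""
    low = text.lower()
    names_sp = re.search(r"service providers?|contractors?", low) is not None
    sell_share = re.search(
        r"\b(do not sell|do not share|we sell|we share|sold|shared)\b", low) is not None
    return names_sp and sell_share


def last_updated(text):
    """Parse the policy's last-updated/effective date, or None if absent."""
    m = DATE_RE.search(text)
    return datetime.strptime(m.group(1), "%B %d, %Y").date() if m else None


def is_stale(text, today):
    """Stale if no date is stated or the stated date is more than 12 months old."""
    updated = last_updated(text)
    return updated is None or (today - updated).days > 365


def audit(text, today):
    """Run the checks and return the ratio, missing categories, findings and result."""
    present, total = category_ratio(text)
    findings = []
    if present == 0:
        findings.append("no CCPA-defined PI categories named")
    vague = vague_phrases(text)
    if vague:
        findings.append("vague sharing language: " + "; ".join(vague))
    if not distinguishes_recipients(text):
        findings.append("does not distinguish service providers from sale/sharing")
    if is_stale(text, today):
        findings.append("no update within the last 12 months")
    missing = [c for c, ok in disclosed_categories(text).items() if not ok]
    return {"ratio": f"{present}/{total}", "missing": missing,
            "findings": findings, "result": "fail" if findings else "pass"}


# Constructed sample policies (not from any real site) used as inputs.
SAMPLE_GOOD = """Privacy Policy
Last updated: March 4, 2025
Categories of Personal Information We Collect (preceding 12 months):
- Identifiers (name, email, IP address) for account creation.
- Internet or other electronic network activity (pages visited) for analytics.
- Commercial information (purchase history) for order fulfillment.
- Geolocation data (country from IP) for fraud detection.
- Inferences (preferences) for personalization.
We disclose identifiers to service providers (payments, email delivery) for
the contracted business purpose only. We share identifiers (cookie IDs) with
advertising networks for cross-context behavioral advertising. We do not sell
personal information.
"""

SAMPLE_VAGUE = """Privacy Policy
Effective date: January 10, 2022
We collect personal information to provide our services and may share data
with partners to improve your experience.
"""

if __name__ == "__main__":
    for name, policy in (("good", SAMPLE_GOOD), ("vague", SAMPLE_VAGUE)):
        print(name, audit(policy, date(2025, 6, 1)))
```

The ratio is reported rather than required to be 12/12: a business that genuinely collects only five categories should disclose five. What fails the check is naming none, using the vague phrasing, collapsing service providers into "partners", or a missing or year-old date. Strip HTML before feeding the text in, and treat every hit and miss as something to read in context.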
Pass criteria: Privacy policy discloses all required CCPA categories: PI categories collected with their business purposes, third-party categories to whom PI is disclosed, categories of PI sold or shared (or a statement that no selling/sharing occurs), and consumer rights available. Policy has been updated within the last 12 months. At least 1 implementation must be confirmed.
Fail criteria: No privacy policy exists. Policy exists but uses vague language ("we may share data with partners") without the specific CCPA-required category disclosures. Policy does not distinguish between service providers, contractors, and third parties. Policy has not been updated within 12 months.
Skip (N/A) when: The business does not meet the CCPA applicability thresholds (use the same threshold analysis applied to the other CCPA checks). Document the basis for skipping.
Cross-reference: The notice-at-collection check verifies that inline disclosures at collection points align with the categories disclosed here.
Detail on fail: Specify what is missing. Example: "Privacy policy does not list specific CCPA categories of PI collected (e.g., 'identifiers,' 'internet or other electronic network activity'). Uses vague 'personal information' without CCPA category breakdown." or "Policy does not disclose which categories of PI are sold or shared with third parties for cross-context behavioral advertising."
Remediation: Restructure the privacy policy to match CCPA required disclosures:
CCPA-Compliant Privacy Policy Structure:
## Categories of Personal Information We Collect
| CCPA Category | Examples We Collect | Business Purpose |
|--------------------------------------|----------------------------|-----------------------------|
| Identifiers | Name, email, IP address | Account creation, service |
| Internet/network activity | Pages visited, clicks | Analytics, improvement |
| Geolocation data | Country (from IP) | Fraud detection |
| Commercial information | Purchase history | Order fulfillment |
| Inferences | Preferences inferred | Personalization |
## Categories of Third Parties We Disclose PI To
- Service providers (Stripe for payments, SendGrid for email): disclosed for the contracted business purpose only
- Advertising/analytics partners (Google Analytics, Meta): shared for cross-context behavioral advertising
## Sale or Sharing of Personal Information
We share the following categories of PI with third parties for cross-context behavioral
advertising (which constitutes "sharing" under CPRA):
- Identifiers (cookie IDs) with Google and Meta for ad targeting
## Your California Privacy Rights
[Right to Know, Right to Delete, Right to Correct, Right to Opt-Out, Right to Limit
Sensitive PI Use, Non-Discrimination]
Use CCPA-specific category names (defined in Civil Code § 1798.140) rather than generic descriptions.