Page 67 - GDPR and US States General Privacy Laws Deskbook
California Consumer Privacy Act of 2018 (as amended by the
California Privacy Rights Act of 2020) and Related Regulations
11 C.F.R. § 7011. Privacy Policy
(a)  The purpose of the privacy policy is to provide consumers with a comprehensive description of a business’s online and
offline information practices regarding the collection, use, disclosure, and sale of personal information. It shall also inform
consumers about the rights they have regarding their personal information and provide any information
necessary for them to exercise those rights.
(b) The privacy policy shall comply with section 7003, subsections (a) and (b).
(c) The privacy policy shall be available in a format that allows a consumer to print it out as a document.
(d)  The privacy policy shall be posted online and accessible through a conspicuous link that complies with section 7003,
subsections (c) and (d), using the word “privacy” on the business’s website homepage(s) or on the download or landing page
of a mobile application. If the business has a California-specific description of consumers’ privacy rights on its website,
then the privacy policy shall be included in that description. A business that does not operate a website shall make the
privacy policy conspicuously available to consumers. A mobile application may include a link to the privacy policy in the
application’s settings menu.
(e) The privacy policy shall include the following information:
(1) A comprehensive description of the business’s online and offline information practices, which includes the following:
(A)  Identification of the categories of personal information the business has collected about consumers in the preceding
12 months. The categories shall be described using the specific terms set forth in Civil Code section 1798.140,
subdivisions (v)(1)(A) to (K) and (ae)(1) to (2). To the extent that the business has discretion in its description, the
business shall describe the category in a manner that provides consumers a meaningful understanding of the
information being collected.
(B) Identification of the categories of sources from which the personal information is collected.
(C)  Identification of the specific business or commercial purpose for collecting personal information from consumers.
The purpose shall be described in a manner that provides consumers a meaningful understanding of why the
information is collected.
(D)  Identification of the categories of personal information, if any, that the business has sold or shared to third parties
in the preceding 12 months. If the business has not sold or shared consumers’ personal information in the preceding
12 months, the business shall disclose that fact.
(E)  For each category of personal information identified in subsection (e)(1)(D), the categories of third parties to whom
the information was sold or shared.
(F)  Identification of the specific business or commercial purpose for selling or sharing consumers’ personal information.
The purpose shall be described in a manner that provides consumers a meaningful understanding of why the
information is sold or shared.
(G)  A statement regarding whether the business has actual knowledge that it sells or shares the personal information of
consumers under 16 years of age.
(H)  Identification of the categories of personal information, if any, that the business has disclosed for a business purpose
to third parties in the preceding 12 months. If the business has not disclosed consumers’ personal information for
a business purpose in the preceding 12 months, the business shall disclose that fact.


























































