[Privacy Policy Series 2] Key Elements That Must Be Included in a Privacy Policy
When drafting a Privacy Policy, there are certain “must-have” elements that many companies overlook. This article focuses on the key items required under U.S. laws such as the California Consumer Privacy Act (CCPA/CPRA) and the European Union’s General Data Protection Regulation (GDPR).
It’s easy to think, “Our service doesn’t collect much personal information, so we can keep it simple.” However, regulators look not at the volume of information you collect but at whether the information can identify, relate to, or be reasonably linked to an individual or household. Note that the two laws differ in scope: GDPR applies to any controller processing personal data of people in the EU regardless of company size, while CCPA/CPRA applies to businesses that meet its statutory thresholds (annual gross revenue above the inflation-adjusted $25 million mark, buying, selling, or sharing the personal information of 100,000 or more California consumers or households, or deriving 50 percent or more of revenue from selling or sharing personal information). Once a law applies, even a small service must include the required elements in full. The definition of “personal information” continues to broaden, and international privacy laws are becoming increasingly detailed. While template policies are available, the applicable requirements vary depending on the company and the specific use of data, so legal review is strongly recommended.
Five Core Elements Required Under Both CCPA/CPRA and GDPR
1. Categories and Specific Types of Personal Information Collected
CCPA/CPRA enumerates 11 statutory categories of personal information (identifiers, customer records, protected classifications, commercial information, biometric information, internet or other electronic network activity, geolocation data, sensory data, professional or employment information, education information, and inferences), and CPRA added a twelfth, sensitive personal information. The privacy policy must state, for each category, whether it has been collected in the preceding 12 months. GDPR requires listing the categories of personal data in the privacy notice when data is obtained from a source other than the data subject (Art. 14), and in practice policies list them for all processing. A practical approach for dual compliance is to adopt the CCPA/CPRA category framework and add a separate explanation of GDPR’s “special categories” of personal data (Art. 9), which overlap with but are not identical to CPRA’s sensitive personal information.
2. Sources and Methods of Collection
CCPA/CPRA distinguishes between direct and indirect collection and requires disclosure of each source—whether directly from consumers, from third parties, or from publicly available sources. GDPR similarly requires disclosure when data is not obtained directly from the individual.
3. Purpose of Processing – Distinguishing “Business Purpose” and “Commercial Purpose”
Here, CCPA/CPRA and GDPR take different approaches. CCPA/CPRA requires the policy to state the business or commercial purpose for collecting, selling, or sharing each category of personal information. “Business purposes” are the statute’s defined operational uses (e.g., providing the service, security and fraud prevention, debugging, quality assurance, short-term transient use), while “commercial purposes” are uses that advance a commercial interest (e.g., advertising and marketing). The distinction matters in practice because a disclosure to a service provider or contractor for a business purpose is not a “sale” or “sharing,” whereas disclosures for cross-context behavioral advertising are subject to the consumer’s right to opt out. GDPR requires stating each purpose of processing together with its lawful basis under Article 6 (consent, contract performance, legal obligation, vital interests, public task, or legitimate interests), and, where legitimate interests are relied on, what those interests are. For dual compliance, state both the CCPA/CPRA characterization (business or commercial purpose) and the GDPR lawful basis for each purpose.
Sale or Sharing of Personal Information
CCPA/CPRA requires disclosure of the categories of personal information sold or shared in the preceding 12 months and, for each category, the categories of third parties to whom it was sold or shared. The policy must also state whether the business has actual knowledge that it sells or shares the personal information of consumers under 16 years old. Many U.S. websites display a “Do Not Sell or Share My Personal Information” link; this link is required only of businesses that sell or share personal information (including through third-party advertising cookies and pixels). A business that does not sell or share may omit the link but must then say so in its privacy policy.
4. Data Retention and Deletion Policy
GDPR requires retaining personal data only for as long as necessary for the stated purposes, and the privacy notice must state either the retention period or, where that is not possible, the criteria used to determine it (Art. 13(2)(a) and 14(2)(a)).
CPRA added a parallel requirement: at or before collection, a business must tell consumers how long it intends to retain each category of personal information (including sensitive personal information) or, if that is not possible, the criteria used to determine the period, and it may not retain data longer than reasonably necessary for the disclosed purpose. CCPA/CPRA also guarantees the right to request deletion, subject to statutory exceptions (e.g., completing the transaction, detecting security incidents or protecting against malicious activity, debugging, exercising free speech, complying with a legal obligation, and certain internal uses reasonably aligned with consumer expectations). The policy should describe the deletion right and its limits, and when a request is denied the business must tell the consumer which exception it relied on. In practice, businesses should use data mapping to set retention periods for each purpose and system and implement automated deletion processes so that the disclosed periods are actually enforced.
5. Third-Party Disclosures and Cross-Border Data Transfers
CCPA/CPRA distinguishes between:
Business Purpose Disclosures – providing personal information to service providers or contractors under a written contract that restricts them from retaining, using, or disclosing the data for any purpose other than the specified business purpose.
Sales – providing personal information to a third party for monetary or other valuable consideration.
Sharing – providing personal information to a third party for cross-context behavioral advertising, whether or not for money or other consideration.
GDPR has separate requirements for transfers of personal data outside the EU, which must rely on an adequacy decision, appropriate safeguards (e.g., Standard Contractual Clauses), or specific derogations. U.S. transfers may rely on the EU-U.S. Data Privacy Framework or SCCs.
Protecting Consumer Rights
Both laws grant broad rights to individuals, but the scope differs.
CCPA/CPRA – Right to know (access), right to delete, right to opt out of sale/sharing, and right to non-discrimination; CPRA adds the right to correct inaccurate personal information and the right to limit the use and disclosure of sensitive personal information.
GDPR – Right of access, rectification, erasure, restriction of processing, data portability, objection (including to direct marketing), rights related to automated decision-making, the right to withdraw consent, and the right to lodge a complaint with a supervisory authority, each of which the notice must identify.
Under CCPA/CPRA, you must offer at least two designated methods for submitting requests (a toll-free telephone number is required unless the business operates exclusively online and has a direct relationship with the consumer, in which case an email address suffices), confirm receipt within 10 business days, and respond within 45 calendar days (extendable once by a further 45 days). Under GDPR, requests must be answered without undue delay and at most within one month, extendable by two further months for complex or numerous requests, and portability responses must be provided in a structured, commonly used, machine-readable format.
Commonly Overlooked CCPA/CPRA Requirements
Request-handling metrics – A business that knows or reasonably should know that it buys, receives, sells, or shares the personal information of 10 million or more California consumers in a calendar year must compile annual metrics on consumer requests (number received, complied with in whole or in part, and denied, plus the median or mean response time) and publish them in its privacy policy or via a link from it.
Third-party cookies/pixels – Personal information collected on your site through third-party advertising cookies, pixels, or SDKs generally constitutes a sale or sharing unless the recipient is contractually bound as a service provider or contractor, which triggers the opt-out link and honoring of opt-out preference signals such as Global Privacy Control.
Sensitive personal information protections – CPRA treats data like SSN, driver’s license, passport number, biometric data, health, and sexual information as sensitive, requiring special disclosure and purpose limitation.
Non-discrimination – Businesses may not deny services or provide lower quality/prices to those exercising privacy rights, except where differential treatment is reasonably related to the value provided by the data.
Sustaining Compliance Through Monitoring and Updates
Privacy laws evolve continuously. The California Privacy Protection Agency regularly issues new regulations, and the European Data Protection Board releases updated guidelines. Privacy Policies must be updated to reflect these changes and any changes in actual processing activities, such as new data categories collected or new third-party relationships. Version control and change logs are important, and in some cases, direct consumer notification is required.
Practical Tip:
Aligning CCPA/CPRA and GDPR requirements into a single Privacy Policy is achievable by adopting the stricter standard where they differ and ensuring the policy accurately reflects real-world practices. Compliance is not just about documentation—it requires operational alignment in contracts, system design, and governance.
If you need assistance developing a Privacy Policy that meets both CCPA/CPRA and GDPR requirements or implementing a broader data protection strategy, LexSoy Legal LLC can help. Contact us at contact@lexsoy.com.
© LexSoy Legal LLC. All rights reserved.