California Online Privacy Protection Act (CalOPPA)

The California Online Privacy Protection Act is a foundational piece of privacy legislation that mandates operators of commercial websites and online businesses to prominently display and maintain a compliant privacy policy.

This means that if you have a small business using a website, a blog running ads, and even mobile applications, and you engage with residents in California, you need to have a privacy policy displayed on all of the online platforms you use.

Here’s the important part – since the internet transcends geographical boundaries, the influence of CalOPPA extends well beyond the confines of California. Yes, you read that right.

This means that regardless of where your business is based on the globe if you collect personal information from California residents, you’re stepping onto the toes of CalOPPA compliance.

Now, let’s explore the details of this important privacy law, its essential provisions, and how you can ensure your small business complies with it.

KEY TAKEAWAYS:
  • The California Online Privacy Protection Act requires operators of commercial websites and online businesses to prominently display a compliant privacy policy.
  • CalOPPA applies to businesses worldwide if they collect personal information from California residents, regardless of their geographical location.
  • Non-compliance with CalOPPA can result in penalties of up to $2,500 per violation with fines accumulating for each individual who visits a non-compliant website.

PRO TIP: Don’t waste your time and take the guesswork out of the legal jargon with this personalized privacy policy generator trusted by over 200,000 businesses.

What Is the California Online Privacy Protection Act (CalOPPA)?

The California Online Privacy Protection Act (CalOPPA), which took effect on July 1, 2004, is a legal framework that requires online businesses to have a transparent and easily accessible privacy policy on their website.

CalOPPA was established to protect the personal information of individuals who visit your website or use your online services. It was the first state law in the United States to establish a comprehensive requirement for privacy policies.

It’s worth noting that, regardless of the size of your business and your geographical location, if your business’ website is accessible to California residents, and you collect Personally Identifiable Information (PII) from them, complying with CalOPPA is imperative, as it protects both your business and your customers’ trust.

There’s also a strong emphasis on accessibility. It’s not enough to just have a privacy policy, you must prominently display it on your website or online platform, ensuring that it’s easily visible to your users.

CalOPPA was then amended in 2013 to address the emerging issue of ‘online tracking’, where personal information about individual consumers is collected as they navigate across various websites and online services. This raised concerns about user privacy.

To tackle this, Do Not Track (DNT) technology was introduced, allowing consumers to signal their preference not to be tracked via their web browsers.

In a nutshell, CalOPPA directly impacts you as a small online business owner if you engage with residents from California. Non-compliance can lead to penalties, with the California Attorney General’s Office having the authority to take action.

ALSO READ: Personalized Privacy Statement Template

PRO TIP: Treat CalOPPA compliance as not just a legal requirement, but as a commitment to user privacy, which can help your business establish trust among your customers and users.

What Are the General Definitions of CalOPPA?

Before we dive deeper into CalOPPA’s mandates, let’s first lay a strong foundation by understanding some basic definitions. While these terms help clarify CalOPPA’s scope, you can treat this as your roadmap to keeping your online business on the right track to compliance.

  • Personally Identifiable Information (PII): This encompasses information that can be used to identify an individual, such as names, physical or email addresses, and Social Security numbers. Essentially, any data that can pinpoint a person’s identity falls under this category.
  • Operator: CalOPPA refers to operators as entities responsible for the ownership, operation, or management of commercial websites or online services. As a small business owner, you are considered an operator if you run online platforms that involve collecting personal user data.
  • Commercial Website or Online Service: CalOPPA applies to platforms that engage in commercial activities by gathering data from individuals. Whether you run an e-commerce site, a blog with ads, a mobile app, or any online service that involves transactions or user interactions, your platform likely qualifies as a “commercial website or online service.”
  • Privacy Policy: Your privacy statement is a legal blueprint that outlines your business’s practices regarding data collection and usage. It’s not just a formality; it’s a binding commitment that informs your users and customers about how their personal information will be handled.
  • Conspicuous Posting: This concept highlights the importance of making your privacy notice easily accessible and visible to your users. It’s not enough to simply have a privacy document buried deep within your website; it should be prominently displayed and effortlessly discoverable, often through a direct link on your website’s homepage or within your app’s interface.
  • Do Not Track (DNT): DNT is a mechanism or feature that allows users to choose whether their online activities and the collection of their personal information across different websites, should be tracked or not.

Who Does CalOPPA Apply To?

CalOPPA applies to operators of commercial websites and online services, regardless of whether they’re situated within or outside California’s borders. Simply put, it applies to online businesses collecting PII from Californians.

It’s important to note that the reach of CalOPPA isn’t confined to geographical location; rather, it hinges on your interaction with California residents.

Whether you manage a website from within the U.S. or in other parts of the globe, if your website or online service collects personal data from California residents, CalOPPA’s requirements are applicable to your business.

I’ve come across businesses wrongly assuming that CalOPPA doesn’t concern them since they’re not within the US’s boundaries. Don’t fall for that incorrect assumption.

Remember, It’s not about where your business is situated; it revolves around whom you serve.

How Can Businesses Comply With CalOPPA?

Even though the demands of this privacy act might appear daunting, your business must adhere to the CalOPPA without exception. By following the correct procedures, you can streamline the process and align with its requirements.

Here’s your guide on how to ensure your privacy notice aligns with CalOPPA’s requirements:

1. Indicate Date of Effectivity

Start by clearly indicating the date when your privacy policy became effective. This ensures users can readily determine the policy’s currency and relevance to their interactions with your platform.

If you look at Apple’s policy, it clearly indicates the date it was last updated:

Modification date in Apple privacy policy.

2. Provide the Types of PII You Collect

Transparency is at the core of CalOPPA. Thus, your policy should explicitly outline the categories of PII you collect from users. Additionally, it’s essential to provide a user-friendly mechanism for individuals to opt out of this data collection should they choose to do so.

Using Apple as an example again, you can see from this excerpt on their privacy statement a list of personal data they collect:

"Personal data apple collects from you" clauses in Apple privacy policy.

3. Enable Users to Access and Manage Their Personal Information

Inform your users on how they can access and request modification of their personally identifiable information. By providing clear instructions on how consumers can review and request changes or even delete their information, you demonstrate your commitment to user privacy, build trust, and give individuals control over their data.

Giving the ability to exercise choice regarding personal data not only complies with CalOPPA but also enhances your relationship with your users.

You can see Netflix’s privacy here informing users of their rights to access, correct, and delete their personal data.

"Your information and rights" clauses in Netflix privacy statement.

4. Notify Users About Third-Party Sharing

Ensure your users are informed about whether their personally identifiable information may be shared with third parties. This disclosure should encompass services like Google Analytics, AdSense, live chat tools, or social login integrations. By being transparent about these data-sharing practices, you not only meet CalOPPA requirements but also build trust with your users by keeping them informed about how their information may be utilized beyond your platform.

Apple explains ways they share your personal information with third parties and the reasons why they do so:

"Apple's sharing of personal data" clauses in Apple privacy policy.

5. Make Your Privacy Policy Accessible

CalOPPA places a strong emphasis on the accessibility of your privacy notice. To meet this requirement, you need to consider the following:

  • Visible Placement: Make your privacy policy readily accessible to users. You can achieve this by ensuring that your privacy notice appears on your homepage or the first significant page of your website. Additionally, it should be prominently displayed on any page where personal information is collected. This approach aligns with the atypical nature of most commercial websites.
  • Hyperlinked Policy: Alternatively, you can meet accessibility requirements through hyperlinks. On your homepage or the first page after the landing page, include a link labeled “Privacy Policy”. Ensure that the formatting of this link, font, or color does not make it difficult to see it. You also want to keep text of the same size as the surrounding text so it looks natural and not obscure or hard to see. If possible, you can have the text link written in capital letters or use a color that contrasts the rest.

6. Explain How Your Business Handles DNT Requests:

Clarity in addressing Do Not Track (DNT) requests is essential for user privacy. Even though CalOPPA doesn’t make it mandatory to comply with DNT requests, it does emphasize the importance of explaining your platform’s approach to handling such requests.

This explanation provides users with a clear understanding of how their privacy preferences are respected and managed within your website or online service.

As an example, here is Netflix’s statement regarding DNT signals:

"We do not respond to web browser 'do not track' signals" emphasized in yellow highlight in Netflix privacy policy.

7. Notify Users Regarding Updates on Your Privacy Policy

Keeping your users in the loop about updates to your privacy policy is an essential aspect of maintaining trust. Over time, as your business grows and adapts to changing circumstances, updates to your privacy policy may be necessary.

It’s important to establish a clear and transparent method for communicating these changes to your users. By doing so, you ensure that your audience remains well-informed about any alterations to how their data is handled.

You can see here that Google informs its users that they regularly update their privacy policy:

"Changes to this policy" clause in Google privacy policy.

8. Consider the Attorney General’s Recommendations

The Attorney General’s Office, in line with its mission to protect Californians’ privacy rights, released a set of recommendations titled “Making Your Privacy Practices Public”. The aim of these recommendations is to encourage businesses to develop clear, easily understandable, and user-friendly privacy policies that address essential data practices.

These are the highlights of the recommendation:

  • Readability: Use clear and simple language, avoiding technical or legal terms. Structure the policy in an easy-to-read format, like a layered style.
  • Online Tracking: Clearly label the section where you explain your approach to online tracking, using terms like “How We Handle Do Not Track Signals” or “California Do Not Track Information.” You should also explain how you respond to a browser’s Do Not Track signal, rather than simply linking to a “choice program”. You also need to state whether other parties might collect users’ PII while they’re on your platform.
  • Data Use and Sharing: Clarify how you use PII beyond what’s necessary for customer transactions or basic service functions. Whenever possible, provide links to the privacy policies of third parties with whom you share or disclose the information.
  • Individual Choice and Access: Describe the choices users have regarding the collection, use, and sharing of their personal information.
  • Accountability: Inform your customers about whom they can contact if they have questions or concerns about your privacy policies and practices. Being able to get contacted physically or online is preferable to give your customers choices.

Who Enforces CalOPPA?

The enforcement of CalOPPA is overseen by the California Attorney General’s Office. This office plays the important role of safeguarding Californians’ rights and interests, including their data privacy.

The Attorney General, as the state’s top legal official, is responsible for ensuring that businesses comply with CalOPPA, protecting consumers from privacy violations, and promoting online transparency and trust.

The Attorney General is dedicated to upholding California’s commitment to privacy and data protection. So as a small business owner who engages with the residents of California, you also need to be committed to complying with CalOPPA, or you may face serious legal implications from this office.

What Are the Penalties for Violating CalOPPA?

CalOPPA commissions the California Attorney General to take action against website operators who fail to comply with its regulations. CalOPPA itself lacks a specific enforcement mechanism, so it falls under the broader scope of California’s Unfair Competition Law (UCL) to address non-compliance.

The UCL defines “unfair competition” as any “unlawful, unfair, or fraudulent business practice.” Violating CalOPPA by, for instance, failing to post a privacy policy or not adhering to a posted policy is considered unfair competition.

When a violation of CalOPPA is initially identified, businesses are granted a grace period of 30 days to correct the situation. This grace period reflects a reasonable opportunity during which the website operators must rectify their privacy practices.

However, if the operator doesn’t take corrective measures within this 30-day window, the California Attorney General’s office can take legal action which can include seeking civil penalties.

Civil penalties can be substantial, reaching up to $2,500 for each CalOPPA violation. Determining the civil penalty involves several factors presented during the case, including:

  • The nature and gravity of the misconduct.
  • The number of violations.
  • The continuous nature of the misconduct.
  • The duration over which the misconduct took place.
  • The intentionality behind the defendant’s misconduct.
  • The financial situation of the defendant, including assets, liabilities, and net worth.

It’s also important to highlight that non-compliance has a compounding effect. Each violation incurs a fine, and these fines can accumulate significantly.

This means that each visitor to your website during the period when your site is not in compliance with CalOPPA can be counted as a separate violation.

So if multiple users access your non-compliant website, each visit can result in a separate fine.

The financial impact of noncompliance can escalate significantly, underscoring the urgency of adhering to CalOPPA’s provisions.

Examples of CalOPPA Violations

One of the most prominent CalOPPA-related lawsuits involved Delta Airlines, making it a notable case study in the realm of privacy compliance. In 2012, Delta Airlines faced legal action due to non-compliance with CalOPPA’s visibility requirements.

While Delta Airlines did maintain a CalOPPA-compliant privacy policy on its primary website, this policy was absent from one of its mobile applications. This scenario reflects the need for transparent and accessible privacy policies that cover all online platforms a business uses.

However, the lawsuit was eventually dismissed due to a pre-existing regulation known as the Airline Deregulation Act, which provides certain exemptions to the airline industry, shielding them from certain government interventions.

Delta Airlines may have managed to prevent significant legal consequences, but for small business owners, the situation might not play out the same way.

Keep in mind that if a similar situation occurred within a different industry, the resulting financial penalties could be substantial. To put it in perspective, with just 1,000 app downloads, the fines could soar as high as $2.5 million.

How Does CalOPPA Compare to Other Data Privacy Laws?

Among the several data privacy regulations in the world, CalOPPA holds a unique position, because it focuses on a specific aspect of data protection: transparency through a privacy policy disclosure. This sets it apart from other prominent privacy laws, such as the General Data Protection Regulation (GDPR).

GDPR, the General Data Protection Regulation, takes a broader international approach. It applies to all businesses processing data of individuals residing in the EU, regardless of the business’s location. In contrast to CalOPPA, GDPR emphasizes extensive data protection principles, including data minimization and purpose limitation.

GDPR also grants a wide range of rights to individuals, such as data access and deletion.

Compared to CalOPPA, which enforces a penalty of $2500 per violation, GDPR’s violation penalty can potentially reach up to €20 million ($21 million) or 4% of the company’s global annual revenue.

Another law that also focuses on consumers residing in California is the California Consumer Privacy Act (CCPA). Though it applies to the same residents, CCPA is more comprehensive and grants specific consumer rights, including access, deletion, and opting out of data sales.

While CalOPPA is all about transparency, both the CCPA and the GDPR aim to give consumers more control over their personal data.

Brazil’s LGPD, or Lei Geral de Proteção de Dados, is also another privacy law that closely resembles GDPR in many aspects. LGPD also gives Brazilians a wide range of rights over their data, including access, correction, and deletion.

However, LGPD’s enforcement mechanisms are not as stringent as GDPR.

The main point to remember here is that even though these laws have their unique details and rules, they all emphasize one paramount concept: you need to handle personal data with care and honesty.

Frequently Asked Questions

What is the California Online Privacy Protection Act (CalOPPA)?

The California Online Privacy Protection Act is a privacy law that requires commercial websites and online businesses to have a transparent and easily accessible privacy policy.

Who does CalOPPA apply to?

CalOPPA applies to operators of commercial websites and online services that collect personally identifiable information (PII) from California residents.

Who enforces CalOPPA?

CalOPPA is enforced by the California Attorney General’s Office, which is responsible for ensuring compliance with the law and protecting consumers’ data privacy.

What are the penalties for violating CalOPPA?

Violating CalOPPA can result in civil penalties of up to $2,500 per violation. The financial impact can be significant as each visit to a non-compliant website can be counted as a separate violation.

Gabriela Dascalescu
CS50L, FIP, CIPP/E, CIPM, CIPT
Gabriela is a privacy expert and data protection officer who focuses on translating legalese. She dedicates to staying updated on tech and digital law developments to help clients get compliant with privacy regulations and legal tech requirements. She provides clear and concise legal advice, considering business objectives and interdisciplinary expertise. She integrates knowledge from various legal fields to offer comprehensive solutions in today's interconnected world.