The California Online Privacy Protection Act (CalOPPA) is a state law that was enacted in 2003 to protect the privacy rights of individuals living in California.
It requires any commercial website or online service that collects personally identifiable information (PII) from California residents to conspicuously post a privacy policy.
This policy must detail the kinds of information gathered, how it is used, and with whom it is shared. Under CalOPPA, the privacy policy must be easy to find and include a date of the last update.
It should also explain how users will be notified of any changes to the policy and how they can review and change the personal information the site has collected about them.
For example, a website collecting email addresses for a newsletter must inform users how they can unsubscribe and manage their information. CalOPPA was the first law in the United States to impose privacy policy requirements on websites.
It applies not only to businesses located in California but also to any website that collects personal information from California residents, making its impact nationwide.
This means that even if your business is based outside of California, you need to comply with CalOPPA if you have users from California.
Additionally, CalOPPA requires that your privacy policy mention how your website responds to Do Not Track (DNT) signals from web browsers.
If your website tracks users over time and across third-party websites, you must disclose this practice.