California became the first U.S. state to pass a dedicated data privacy law in 2004 with the California Online Privacy Protection Act (CalOPPA).
In this guide, I help simplify CalOPPA compliance for your online business by summarizing the key legal requirements and presenting a checklist to help your platform comply with this California privacy law.
What Is the California Online Privacy Protection Act (CalOPPA)?

CalOPPA is a California state law and was one of the first data privacy regulations implemented in the United States, enacted on July 1, 2004. It requires all online businesses that serve users in California to have a privacy policy on their website and sets legal standards for the policy’s presentation, wording, and implementation.

While there is no U.S. federal data privacy law, there are several state laws you can learn more about by checking out our interactive US data privacy law tracker map.

CalOPPA Key Terms and Definitions

To understand how to comply with CalOPPA, you must familiarize yourself with the following key terms. I’ve provided the definitions as they appear in the actual text of the law:

What Does the California Online Privacy Protection Act Cover?

CalOPPA covers the privacy rights of residents of California by establishing essential components that must appear in a privacy policy. Any website, app, or online service intended to serve or available to California residents must comply with the law. It therefore has a broad scope: every online consumer can rely on a privacy policy posted online, and online service providers are held accountable for the language they use.

Requirements of the California Online Privacy Protection Act

CalOPPA outlines specific requirements regarding two key concepts:

Personally Identifiable Information (PII)

Qualifying online platforms that collect personally identifiable information (PII) must post a CalOPPA-compliant privacy policy. PII includes any user data that can identify an individual or household, and the text of CalOPPA lists the following specific items:

Any other data or personal information that someone might use in conjunction with the above items to identify individuals (e.g., date of birth) also fits the definition.

The term ‘PII’ is now considered outdated and has been replaced with ‘personal information’ to better align with additional privacy laws, like the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR).

Do Not Track (DNT) Requests

CalOPPA requires websites and apps to clearly explain in their privacy policy whether they honor Do-Not-Track (DNT) requests.
It does not require a website or app to honor DNT requests; it requires only that the site disclose whether or not it honors them. As the name implies, a do-not-track request is a mechanism through which users of a website convey their preference regarding the tracking of their online browsing activities by the website. Internet users can toggle a setting in their web browser to indicate their DNT preference.

CalOPPA is very different from the U.S. state privacy laws listed in the comparison table below, most of which focus on consumer protections. You can compare these laws to CalOPPA in that table.

How Are Consumers Impacted by CalOPPA?

CalOPPA impacts California consumers by providing them with transparent privacy policies, so they know what data a website or online service collects from them and whether the site honors DNT requests. It also makes it easier for those individuals to request that information be corrected or deleted. But internet users outside of California also benefit from CalOPPA: the law makes it so nearly every website has a privacy policy that’s much easier to read and find.

Who Does CalOPPA Apply To?

CalOPPA is a California state law that protects the privacy rights of California residents. Businesses located in California or whose services are available to California users must follow the requirements of CalOPPA.

How Are Businesses Impacted by CalOPPA?

CalOPPA impacts businesses by describing guidelines for making a California-compliant privacy policy.

How Does CalOPPA Affect My Privacy Policy?

Websites and apps that fall under CalOPPA must include the following information in their privacy policy:

The clause requiring an explanation of how businesses handle do-not-track requests was added to CalOPPA via an amendment in January 2014. Note that CalOPPA does not require you to adhere to DNT requests from users; instead, you must state how your website or online service handles such requests.
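The text above explains what a DNT signal is and that CalOPPA obliges you only to disclose how you treat it. If your policy says you honor DNT, the site has to act on the browser’s signal before any tracking script runs. The following is an added example, not code from this article or from Termly: a Node-style JavaScript helper that reads the `DNT` request header, classifies the visitor’s preference, and gates tracking accordingly, plus a small middleware that records the decision on the request. The function names, the `trackingAllowed` request property and the sample requests are constructed for illustration; the `DNT` request header and the `Tk` response header come from the W3C Tracking Preference Expression draft.

```javascript
// Added example (not from the article): honor a visitor's Do-Not-Track signal.
// The DNT request header is defined by the W3C Tracking Preference Expression
// draft: "1" = the user opts out of tracking, "0" = the user consents,
// absent = no preference expressed.
// Assumption: `headers` is a plain object with lower-case keys, the shape of
// Node's http.IncomingMessage.headers.

function dntPreference(headers) {
  const raw = headers["dnt"];
  if (raw === undefined || raw === null) return "unspecified";
  const value = String(raw).trim();
  if (value === "1") return "opt-out";
  if (value === "0") return "opt-in";
  // Any other value is malformed. Treat it as "no preference" rather than
  // as consent, so a broken client never silently enables tracking.
  return "unspecified";
}

// Policy decision behind a privacy-policy statement such as "we honor DNT
// requests". `honorDnt` is the site's stated policy: a site that has disclosed
// that it does NOT honor DNT simply ignores the header (still CalOPPA-
// compliant, because the law only requires the disclosure).
function mayLoadTrackers(headers, honorDnt) {
  if (!honorDnt) return true;
  return dntPreference(headers) !== "opt-out";
}

// Express-style middleware (hypothetical wiring; no framework is imported here)
// that stores the decision on the request so templates can omit tracking tags,
// and answers with the Tk response header from the same W3C draft:
// "N" = not tracking this request, "T" = tracking.
function dntMiddleware(honorDnt) {
  return function (req, res, next) {
    req.trackingAllowed = mayLoadTrackers(req.headers, honorDnt);
    res.setHeader("Tk", req.trackingAllowed ? "T" : "N");
    next();
  };
}

// Constructed sample requests so the file runs stand-alone.
const sampleRequests = [
  { headers: { dnt: "1" } },   // visitor opted out
  { headers: { dnt: "0" } },   // visitor consented
  { headers: {} },             // no preference sent
  { headers: { dnt: "yes" } }, // malformed value
];

for (const req of sampleRequests) {
  console.log(
    JSON.stringify(req.headers),
    "->", dntPreference(req.headers),
    "| trackers allowed when honoring DNT:", mayLoadTrackers(req.headers, true)
  );
}
```

In a template, `req.trackingAllowed` is what decides whether the analytics `<script>` tag is emitted at all; checking the header only after the tracker has already loaded would make the disclosure in your privacy policy untrue.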
Additionally, your privacy policy must meet several accessibility requirements, including the following:

If your business meets the threshold of the California Consumer Privacy Act (CCPA), there are additional privacy policy requirements you must implement.

Who Must Comply With CalOPPA?

Any business that is located in California or that serves California residents must comply with CalOPPA. Online services are transnational by nature, so CalOPPA applies even if your business or servers are not physically located in California, or even in the U.S. Unlike the CCPA, there are no minimum revenue or customer volume thresholds; the sole criterion is whether your services are accessible to users in California. The law’s threshold is so broad that even bloggers with potential visitors from California need a privacy policy for their blog.

In addition to websites, CalOPPA applies to apps on smartphones and tablets. In fact, in 2012, the California Attorney General’s Office sent notices to nearly 100 app owners who weren’t compliant with CalOPPA provisions at the time. “We have worked hard to ensure that app developers are aware of their legal obligations to respect the privacy of Californians,” said the Attorney General at the time, Kamala D. Harris, who went on to serve as Vice President of the United States. She added, “It is critical that we take all necessary steps to enforce California’s privacy laws.”

Who Is Exempt From CalOPPA?

Non-commercial websites that don’t collect PII, and websites or other online services unavailable in California, are exempt from CalOPPA.

How Can Businesses Comply With CalOPPA?

To comply with CalOPPA, businesses must put a conspicuous link to a privacy policy on all websites, apps, and online services. The privacy policy must meet the law’s specific formatting and informational requirements.

How Is CalOPPA Enforced?

The California Attorney General’s Office can enforce the provisions outlined in CalOPPA.
Additionally, CalOPPA-related lawsuits may be brought against you by the Federal Trade Commission (FTC) if you don’t meet the privacy policy requirements on your website or app. When noncompliance is first noted, you have 30 days to rectify the situation. Remember to include data collected through marketing emails in your privacy policy.

Fines and Penalties Under the California Online Privacy Protection Act

Noncompliance under CalOPPA is addressed through the provisions of California’s Unfair Competition Law. If you fail to comply within the 30-day grace period, you face a maximum penalty of $2,500 per violation. You might think these fines seem minor in contrast to privacy laws like the following:

But take note of the “per violation” qualification in CalOPPA: each visit to your website while it is noncompliant may be deemed a separate violation, meaning that the fines multiply quickly.

CalOPPA and Delta

The most high-profile CalOPPA lawsuit was against Delta Airlines in 2012, when its mobile app failed to meet the visibility requirements regarding the placement of its privacy policy. Delta Airlines had a CalOPPA-compliant privacy policy on its main website, but its app did not. The case highlights the importance of ensuring that your privacy policy covers all your platforms, including mobile apps. Eventually, the lawsuit was dismissed due to the Airline Deregulation Act, which exempts the airline industry from specific government interventions. However, had this happened to a company operating in almost any other field, the fine could have been as high as $2.5 million with just 1,000 app downloads.

CalOPPA and Google

Another indicator of the strong influence of CalOPPA is that Google had to include a link to its privacy policy on the Google Search homepage, which happened for the first time in 2007. Preempting potential legal action, Google responded to several online discussions about its noncompliance with CalOPPA by linking to its privacy policy from the Google homepage.
How Termly Helps With CalOPPA Compliance

Termly’s Privacy Policy Generator can help your business comply with CalOPPA and several other data privacy laws. It’s intuitive and effortless to use, removing the hassles and confusion from your privacy compliance journey. All you do is answer simple questions about your business and its data processing activities. The generator makes a unique privacy policy based on your answers, which you can embed on your website or mobile app. It’s that easy!

Are There Other Privacy-Related Laws in California?

California has several other privacy-related laws, including the following:

CalOPPA Checklist

Here is a simple, organized checklist to help your websites and applications become CalOPPA compliant. Following this checklist will help you create a comprehensive privacy policy that thoroughly explains to site users how you handle their personal information.

Summary

If you own a website or app available to Californians, it’s your responsibility to make a privacy policy that complies with CalOPPA. Given CalOPPA’s relatively narrow scope, meeting all guidelines is pretty straightforward. Complying with CalOPPA is also a stepping stone to satisfying the much broader requirements outlined by laws like the CCPA, the strict California-based legislation with global implications. Save yourself from legal penalties now and down the road: start your CalOPPA compliance efforts today using Termly’s Privacy Policy Generator.
Reviewed by
Masha Komnenic CIPP/E, CIPM, CIPT, FIP
Director of Global Privacy
California Data Privacy Laws vs. Other States: Similarities and Differences

The table compares each state law against the following criteria (one column per criterion):

Opt-in consent for certain types of data processing
Opt-out consent for certain types of data processing
Must present users with a privacy policy (or notice)
Requires Data Protection Assessments
Outlines Contractual Obligation with Third-Party Processors
Allows for civil lawsuits or private right of action
Must honor Global Privacy Controls/browser privacy settings

Criteria marked ✓ for each law (one mark per criterion met):

CalOPPA: ✓
CCPA/CPRA: ✓ ✓ ✓ ✓ ✓ ✓ ✓
CPA: ✓ ✓ ✓ ✓ ✓
CTDPA: ✓ ✓ ✓ ✓ ✓
DPDPA: ✓ ✓ ✓ ✓ ✓ ✓
FDBR: ✓ ✓ ✓ ✓
Indiana CDPA: ✓ ✓ ✓ ✓
Iowa CDPA: ✓ ✓ ✓
MCDPA: ✓ ✓ ✓ ✓ ✓
ODPA: ✓ ✓ ✓ ✓ ✓
TIPA: ✓ ✓ ✓ ✓ ✓
TDPSA: ✓ ✓ ✓ ✓ ✓
UCPA: ✓ ✓ ✓
VCDPA: ✓ ✓ ✓ ✓