This guide simplifies CalOPPA compliance for your online business by summarizing the key legal requirements, and includes a checklist to help your online platforms comply with this major privacy law.
1. What is CalOPPA?
2. What are the Main Compliance Requirements of CalOPPA?
- personally identifiable information (PII) and
- do not track (DNT) requests
Personally Identifiable Information (PII)
In general, personally identifiable information, also known simply as personal data, refers to any piece of tracked user data or personal information (e.g., name, mailing address, telephone number, email address) that can be used to identify an individual user.
Specifically within CalOPPA, the following items, among others, are deemed to be personally identifiable information:
- first and last name
- street address
- email address
- telephone number
- social security number
- IP addresses
- physical details such as height, weight, and hair color
- any other data or personal information that can be used in conjunction with the above items to identify individuals (e.g., date of birth or other contact information)
Do Not Track (DNT) Requests
As the name implies, a Do Not Track request is a signal through which users of a website convey whether they want the website to track their online browsing activity.
Internet users can typically toggle a setting in their web browser to indicate their DNT preference.
- State the effective date.
- List the types of personally identifiable information you collect (and how users can opt out of data collection).
- Explain how users can request to review (and request to delete) their personally identifiable information.
- Say whether personally identifiable information will be shared with any third parties (including services such as Google Analytics, AdSense, live chat tools, and social login integrations).
- Say whether a DNT request will be honored or not.
The clause requiring an explanation of how Do Not Track requests are handled was added to the text of CalOPPA by an amendment that took effect on Jan 1, 2014.
Note that this amendment does not require you to honor DNT requests from users; your only obligation is to state how your website or online service handles such requests.
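The DNT mechanism in practice, as an added example that is not part of this guide: a browser with the setting enabled sends a `DNT: 1` request header, and a site whose privacy policy states that it honors DNT must stop injecting its tracking scripts when that header is present, while a site whose policy states that it does not honor DNT may ignore it (the disclosure itself is still required either way). The header semantics used here ("1" means do not track, "0" means tracking allowed, absent means no preference) follow the W3C Tracking Preference Expression draft; the function names, the `policyHonoursDnt` flag and the sample requests are assumptions constructed for this example.

```javascript
// Added example (not from the original guide): server-side detection of the
// browser "DNT" header so a site can honour the preference its privacy policy
// promises to honour. Header semantics assumed here follow the W3C Tracking
// Preference Expression draft: "1" = do not track, "0" = tracking allowed,
// absent = no preference expressed.

// Case-insensitive header lookup: Node's http module lowercases header names,
// but a hand-built headers object may not, so accept either spelling.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return undefined;
}

// Returns "deny" when the user asked not to be tracked, "allow" when they
// explicitly permitted tracking, or "unset" when no (valid) preference was sent.
function dntPreference(headers) {
  const raw = getHeader(headers, "DNT");
  if (raw === undefined) return "unset";
  const value = String(raw).trim();
  if (value === "1") return "deny";
  if (value === "0") return "allow";
  return "unset"; // malformed value: treat as no preference rather than guessing
}

// Decide whether third-party tracking scripts (analytics, ad tags, social
// widgets) may be injected into this response. `policyHonoursDnt` (hypothetical
// flag) mirrors what the site's privacy policy states: a site that says "we
// honour DNT" must disable tracking on "deny"; a site that says "we do not
// honour DNT" may track regardless, because CalOPPA only requires disclosure.
function trackingAllowed(headers, policyHonoursDnt) {
  if (!policyHonoursDnt) return true;
  return dntPreference(headers) !== "deny";
}

// Constructed sample requests to exercise the decision logic.
const sampleRequests = [
  { name: "browser-dnt-on", headers: { dnt: "1", "user-agent": "Mozilla/5.0" } },
  { name: "no-preference",  headers: { "user-agent": "Mozilla/5.0" } },
  { name: "explicit-allow", headers: { DNT: "0" } },
  { name: "garbage-value",  headers: { dnt: "yes" } },
];

for (const req of sampleRequests) {
  console.log(req.name, dntPreference(req.headers), trackingAllowed(req.headers, true));
}
```

The policy flag is kept separate from the header parsing on purpose: the parsing is the same for every site, while the decision to honor the signal is whatever the privacy policy says it is, and the two must not drift apart. Malformed header values are treated as "no preference" so that a broken client never silently disables a disclosed tracking behavior or, worse, enables tracking the policy promised to suppress.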
You can adhere to this stipulation by ensuring the following:
Since this is atypical of most commercial websites, you may instead satisfy the following two requirements.
- The formatting of this “Privacy” link (i.e., font size, type, and color) must stand out from the surrounding text used on the rest of the webpage.
Consequences of Failure to Comply with CalOPPA
The text of CalOPPA itself does not list the consequences of failing to comply with the law. Noncompliance is addressed through the provisions of California’s Unfair Competition Law.
When noncompliance is first noted, you are given 30 days to rectify the situation.
If you fail to comply within this grace period, you can be fined up to $2,500 per violation.
Although this may seem a minor amount compared with privacy laws such as the General Data Protection Regulation (GDPR) (€20 million, or even higher) and the Children’s Online Privacy Protection Act (COPPA) ($40,000), note the “per violation” qualification in CalOPPA. Each visit to your website while it fails to comply can be deemed a separate violation, so the fines can multiply quickly.
The highest-profile lawsuit relating to CalOPPA thus far was against Delta Airlines. In 2012, Delta Airlines faced a lawsuit because one of its mobile apps failed to meet the visibility requirement discussed earlier.
The lawsuit was eventually dismissed due to an earlier regulation (The Airline Deregulation Act) that exempts the airline industry from certain government interventions.
However, had this been the case with a company operating in almost any other field, the fine could have been as high as $2.5M with just 1000 app downloads.
3. Does CalOPPA Apply to My Business?
If your online business is located in California, or otherwise serves California residents, then CalOPPA applies to you.
Given the transnational nature of online services, your business (or servers) doesn’t need to be physically located in California, or even in the US, for CalOPPA to apply to your business.
Moreover, unlike the CCPA, another California-based consumer privacy regulation, there are no minimum revenue or customer volume thresholds for the law to apply. The sole criterion for CalOPPA to apply is that your website is accessible to users in California.
Remember that, in addition to websites, CalOPPA applies to smartphone and tablet apps, as well.
In fact, in 2012 the California Attorney General’s Office prioritized enforcing CalOPPA against mobile applications by sending notices to nearly one hundred app owners whose apps did not comply with its provisions.
We have worked hard to ensure that app developers are aware of their legal obligations to respect the privacy of Californians, but it is critical that we take all necessary steps to enforce California’s privacy laws. – Senator Kamala D. Harris (California AG, 2011–2017)
4. CalOPPA Checklist
As promised, here is a simple, organized checklist to help your websites and applications become CalOPPA compliant.
Complying with CalOPPA is also a stepping stone to satisfying the much broader requirements of the CCPA, a stricter California law with global implications. Thus, to save yourself from legal penalties now and down the road, get your CalOPPA compliance efforts started today.