This guide simplifies CalOPPA compliance for your online business by summarizing the key legal requirements, and includes a checklist to help your online platforms comply with this major privacy law.
1. What is CalOPPA?
2. What are the Main Compliance Requirements of the CalOPPA?
- personally identifiable information (PII) and
- do not track (DNT) requests
Personally Identifiable Information (PII)
In general, PII, also known simply as personal data, refers to any piece of tracked user data (e.g., name, mailing address, phone number, email) that can be used to identify an individual user.
Specifically within the CalOPPA, the following items, among others, are deemed to be PII:
- full name
- mailing address
- email address
- telephone number
- social security number
- any other data that can be used in conjunction with the above items to identify individuals (e.g., date of birth)
Numerous privacy laws, such as the CalOPPA, the California Consumer Privacy Act (CCPA), and the General Data Protection Regulation (GDPR), have regulations governing PII.
Do Not Track (DNT) Requests
As the name implies, a DNT request is a mechanism through which users of a website can convey their preference regarding the tracking of their online browsing activities by the website.
Web users can typically toggle a setting on their internet browsers to indicate their DNT preference.
- State the effective date.
- List the types of PII you collect.
- Explain how users can request to review (and request to delete) their PII.
- State whether PII will be shared with any third parties.
- State whether a DNT request will be honored or not.
The clause stipulating an explanation of how DNT requests should be handled was added to the CalOPPA text via an amendment that became effective on Jan 1, 2014.
Note that this amendment does not require you to adhere to DNT requests from users — your responsibility is only to state how your website handles such requests.
You can adhere to this stipulation by ensuring the following:
This is, of course, atypical of most business websites. Therefore, alternatively, you may comply with the following two requirements instead.
- The formatting of this “Privacy” link (i.e., font size, type, and color) must stand out from that used on the rest of the webpage.
Consequences of Failure to Comply with the CalOPPA
When noncompliance is first noted, you are given 30 days to rectify the situation.
If you fail to comply within this grace period, you will be fined a maximum penalty of $2,500 per violation.
Although this seems like a minor amount compared with the penalties under privacy laws like the GDPR (€20 million, or even higher) and the Children’s Online Privacy Protection Act (COPPA) ($40,000), note the “per violation” qualification in the CalOPPA. Each visit to your website while it fails to comply can be deemed a violation, meaning that the fines can quickly multiply.
The most high-profile lawsuit relating to the CalOPPA thus far was against Delta Airlines. In 2012, Delta Airlines faced a lawsuit because one of its mobile apps failed to meet the visibility requirement that we discussed earlier.
The lawsuit was eventually dismissed due to an earlier regulation (The Airline Deregulation Act) that exempts the airline industry from certain government interventions.
However, had this been the case with a company operating in almost any other field, the fine could have been as high as $2.5M with just 1,000 app downloads.
3. Does the CalOPPA Apply to My Business?
If your online business is located in California, or otherwise serves residents of California, then CalOPPA applies to you.
Given the transnational nature of internet services, your business (or servers) doesn’t need to be physically located in California, or even in the US, for CalOPPA to apply to your business.
Moreover, unlike the CCPA, another California-based privacy regulation, there are no minimum revenue or customer volume thresholds for the law to apply. The sole criterion for CalOPPA to apply is that your website is accessible to users in California.
Remember that, in addition to websites, CalOPPA applies to smartphone and tablet apps, as well.
In fact, in 2012, the California Attorney General’s Office prioritized applying the CalOPPA to applications by sending notices to nearly one hundred app owners whose apps were not compliant with CalOPPA provisions.
We have worked hard to ensure that app developers are aware of their legal obligations to respect the privacy of Californians, but it is critical that we take all necessary steps to enforce California’s privacy laws. – Senator Kamala D. Harris (Attorney General of California, 2011 – 2017)
4. CalOPPA Checklist
As promised, here is a simple, organized checklist to help your websites and applications become CalOPPA compliant.
Given the relatively narrow scope of CalOPPA, full compliance is relatively straightforward. As a website or application owner or manager, the onus of adherence to these stipulations falls entirely on you.
Compliance with CalOPPA is a stepping stone on your way to satisfying the much broader requirements of the CCPA, a stricter piece of California legislation with global implications. Thus, to save yourself from legal penalties now and down the road when the CCPA comes to the fore in 2020, get your CalOPPA compliance efforts started today.