CalOPPA: The California Online Privacy Protection Act


by Felix Sebastian

May 30, 2019

CalOPPA: California Online Privacy Protection Act Compliance Guide

On July 1, 2004, the California Online Privacy Protection Act (CalOPPA) went into effect, making California the first US state to pass a dedicated website privacy policy regulation.

This guide simplifies CalOPPA compliance for your online business by summarizing the key legal requirements, and includes a checklist to help your online platforms comply with this major privacy law.

Table of Contents
  1. What is CalOPPA?
  2. What are the Main Compliance Requirements of CalOPPA?
  3. Does CalOPPA Apply to My Business?
  4. CalOPPA Checklist
  5. Conclusion: Create a Comprehensive CalOPPA Privacy Policy

1. What is CalOPPA?

CalOPPA is one of the first data privacy regulations to be implemented in the United States. It’s a vast improvement on current US internet privacy laws, and requires all online businesses that serve users who live in California to have a privacy policy on their website.

Although no federal law requires that websites include a privacy policy, CalOPPA sets legal standards for the presentation, wording, and implementation of privacy policies. The statute pertains to commercial websites and online services (e.g., mobile applications and Facebook applications) that serve or intend to serve consumers in California.

In other words, CalOPPA enables online consumers to rely on a privacy policy posted online, as this landmark regulation holds online service providers accountable to the language of their privacy policies.

2. What are the Main Compliance Requirements of CalOPPA?

CalOPPA’s sole concern is with establishing the essential components of a website’s or app’s privacy policy in order to protect the privacy rights of California residents. To understand CalOPPA’s scope and requirements, you must familiarize yourself with two key concepts:

  • personally identifiable information (PII) and
  • do not track (DNT) requests

Personally Identifiable Information (PII)

In general, personally identifiable information, also known simply as personal data, refers to any piece of tracked user data or personal information (e.g., name, mailing address, telephone number, email address) that can be used to identify an individual user.

Specifically within CalOPPA, the following items, among others, are deemed to be personally identifiable information:

  • first and last name
  • street address
  • email address
  • telephone number
  • social security number
  • IP addresses
  • physical details such as height, weight, and hair color
  • any other data or personal information that can be used in conjunction with the above items to identify individuals (e.g., date of birth or other contact information)

Do Not Track (DNT) Requests

As the name implies, a do not track request is a mechanism through which users of a website can convey their preference regarding the tracking of their online browsing activities by the website.

Internet users can typically toggle a setting on their web browsers to indicate their DNT preference.

CalOPPA California Website Privacy Policy Requirements

Now that you understand PII and DNT requests, you can comply with CalOPPA by ensuring that your California privacy policy satisfies the following requirements:

Privacy Policy Requirements: Content

Your privacy policy must:

  1. State the effective date.
  2. List the types of personally identifiable information you collect (and how users can opt out of data collection).
  3. Explain how users can request to review (and request to delete) their personally identifiable information.
  4. Explain how changes and updates to the privacy policy will be communicated with users.
  5. Say whether personally identifiable information will be shared with any third parties (including services such as Google Analytics, AdSense, live chat tools, and social login integrations).
  6. Say whether a DNT request will be honored or not.

The clause requiring an explanation of how do not track requests are handled was added to the text of CalOPPA by an amendment that took effect on Jan 1, 2014.

Note that this amendment does not require you to adhere to DNT requests from users — your responsibility is only to state how your website or online services handle such requests.

Privacy Policy Requirements: Accessibility

A critical CalOPPA requirement is that your privacy policy be conspicuous.

You can adhere to this stipulation by ensuring the following:

  • Your privacy policy — in full — appears on either the homepage or the first significant page of your website, plus every page where personal information is collected.

This is, of course, atypical of most commercial websites. Therefore, alternatively, you may comply with the following two requirements instead.

  • Your privacy policy is hyperlinked, using text or an icon, on the homepage (or first page after the landing page) using the word Privacy (written in capital letters), and
  • The formatting of this “Privacy” link (i.e., font size, type, and color) must stand out from the surrounding text used on the rest of the webpage.

Privacy Policy Requirements: Enforcement

Finally, CalOPPA-related lawsuits may be brought against you by the Federal Trade Commission (FTC) if you do not adhere to the privacy policy published on your website or application.

Therefore, in addition to meeting the aforementioned key requirements, your operations must adhere to your own website, app, or email privacy policy.

Consequences of Failure to Comply with CalOPPA

The text of CalOPPA itself does not list the consequences of failing to comply with the law. Noncompliance is addressed through the provisions of California’s Unfair Competition Law.

When noncompliance is first noted, you are given 30 days to rectify the situation.

If you fail to comply within this grace period, you will be fined a maximum penalty of $2,500 per violation.

Although this seems like a minor amount, in contrast to privacy laws like the General Data Protection Regulation (GDPR) (€20 million, or even higher) and the Children’s Online Privacy Protection Act (COPPA) ($40,000), note the “per violation” qualification in the CalOPPA. Each visit to your website while your website fails to comply can be deemed a violation, meaning that the fines can quickly multiply.

The highest-profile lawsuit relating to CalOPPA thus far was against Delta Airlines. In 2012, Delta Airlines faced a lawsuit because one of its mobile apps failed to meet the visibility requirement discussed earlier.

Delta Airlines did have a CalOPPA-compliant privacy policy on their main website, but their app did not. This case highlights the importance of ensuring that the privacy policies are comprehensive in that they cover all of your platforms.

The lawsuit was eventually dismissed due to an earlier regulation (The Airline Deregulation Act) that exempts the airline industry from certain government interventions.

However, had this been the case with a company operating in almost any other field, the fine could have been as high as $2.5M with just 1000 app downloads.

Another indicator of the strong influence of CalOPPA is that Google had to include a link to its privacy policy on the Google Search homepage, which was not the case until 2007. Preempting potential legal action, Google responded to several online discussions about its noncompliance with CalOPPA by linking to their privacy policy on the Google homepage.

3. Does CalOPPA Apply to My Business?

If your online business is located in California, or otherwise serves California residents, then CalOPPA applies to you.

Given the transnational nature of online services, your business (or servers) doesn’t need to be physically located in California, or even in the US, for CalOPPA to apply to your business.

Moreover, unlike the CCPA, another California-based consumer privacy regulation, there are no minimum revenue or customer volume thresholds for the law to apply. The sole criterion for CalOPPA to apply is that your website is accessible to users in California.

Remember that, in addition to websites, CalOPPA applies to smartphone and tablet apps, as well.

In fact, in 2012, the California Attorney General’s Office made applying CalOPPA to mobile applications a priority, sending notices to nearly one hundred app owners whose apps did not comply with CalOPPA’s provisions.

We have worked hard to ensure that app developers are aware of their legal obligations to respect the privacy of Californians, but it is critical that we take all necessary steps to enforce California’s privacy laws. – Senator Kamala D. Harris (California AG, 2011–2017)

4. CalOPPA Checklist

As promised, here is a simple, organized checklist to help your websites and applications become CalOPPA compliant.

CalOPPA Compliance Checklist

Following this checklist will help you create a comprehensive privacy policy which fully explains to site users how you handle their personal information.

5. Conclusion: Create a Comprehensive CalOPPA Privacy Policy

Given the relatively narrow scope of CalOPPA, complying is relatively straightforward. If you are subject to this law, the onus falls entirely on you, as the website operator or application owner or manager, to create a compliant privacy policy.

Complying with CalOPPA is also a stepping stone to satisfying the much broader requirements of the CCPA, a stricter California law with global implications. Thus, to save yourself from legal penalties now and down the road, get your CalOPPA compliance efforts started today.



Written by Felix Sebastian

Felix is the managing editor at Termly. With nearly a decade of editorial experience, Felix helps business owners comply with transnational privacy laws by writing and curating compliance guides and law overviews.
