CalOPPA: The California Online Privacy Protection Act Explained

By: Josh Langeland, CIPM | Updated on: November 12, 2024

Reviewed by: Masha Komnenic CIPP/E, CIPM, CIPT, FIP


California became the first U.S. state to pass a dedicated data privacy law in 2004 with the California Online Privacy Protection Act (CalOPPA).

In this guide, I help simplify CalOPPA compliance for your online business by summarizing the key legal requirements and presenting a checklist to help your platform comply with this California privacy law.

Table of Contents
  1. What Is the California Online Privacy Protection Act (CalOPPA)?
  2. CalOPPA Key Terms and Definitions
  3. What Does the California Online Privacy Protection Act Cover?
  4. Requirements of the California Online Privacy Protection Act
  5. California Data Privacy Laws vs. Other States: Similarities and Differences
  6. How Are Consumers Impacted by CalOPPA?
  7. How Are Businesses Impacted by CalOPPA?
  8. Who Must Comply With CalOPPA?
  9. How Can Businesses Comply With CalOPPA?
  10. How Is CalOPPA Enforced?
  11. Fines and Penalties Under the California Online Privacy Protection Act
  12. How Termly Helps With CalOPPA Compliance
  13. Are There Other Privacy-Related Laws in California?
  14. CalOPPA Checklist
  15. Summary

What Is the California Online Privacy Protection Act (CalOPPA)?

CalOPPA is a California state law and was one of the first data privacy regulations implemented in the United States — enacted on July 1, 2004.

It requires all online businesses that serve users in California to have a privacy policy on their website and sets legal standards for the policy’s presentation, wording, and implementation.

While there is no U.S. federal data privacy law, there are several state laws you can learn more about by checking out our interactive US data privacy law tracker map.

CalOPPA Key Terms and Definitions

To understand how to comply with CalOPPA, you must familiarize yourself with the following key terms — I’ve provided the definitions as they appear in the actual text of the law:

What Does the California Online Privacy Protection Act Cover?

CalOPPA covers the privacy rights of residents of California by establishing essential components that must appear in a privacy policy.

Any website, app, or online service intended to serve or available to California residents must comply with the law.

It therefore has a broad scope: it enables all online consumers to rely on a privacy policy posted online and holds those online service providers accountable for the language they use.

Requirements of the California Online Privacy Protection Act

CalOPPA outlines specific requirements regarding two key concepts:

  1. Personally identifiable information (PII)
  2. Do not track (DNT) requests

Personally Identifiable Information (PII)

Qualifying online platforms that collect personally identifiable information (PII) must post a CalOPPA-compliant privacy policy.

PII includes any user data that can identify an individual or household, and the text of CalOPPA lists the following specific items:

  • First and last name
  • Street address
  • Email address
  • Telephone number
  • Social security number
  • IP address
  • Physical details such as height, weight, and hair color

Any other data or personal information that someone might use in conjunction with the above items to identify individuals (e.g., date of birth) also fits the definition.

The term ‘PII’ is now considered outdated and has been replaced with personal information to better account for additional privacy laws, like the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR).

Do Not Track (DNT) Requests

CalOPPA requires websites and apps to state clearly in their privacy policy whether they honor Do-Not-Track (DNT) requests. It does not require that a website or app actually honor DNT requests; it only requires disclosing whether they do or do not.

As the name implies, a do-not-track request is a mechanism through which users of a website convey their preference regarding the tracking of their online browsing activities by the website.

Internet users can toggle a setting on their web browsers to indicate their DNT preference.

California Data Privacy Laws vs. Other States: Similarities and Differences

CalOPPA is very different from the U.S. state privacy laws listed below, most of which focus on consumer protections.

You can compare these laws to CalOPPA in the table below.

The comparison covers the following criteria for each law:

  • Opt-in consent for certain types of data processing
  • Opt-out consent for certain types of data processing
  • Must present users with a privacy policy (or notice)
  • Requires data protection assessments
  • Outlines contractual obligations with third-party processors
  • Allows for civil lawsuits or a private right of action
  • Must honor Global Privacy Controls/browser privacy settings

Laws compared: CalOPPA, CCPA/CPRA, CPA, CTDPA, DPDPA, FDBR, Indiana CDPA, Iowa CDPA, MCDPA, ODPA, TIPA, TDPSA, UCPA, VCDPA.

How Are Consumers Impacted by CalOPPA?

CalOPPA impacts California consumers by providing them with transparent privacy policies so they know what data a website or online service collects from them and if the site honors DNT requests or not.

It also makes it easier for those individuals to request that information be corrected or deleted.

But internet users outside of California also benefit from CalOPPA — the law makes it so nearly every website has a privacy policy that’s much easier to read and find.

Who Does CalOPPA Apply To?

CalOPPA is a California state law that protects the privacy rights of California residents.

Businesses located in California or whose services are available to California users must follow the requirements of CalOPPA.

How Are Businesses Impacted by CalOPPA?

CalOPPA impacts businesses by describing guidelines for making a California-compliant privacy policy.

How Does CalOPPA Affect My Privacy Policy?

Websites and apps that fall under CalOPPA must include the following information in their privacy policy:

  • The effective date,
  • A list of the types of PII that are collected and how users can opt out of data collection,
  • An explanation of how users can request to review and delete their PII,
  • An explanation of updates and changes to the privacy policy communicated to users,
  • A statement of whether PII is shared with any third parties (including Google Analytics, AdSense, live chat tools, social login integrations, etc.),
  • A statement of whether DNT requests are honored or not.

The clause requiring an explanation of how businesses handle Do Not Track requests was added to CalOPPA via an amendment in January 2014.

Note that CalOPPA does not require you to adhere to DNT requests from users — instead, you must state how your website or online service handles such requests.

Additionally, your privacy policy must meet several accessibility requirements, including the following:

  • Be conspicuous and easy to find
  • Appear in full on either the homepage or the first significant page of your website, plus every page where personal information is collected
  • If it does not appear in full, the privacy policy must be hyperlinked, using text or an icon, on the homepage or the first page after the landing page. The link text must use the word ‘PRIVACY’ written in capital letters, and the formatting of the ‘PRIVACY’ link (i.e., font size, type, and color) must stand out from the surrounding text on the rest of the webpage.
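
As an added example (not code from the Termly article), the following JavaScript turns two of the points above into checks a site owner can script: it normalizes the browser’s DNT preference so the DNT statement you disclose matches what your tracking code actually does, and it audits a homepage’s links for the conspicuous ‘PRIVACY’ link the law describes. The navigator objects, link descriptors, and style fields are constructed inputs for illustration, not live browser or page data.

```javascript
// Added example, not from the article. Constructed inputs only.

// Normalise the browser DNT signal. Browsers have exposed it under
// several names and encodings: "1"/"0", "yes"/"no", "unspecified",
// or absent entirely. Returns "enabled", "disabled" or "unspecified".
function dntPreference(nav, win = {}) {
  const raw = nav.doNotTrack ?? win.doNotTrack ?? nav.msDoNotTrack ?? null;
  if (raw === null) return "unspecified";
  const v = String(raw).toLowerCase();
  if (v === "1" || v === "yes") return "enabled";
  if (v === "0" || v === "no") return "disabled";
  return "unspecified";
}

// Gate tracking on the policy the site actually publishes. CalOPPA only
// requires the disclosure, so `policy.honorsDnt` (a constructed flag that
// mirrors the privacy policy statement) and the code path must agree.
function allowTracking(policy, preference) {
  return policy.honorsDnt ? preference !== "enabled" : true;
}

// Audit extracted link descriptors ({text, href, style}) against the
// placement rule: a link whose text contains "PRIVACY" in capitals and
// whose font size, weight or colour differs from the page's body text.
// `bodyStyle` is the constructed style of the surrounding page text.
function auditPrivacyLink(links, bodyStyle) {
  const findings = [];
  const candidates = links.filter((l) => /\bPRIVACY\b/.test(l.text));
  if (candidates.length === 0) {
    findings.push("no link with the word PRIVACY in capital letters");
    return { compliant: false, findings };
  }
  const standsOut = candidates.some(
    (l) =>
      l.style.fontSize !== bodyStyle.fontSize ||
      l.style.color !== bodyStyle.color ||
      l.style.fontWeight !== bodyStyle.fontWeight,
  );
  if (!standsOut) {
    findings.push("PRIVACY link does not stand out from surrounding text");
  }
  return { compliant: findings.length === 0, findings };
}
```

In a real deployment the link descriptors would be extracted from the rendered DOM (for example with `getComputedStyle`), and `policy.honorsDnt` would be sourced from the same place as the published privacy policy text so the two cannot drift apart.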

If your business meets the threshold of the California Consumer Privacy Act (CCPA), there are additional privacy policy requirements you must implement.

Who Must Comply With CalOPPA?

Any business that is located in California or that serves California residents must comply with CalOPPA.

Online services are transnational by nature, so CalOPPA applies even if your business or servers are not physically located in California or even the U.S.

Unlike the CCPA, there are no minimum revenue or customer volume thresholds — the sole criterion is whether your services are accessible to users in California.

The law has a broad threshold and makes it so even bloggers with potential visitors from California need a privacy policy for their blog.

In addition to websites, CalOPPA applies to apps on smartphones and tablets.

In fact, in 2012, the California Attorney General’s Office sent notices to nearly 100 app owners who weren’t compliant with CalOPPA provisions at the time.

“We have worked hard to ensure that app developers are aware of their legal obligations to respect the privacy of Californians,” said the Attorney General at the time, Kamala D. Harris, who went on to serve as the Vice President of the United States.

She added, “It is critical that we take all necessary steps to enforce California’s privacy laws.”

Who Is Exempt From CalOPPA?

Non-commercial websites that don’t collect PII and websites or other online services unavailable in California are exempt from CalOPPA.

How Can Businesses Comply With CalOPPA?

To comply with CalOPPA, businesses must put a conspicuous link to a privacy policy on all websites, apps, and online services.

The privacy policy must meet the law’s specific formatting and informational requirements.

How Is CalOPPA Enforced?

The California Attorney General’s Office can enforce the provisions outlined in CalOPPA.

Additionally, CalOPPA-related lawsuits may be brought against you by the Federal Trade Commission (FTC) if you don’t meet the privacy policy requirements on your website or app.

When noncompliance is first noted, you have 30 days to rectify the situation.

Remember to include data collected through marketing emails in your privacy policy.

Fines and Penalties Under the California Online Privacy Protection Act

Noncompliance under CalOPPA is addressed through the provisions of California’s Unfair Competition Law.

If you fail to comply within the 30-day grace period, you face a maximum penalty of $2,500 per violation.

You might think these fines seem minor in contrast to privacy laws like the following:

  • General Data Protection Regulation (GDPR fines): €20 million ($22 million) or 4% of your gross annual revenue, whichever is higher
  • Children’s Online Privacy Protection Act (COPPA fines): Up to $40,000

But take note of the “per violation” qualification in CalOPPA — each visit to your website, while noncompliant, may be deemed a violation, meaning that the fines multiply quickly.

CalOPPA and Delta

The most high-profile CalOPPA lawsuit was against Delta Airlines in 2012, when its mobile app failed to meet the visibility requirements regarding the placement of its privacy policy.

Delta Airlines had a CalOPPA-compliant privacy policy on their main website, but their app did not.

The case highlights the importance of ensuring comprehensive privacy policies cover all your platforms, including mobile apps.

Eventually, the lawsuit was dismissed due to the Airline Deregulation Act, which exempts the airline industry from specific government interventions.

However, if this happened to a company operating in almost any other field, the fine could have been as high as $2.5 million with just 1000 app downloads.

CalOPPA and Google

Another indicator of the strong influence of CalOPPA is that Google had to include a link to its privacy policy on the Google Search homepage, which happened for the first time in 2007.

Preempting potential legal action, Google responded to several online discussions about its noncompliance with CalOPPA by linking to its privacy policy on the Google homepage.

How Termly Helps With CalOPPA Compliance

Termly’s Privacy Policy Generator can help your business comply with CalOPPA and several other data privacy laws.

It’s intuitive and effortless to use, removing the hassles and confusion from your privacy compliance journey.

All you do is answer simple questions about your business and its data processing activities.

The generator makes a unique privacy policy based on your answers, which you can embed on your website or mobile app — it’s that easy!

Are There Other Privacy-Related Laws in California?

California has several other privacy-related laws, including the following:

  • California Consumer Privacy Act (CCPA): The first comprehensive consumer privacy protection law in the U.S.
  • California Privacy Rights Act (CPRA): Amends portions of the CCPA.
  • Shine the Light Law (Shine the Light): Outlines requirements for sharing personal data for direct marketing.
  • California Invasion of Privacy Act (CIPA): Protects individuals using landline or mobile telephones.
  • Confidentiality of Medical Information Act (CMIA): Outlines requirements for medical records and information confidentiality.
  • Patient Access to Health Records Act (PAHRA): Describes consumer rights over accessing their health and medical records.
  • California Financial Information Privacy Act (CALFIPA): Restricts and bans selling or sharing financial consumer data without obtaining consent.
  • Privacy Rights for California Minors in the Digital World Act (Eraser Law): Protects the data of known minors in California, allowing them the right to be forgotten.

CalOPPA Checklist

Here is a simple, organized checklist to help your websites and applications become CalOPPA compliant.

Following this checklist will help you create a comprehensive privacy policy that thoroughly explains to site users how you handle their personal information.

Summary

If you own a website or app available to Californians, it’s your responsibility to make a privacy policy that complies with CalOPPA.

Given CalOPPA’s relatively narrow scope, meeting all guidelines is pretty straightforward.

Complying with CalOPPA is also a stepping stone to satisfying much broader requirements outlined by laws like the CCPA, the strict California-based legislation with global implications.

Save yourself from legal penalties now and down the road: start your CalOPPA compliance efforts today using Termly’s Privacy Policy Generator.

Written by Josh Langeland, CIPM

Hi, I’m Josh! I am a Privacy Engineer passionate about using technology to respect user privacy. I thrive at the intersection of complex technology and ever-changing privacy law. If I’m not drafting a design review or re-architecting a system, you might find me reading a biography or hiking at the closest national park.

Reviewed by Masha Komnenic CIPP/E, CIPM, CIPT, FIP, Director of Global Privacy
