With a population of almost 40 million people (US Census), chances are high that some of your website visitors come from the Golden State.
- A Quick Overview of California Data Privacy Laws
- California Consumer Protection Act (CCPA)
- California Privacy Regulation Act (CPRA)
- California Online Privacy Protection Act (CalOPPA)
- California “Shine the Light” Law
- California “Online Eraser” Law
Privacy policies — whether they need to comply with California laws or not — should always be transparent and include the following information:
- What personal data you collect from users
- Where the personal data is collected from
- Why you collect the personal data from your users
- How the personal data is collected (i.e., through cookies or other trackers)
- Who the information is shared with or sold to
- What rights your users have over their data
- Your company’s contact information
Your business may fall under the jurisdictions of any of the laws listed above even if you’re not headquartered in California because they have an extraterritorial reach, meaning they apply to situations extending beyond normal territorial boundaries.
Let’s go over these thresholds in more detail.
Look at the table below to determine what California data privacy laws your company falls under.
| California Data Privacy Law | Who It Applies To | Source |
|---|---|---|
| CCPA | Any for-profit entity that collects consumer data and meets one of the following: | State of California Department of Justice |
| CPRA | Any for-profit organization doing business in California that meets one of the following: | California Legislative Information |
| CalOPPA | Applies to all businesses located in California or any business that serves California residents. | California Legislative Information |
| California “Shine the Light” Law | Applies to any business that shares California consumer information for marketing purposes. | California Legislative Information |
| California “Online Eraser” Law | Applies to any service that targets California minors under the age of 18. | California Legislative Information |
A Quick Overview of California Data Privacy Laws
- The CCPA and the CPRA
- The California “Shine the Light” Law
- The California “Online Eraser” Law
- Know what personal data you collect from them
- Know if their personal data is sold or shared and with whom
- Opt-out of the sale of their personal data (or opt-in if between 13 and 16)
- Request to access or delete their personal data
- Equal service and price, even if they act on their privacy rights
For example, the CPRA expands the threshold of the CCPA to include both selling and sharing personal data — a newly defined term. You must now provide a “Do Not Share My Personal Information” link, which you may combine with your “Do Not Sell” link.
This law also introduces and defines sensitive personal information, meaning:
- ID numbers
- Biometric data
- Ethnic or racial origins
- Precise geolocations
- Contents of consumers’ texts, mail, and email
Under the CPRA, consumers also have the right to tell you to use their sensitive personal information only when necessary, so the law recommends putting a “Limit the Use of My Sensitive Personal Information” link on your website or app, as outlined in Section 1798.135.
But this is just one method the CPRA recommends.
At the business’s discretion, you can also combine this link with the “Do Not Sell or Share” links mentioned above and post it to the homepage of your site. Just ensure that the link leads to a page that makes it easy for consumers to follow through on all three privacy rights.
One of the first data privacy regulations implemented in the US, CalOPPA set the foundation for how you create, phrase, and share privacy policies on websites and apps.
This law originally defined personally identifiable information, a phrase that is now being phased out and replaced by the broader legal term personal information, which accounts for other relevant data categories like sensitive information that PII did not actually cover.
CalOPPA-compliant privacy policies require you to:
- State the effective date
- List the types of personally identifiable information you collect
- Say how users can opt out of data collection
- Explain how users can request to review or delete their information
- Explain how you’ll communicate changes and updates to your policy
- Say whether you will share personal information with any third parties
- Say whether a Do Not Track (DNT) request will be honored or not
California “Shine the Light” Law
In effect since 2003, the California Shine the Light Law applies to brokers and for-profit entities that sell or share consumers’ personal information for marketing purposes.
- Be linked to on your website’s homepage with the anchor text “Your California Privacy Rights”
- Describe Californians’ privacy rights under Shine the Light
- Provide valid contact information
But if your website or app does not engage in this kind of marketing, you do not have to worry about this law.
California “Online Eraser” Law
If your online service targets minors in California under 18, the Eraser Law requires you to give them the right to request to delete any information they’ve uploaded to your website or app.
- A section explaining California minors’ rights
- Details about how they can act on their rights
This information must be posted conspicuously and cannot be buried in dense paragraphs, use small fonts, or include a lot of complicated jargon and legalese.
If you target children under 13 in the US, you must follow the requirements outlined by COPPA, which is a federal law, not just a California state law.
- Email addresses
- First and last names
- Screen names
- Instant message details
- Physical addresses
- Telephone numbers
- Video and audio files
Additional Clauses Needed for the CCPA and the CPRA
- A notice of collection
- An explanation of your California consumers’ rights
Let’s go over each of these in more detail.
Provide a Notice of Collection
Your notice of collection must state:
- What categories of personal data your company collects
- What type of information you collect from users under each category
- The reason or purpose as to why you collect each category of personal data
- The source for where you got their data from
- Whether you share or sell any of the data you collect
Explain California Consumers’ Rights
- Access their data twice a year
- Request to delete their information
- Non-discrimination in price and service if they choose to act on their data privacy rights
In this clause, you must also explain how your users can follow through and act on these rights.
Additional Clauses Needed for CalOPPA
Under CalOPPA, you must specify in a clause what types of personal data you collect, including names, addresses, device data, and more.
You also need to explain if your company honors “do not track” (DNT) requests or not.
DNT is a setting that certain browsers let users enable; once it is on, the browser automatically sends a request to every website the user visits asking that the site not track or collect their browsing data.
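To make the DNT clause truthful, a site has to actually detect the signal and act on it. The following is an added example, not code from the article or from any of the companies it mentions: it normalizes the DNT value as seen either in page scripts (`navigator.doNotTrack` and its older vendor spellings) or in the `DNT` request header, and uses the result to decide which scripts may load. The script list and the `tracking` flag on each entry are constructed for the example.

```javascript
// Added example: interpret the Do Not Track (DNT) signal so a site can honour it
// and state so accurately in its CalOPPA disclosure.
//
// The browser exposes DNT two ways:
//   1. As the request header `DNT: 1` sent with every request (server side).
//   2. As navigator.doNotTrack in page scripts: "1" = opt-out, "0" = opt-in,
//      null/"unspecified" = no preference. Older browsers used other spellings:
//      early Firefox returned "yes"/"no", Internet Explorer used
//      navigator.msDoNotTrack and Safari exposed window.doNotTrack.

// Normalise any DNT value (header or navigator property) to true/false/null.
function parseDntValue(value) {
  if (value === null || value === undefined) return null;
  const v = String(value).trim().toLowerCase();
  if (v === "1" || v === "yes") return true;   // user opted out of tracking
  if (v === "0" || v === "no") return false;   // user explicitly allows tracking
  return null;                                 // "unspecified" or unknown value
}

// Client side: read the signal from a navigator-like object and window-like
// object (both injectable so the function can be exercised outside a browser).
function dntFromBrowser(nav = globalThis.navigator, win = globalThis) {
  const raw = nav?.doNotTrack ?? win?.doNotTrack ?? nav?.msDoNotTrack ?? null;
  return parseDntValue(raw);
}

// Server side: read the signal from an HTTP request header map, matching the
// header name case-insensitively as HTTP requires.
function dntFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "dnt") return parseDntValue(value);
  }
  return null;
}

// Policy: when the user opted out, drop every script flagged as tracking;
// strictly necessary scripts always load. Returns the scripts allowed to run.
function scriptsToLoad(scripts, dntOptOut) {
  return scripts.filter((s) => !(dntOptOut === true && s.tracking));
}

// Constructed sample script inventory for the example.
const SAMPLE_SCRIPTS = [
  { name: "session-manager", tracking: false },
  { name: "analytics", tracking: true },
  { name: "ad-pixel", tracking: true },
];
```

A site that only reads the signal but still loads its analytics when the user opted out should say in its policy that DNT is not honored, which CalOPPA permits as long as the statement is accurate.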
Additional Clauses Needed for California “Shine the Light” Law
The highlighted text below shows an example of this link as it appears on the footer of Target’s website.
But if your website or app does not share California consumer data for marketing purposes, you do not need to worry about the Shine the Light Law or the additional clauses it requires.
Additional Clauses Needed for California “Online Eraser” Law
You must separate this clause, so it’s easy for your users to find; you cannot bury it in other clauses.
But if your website does not target minors, you do not have to worry about this law or the additional clauses it requires.
Additional Clauses Needed for COPPA
If your website does not target minors, then you do not need to worry about COPPA, and you do not need to add this clause to your policy.
Include Your Company Contact Information
Ensure you provide your users with a proper email address, phone number, mailing address, and any other contact details that your consumers may need to request, issue complaints, or ask questions regarding your privacy agreement and practices.
Or, as shown in the screengrab below from Instagram, you can also include a link that leads to proper contact information.
Even fast food chain Chipotle prominently mentions California privacy rights directly in the footer of their website, as shown below.
- Website footer
- Main menu
- Sign-up or new user profile page
- Checkout or payment pages
- Any points where you collect data
You can also link to this agreement within other relevant documents, like your terms and conditions.
Include Links for California Users to Follow Through on Their Rights
Certain California data privacy laws require you to post specific links with distinct phrasing, anchor texts, and visibility, including the Shine the Light Law, the CCPA, the CPRA, and CalOPPA.
Those links include a:
- “Do Not Sell My Personal Information” link (CCPA)
- “Do Not Share My Personal Information” link (CPRA)
- “Limit the Use of My Sensitive Personal Information” link (CPRA)
- “Your California Privacy Rights” link (Shine the Light Law)
If your website or app falls under any of these California laws, ensure you post the correct links with law-abiding anchor texts prominently displayed in the footer and help sections of your site.
Below, we use Chipotle’s website footer as an example again, because they also prominently display a link for California users who want to act on their rights to limit the selling or sharing of their data.
One of the best California-compliant privacy policies to read through for inspiration comes from Disney, who provides both a generic and a California-specific privacy agreement.
In the screenshot below, see how Disney’s link reflects the CPRA’s introduction of the term ‘sharing’.
Disney also does a good job organizing their agreement so it’s easy for users to navigate through, read, and find the answers to any questions they may have about their data privacy rights.
For example, they clearly reference the Shine the Light Law, as shown in the screenshot below.
Now look at the highlighted text below to see how Disney clearly states how parents and individuals can remove content belonging to minors, which is COPPA-compliant.
The screenshot below shows a sample of the table Instagram uses as their notice of collection clause in accordance with the CCPA and CPRA.
You might also consider using a table to organize your notice of collection clause, as it is an easy and straightforward way to communicate all relevant information to your users.
Check out the example clause below, which outlines how Instagram’s users can follow through on their privacy rights and includes two necessary links.
Not only do templates complete some initial writing for you, but ours provides you with all of the most common clauses, including the ones specific to the laws we covered earlier in this article.
Last updated [Date]
This privacy notice for [Company Name] (doing business as [Company Short Name]) ("Company," "we," "us," or "our"), describes how and why we might collect, store, use, and/or share ("process") your information when you use our services ("Services"), such as when you:
- Visit our website at [Website URL], or any website of ours that links to this privacy notice
- [Download and use our application(s), such as our mobile application — [Mobile App Name], our Facebook application — [Facebook App Name], or any other application of
Additional Template Download Options
- DSAR Forms
- “Do Not Sell/Share My Personal Information”
- “Your California Privacy Rights”
- Your website footer
- In your privacy center
- In a pop-up consent banner
- On checkout or payment pages
- In your main menu
- In other legal documents
- On new user sign-up or account creation pages
You can update your existing agreement with the proper clauses and links to abide by the California data privacy laws your business falls under.