A prescient Californian privacy law enforced in 2004 mandates the publishing of privacy policies by websites, online services, and mobile applications.

Official law text: California Online Privacy Protection Act

Enforcement date: July 1, 2004

What is the California Online Privacy Protection Act?

The California Online Privacy Protection Act, commonly known as CalOPPA, is the pioneer of data transparency in the US. The law went into effect in 2004, well before many countries even started acknowledging the importance of privacy and data transparency laws.

The law requires websites, online services, and mobile applications that collect personally identifiable information from Californian residents to post privacy policies conspicuously and to mention whether they honor “do not track” requests from consumers.

CalOPPA is enforced through the Unfair Competition Law of California. The Attorney General of California, district attorneys, and in some cases, city and county attorneys are the enforcement agencies under the act. The penalty for each violation may go up to $2500.

In 2012, the then Attorney General of California, Kamala Harris, issued a notification to expand the applicability of the law to mobile applications. Later, in 2013, CalOPPA was amended to require privacy policies to state whether or not “do not track” requests from consumers are honored.

Who must comply with CalOPPA?

The law applies to the operators of the following entities in a commercial context that collect personally identifiable information from Californian residents:

  • Websites
  • Online services
  • Mobile applications

The law exempts a third party who merely acts on behalf of the website owner. For example, the website might be managed and hosted by a person other than the owner, yet the owner will be held responsible for any violation that may occur.

A person who owns a website/online service/application that collects and handles personally identifiable information from its users who are Californian residents is called an operator.

What is personally identifiable information under CalOPPA?

Any information collected and handled by an operator that can potentially identify a consumer is known as personally identifiable information. It includes but is not limited to:

  • First and last name
  • Email ID
  • Telephone number
  • Social Security number
  • Any information that can be used to contact a specific individual (online or offline)
  • Any information collected and maintained in a personally identifiable manner by the operator along with an identifier mentioned above. This means that information may not itself be capable of identifying an individual, but when kept in combination with the identifier it becomes identifiable.

A person who either looks for or acquires any goods, services, money, or credit by way of a purchase or lease in a personal, family, or household context is considered a consumer under CalOPPA.

Obligations of businesses under CalOPPA

Let’s look at some of the key obligations businesses have under CalOPPA:

Privacy policy

If you are a business that maintains a website or online service, including a mobile application, for commercial purposes, you should provide a privacy policy conspicuously on your website.

Disclosure

Reveal to your users whether their personally identifiable information will be shared with third parties or used for tracking their online activities. Also, disclose whether or not you will honor the consumer’s “do not track” request.

Notifications

Inform your consumers of any changes to the privacy policy promptly, and describe the process of such notification in your privacy policy.

What are the Privacy policy requirements under CalOPPA?

As provided by the law, an ideal privacy policy must be conspicuously posted on the website and should contain the following information:

  • The categories of personally identifiable information collected from its users.
  • The categories of third parties with whom the personally identifiable information might be shared.
  • The method by which users can submit requests (if there are any) to review and make changes to their personally identifiable information.
  • The method used by the operator to notify of any alterations to the privacy policy.
  • The effective date of the privacy policy.
  • How the operator responds to “do not track” signals sent by users to prevent tracking of their online activities to create profiles of them.
  • Whether or not third parties collect a user’s personally identifiable information about their online activities for tracking.

The law also provides an alternative to the requirement regarding the “do not track” response. Operators can publish all the details regarding the response process in another location and then conspicuously provide its link in the privacy policy.

What does “conspicuously post” mean under CalOPPA?

The law requires websites/online services and mobile applications to not only have a privacy policy but to post it conspicuously. A privacy policy is considered to have been conspicuously posted under the act if it is posted through any of the following:

  • Homepage or the first significant web page after entering a website.
  • An icon on the homepage or the first significant page after entering the website, provided it is in a noticeable color that is different from that of its background, contains the word privacy, and is hyperlinked to the webpage containing the privacy policy.
  • A text link on the homepage or the first significant page after entering the website, provided it is hyperlinked to the webpage containing the privacy policy and fulfills any one of the following characteristics:
      • Has the word privacy in it.
      • Provided in capital letters in a size equal to or greater than the words surrounding it.
      • Distinguishable from the surrounding words in terms of their color, font, size, or any signs that grab the attention of the consumers.
  • Functional and noticeable hyperlinks.
  • For online services, any reasonable means by which consumers can access the privacy policy.

What is the penalty for violations under CalOPPA?

The act doesn’t specify enforcement methods; instead, it’s enforced under California’s Unfair Competition Law, which targets illegal business practices. Fines can reach $2500 per violation, enforced by the Attorney General and in some cases, by the county and city attorneys, with the amount depending on the severity and frequency of the offense and the number of users impacted.

Non-compliance doesn’t automatically result in guilt. Fines are imposed only if violations aren’t corrected within 30 days of notification. Violations include failing to comply with the act knowingly, willfully, or through material negligence.

Liability issues arise for not having a clear, easily accessible privacy policy on your website or online service, including mobile apps, or for not detailing responses to “do not track” requests. It’s essential to maintain a transparent privacy policy and adhere strictly to it.

CalOPPA Compliance checklist

  • Conspicuously post a privacy policy on your website or online services including mobile applications
  • The privacy policy must contain all the necessary details as provided by the law
  • Ensure compliance with your privacy policy
  • Ensure that your privacy policy is up to date
  • Provide your privacy policy’s effective date in it
  • Disclose whether you collect personally identifiable information for tracking purposes
  • Disclose whether the personally identifiable information is shared with any third parties
  • Notify users of any changes to your privacy policy promptly.
  • Ensure that the hyperlinks to the privacy policy are not broken.

[Infographic: CCPA vs CalOPPA]

FAQ on CalOPPA

What is the purpose of the California Online Privacy Protection Act?

CalOPPA requires websites and online services, including mobile applications, to post privacy policies conspicuously on their website.

Does California law require a privacy policy?

Yes, CalOPPA obligates commercial websites to provide privacy policies that are compliant with its provisions.

Is there a cure period in CalOPPA?

Yes. There is a 30-day cure period after getting notice from the Attorney General. If you cure the violation within that period, penalties may not be imposed upon the infringer.

Is CalOPPA still in effect?

Yes, CalOPPA is still in effect and all commercial online platforms must abide by the law.

What is the difference between CalOPPA and CCPA?

CalOPPA deals with online privacy policy and came into force in 2004, whereas the CCPA deals with data privacy and was enforced in 2020. Both laws are significant to businesses that handle digital information.