The California Online Privacy Protection Act (CalOPPA) is an internet privacy law that establishes a set of standards for how websites and online services handle users’ personal data.
If your website or online service has California-based users, you may be required to follow CalOPPA. In this guide to CalOPPA, we break the law down into its essential requirements and walk you through the steps needed to comply.
What is CalOPPA?
CalOPPA is a 2003 internet privacy law (in force since July 1, 2004) that requires commercial websites and online services collecting personal information from California users to post a privacy policy. CalOPPA also sets standards for how that policy must be presented, what it must contain, and how the operator must follow it.
Under CalOPPA guidelines, websites must:
- Post a conspicuous privacy policy.
- Disclose what personally identifiable information (PII) is collected and with whom it may be shared, and describe any process the operator offers for users to review and request changes to their PII.
- Follow the rules of their own privacy policy.
Who Does CalOPPA Apply To?
According to the official CalOPPA text, the law applies to any operator of a commercial website or online service that collects personally identifiable information from consumers residing in California.
To see if CalOPPA applies to your website, let’s define a few key terms:
- Operator: A person or an organization that owns a commercial website or online service.
- Commercial website: A website or online service operated for commercial purposes. A third party that merely hosts the site or processes data on the owner’s behalf is not the operator; the owner is.
- Personally identifiable information (PII): Any information that can be used to identify a person.
- California resident: Any person who lives in California.
If you operate a commercial website or online service that collects PII from California residents, you’re required to comply with CalOPPA, even if you’re not located in the US.
What Are The Penalties For CalOPPA Noncompliance?
CalOPPA itself contains no penalty clause; it is enforced through California’s Unfair Competition Law, under which each violation can carry a civil penalty of up to $2,500. Note that an operator is in violation of the posting requirement only if it fails to post a compliant policy within 30 days of being notified of noncompliance, so the first thing to fix after any notice is the policy itself.
While a $2,500 fine may seem small, the penalty is assessed per violation. If each visit by a California user to a non-compliant site is counted as a separate violation, 1,000 visits could in principle expose you to $2.5 million in penalties.
In 2020, the California Attorney General’s office launched an online form that lets users report CalOPPA violations. Given user concern over data privacy and the potential penalties, you should check whether your website and your privacy policy are CalOPPA-compliant as soon as possible.
Your CalOPPA Compliance Checklist
CalOPPA compliance is based on how you present, write and communicate your privacy policy. To comply with CalOPPA, follow this privacy policy checklist.
1. Post a Conspicuous Privacy Policy
Your privacy policy must be easy to locate and readily available for users and non-users of your website.
To ensure that your privacy policy is conspicuous, we recommend that you follow the formatting recommendations published by the California Attorney General’s office, which mirror the statute’s own definition of “conspicuously post.” The AG’s guidance outlines the following two sets of best practices, one for websites and one for applications.
For Websites:
- Use an obvious link on your homepage containing the word “privacy.”
- Make the link stand out by using larger type than the surrounding text, contrasting color, or symbols that call attention to it.
- Put a “privacy” link on every web page where personal information is collected.
- Format the policy so that it can be printed as a separate document.
For Online Services or Applications:
- Link to the policy on your application’s platform page.
- Link to the policy within the application from the application’s configuration page (e.g., “About,” “Information,” or “Settings” pages).
2. Make Your Privacy Policy Accessible
An accessible privacy policy is one that all of your users can easily read and understand, not just lawyers.
To make your privacy policy accessible, we recommend doing the following:
- Use plain, straightforward language.
- Avoid jargon.
- Use shorter sentences.
- Use titles, headers, and bullet points to identify the parts of your privacy policy.
- Offer your privacy policy in different languages.
- Use fonts and/or formatting to make your policy easy to read.
For an example of an accessible privacy policy, consider CD Projekt Red’s privacy policy, which offers a bolded summary of its privacy policy side-by-side with its full text.
3. Include an Effective Date
Under CalOPPA requirements, your privacy policy must include an effective date.
For an example of how an effective date can be integrated into your privacy policy, consider Spotify’s privacy policy, which lists its effective date immediately underneath its title.
4. List the Categories of PII That You Process
A CalOPPA-compliant privacy policy must identify the categories of personally identifiable information (PII) that your website or service collects. CalOPPA defines PII as individually identifiable information collected online from a consumer, including:
- First and last names.
- Physical addresses (including street name and city or town).
- Email addresses.
- Telephone numbers.
- Social security numbers.
- Any other identifier that permits a specific individual to be contacted physically or online (IP addresses are commonly treated as falling into this category).
- Other information collected online and stored in identifiable form together with one of the identifiers above (for example, physical details such as height, weight, or hair color).
For an example of how to best communicate the types of PII you collect, consider the layout used in Reddit’s privacy policy, which uses a tabled format to detail and explain the types of information it collects.
5. State How Changes to Your Privacy Policy Will Be Communicated
A key part of complying with CalOPPA is describing in the policy how you will notify users of material changes to it. Examples of how to do so include (but are not limited to):
- Sending an email to users notifying them of changes to your privacy policy.
- Using a banner/pop-up notice to notify users about your updated privacy policy.
- Using a blog post to detail the latest changes to your privacy policy.
For a good example of how to update your users about changes to your privacy policy, consider the following email/newsletter from Coursera, which notifies users that they are updating their privacy policy.
Notice that the email also links users to a page detailing all of the revisions made to their privacy policy.
6. Explain How PII Will Be Shared With Third Parties
If your website shares PII with any third parties (for example, Google Analytics, Disqus, or Facebook), your policy must identify the categories of third parties with whom that PII may be shared and what information is shared.
For an example of how to fulfill this requirement, consider the privacy policy of the New York Times, which provides a link that lists all of its third party vendors and the actions that they will take with user data.
7. Explain How Your Privacy Policy Will Handle a “Do Not Track” Request
A Do Not Track (DNT) request is a setting inside a web browser (Google Chrome, Internet Explorer, Firefox, Safari, etc.) that lets users tell websites not to track their online activity. When the setting is enabled, the browser adds a `DNT: 1` header to every HTTP request it sends.
Users set DNT at the browser level, and websites choose whether or not to honor the signal. CalOPPA does not require websites to honor DNT requests, but it does require the privacy policy to state how the site responds to DNT signals (or to other mechanisms that let users opt out of tracking), and to disclose whether third parties may collect PII about a user’s activity across different websites over time.
To be CalOPPA-compliant, tell your users how you handle DNT requests, regardless of whether or not you honor them. If you do honor them, make sure the behavior of your site actually matches what the policy says, since following your own policy is itself a CalOPPA requirement.
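The following is an added example, not code from the original article: a small server-side handler that reads the browser’s `DNT` request header and decides whether to load a tracking script, following the W3C Tracking Preference Expression semantics (`DNT: 1` means do not track, `DNT: 0` means the user has consented, absent or malformed means no preference) and answering with the matching `Tk` response header (`N` for not tracking, `T` for tracking). The handler name, the analytics URL, and the sample requests are assumptions for illustration only.

```python
"""Honoring the browser Do Not Track (DNT) signal server-side.

Added example; not code from the original article. Header semantics
follow the W3C Tracking Preference Expression: the browser sends
"DNT: 1" (do not track) or "DNT: 0" (user consents to tracking), and
the server answers with a "Tk" header: "N" = not tracking, "T" = tracking.
"""
from typing import Dict, List, Mapping, Optional, Tuple

# Hypothetical analytics script; stands in for any third-party tracker.
ANALYTICS_SCRIPT = "https://analytics.example/collect.js"


def dnt_preference(headers: Mapping[str, str]) -> Optional[bool]:
    """Parse the DNT request header.

    Returns True if the user asked not to be tracked (DNT: 1), False if the
    user explicitly consented (DNT: 0), and None when no DNT header was
    sent or its value is not one the specification defines.  Header names
    are matched case-insensitively because clients and proxies vary.
    """
    for name, value in headers.items():
        if name.lower() == "dnt":
            value = value.strip()
            if value == "1":
                return True
            if value == "0":
                return False
            return None  # malformed value: treat as "no preference"
    return None


def tracking_allowed(headers: Mapping[str, str], default_track: bool) -> bool:
    """Decide whether this request may be tracked.

    A stated preference always wins; only when the browser sent nothing
    usable does the site's own default apply.  A site whose policy says it
    honors DNT must never return True for a DNT: 1 request.
    """
    pref = dnt_preference(headers)
    if pref is None:
        return default_track
    return not pref


def build_response(headers: Mapping[str, str],
                   default_track: bool = True) -> Tuple[Dict[str, str], List[str]]:
    """Return (response headers, scripts to embed) for one request.

    The Tk header tells the client what the server actually did, which is
    what a privacy policy describing DNT handling should be able to point to.
    """
    allow = tracking_allowed(headers, default_track)
    response_headers = {"Tk": "T" if allow else "N"}
    scripts = ["/static/app.js"]          # first-party code, always served
    if allow:
        scripts.append(ANALYTICS_SCRIPT)  # third-party tracker, only if allowed
    return response_headers, scripts


if __name__ == "__main__":
    # Constructed sample requests, as a browser would send them.
    for req in ({"DNT": "1"}, {"dnt": "0"}, {}, {"DNT": "yes"}):
        hdrs, scripts = build_response(req)
        print(req, "->", hdrs, scripts)
```

A request with `DNT: 1` gets `Tk: N` and no analytics script; `DNT: 0` gets `Tk: T`; a request without the header falls back to the site default, which is where the policy wording (“we treat the absence of a signal as …”) has to match the code.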
8. Explain How Users Can Request, Modify or Delete Their PII
If you offer users a way to review and request changes to the PII you collect from them, your privacy policy must describe that process. CalOPPA does not itself oblige you to provide such a process, but if one exists (for example, a page where users can view, correct, or delete their data), the policy has to explain how to use it.
For an example of how to fulfill this requirement, consider Chargebee’s personal data management page, which includes detailed instructions about how users can modify their personally identifiable information.
For an example of how to implement a CalOPPA-compliant PII management system, consider Chargebee’s personal data dashboard, which allows users to customize the PII that they want Chargebee to collect or delete.
Generate a CalOPPA-Compliant Policy
Now that you’re aware of the requirements for CalOPPA compliance, you can create your own CalOPPA-ready privacy policy by:
- consulting with an attorney.
- using a free privacy policy generator.
- customizing a privacy policy template.
To avoid fines and show your California users you take their privacy seriously, ensure your website’s privacy policy is CalOPPA-compliant today.