The California Online Privacy Protection Act (CalOPPA) is an internet privacy law that establishes a set of standards for how websites and online services handle users’ personal data.
If your website has California-based users, you may be required to follow CalOPPA guidelines. In this guide to CalOPPA, we break down the law into its essential requirements and guide you through the necessary steps you need to take to comply.
What is CalOPPA?
Under CalOPPA guidelines, websites must:
- Explain how users’ personal identifiable information (PII) will be used, and offer options for users to modify or delete their PII.
Who Does CalOPPA Apply To?
According to the official CalOPPA text, the law applies to any operator that collects personally identifiable information from California residents.
To see if CalOPPA applies to your website, let’s define a few key terms:
- Operator: A person or an organization that owns a commercial website or online service.
- Commercial website: A website that generates revenue and is not associated with any accredited non-profit organizations.
- Personally identifiable information (PII): Any information that can be used to identify a person.
- California resident: Any person who lives in California.
If you operate a commercial website or online service that collects PII from California residents, you’re required to comply with CalOPPA, even if you’re not located in the US.
What Are The Penalties For CalOPPA Noncompliance?
If your website is not CalOPPA compliant, you may face a penalty of up to $2,500 per violation.
While a $2,500 fine may seem small, it should be noted that the penalty is on a per violation basis. Because every visit to your website can be interpreted as a violation, your non-compliant website could be facing a $2.5 million fine with just 1000 visits.
Your CalOPPA Compliance Checklist
- Use an obvious link on your homepage containing the word “privacy.”
- Make the link stand out by using larger type than the surrounding text, contrasting color, or symbols that call attention to it.
- Put a “privacy” link on every web page where personal information is collected.
- Format the policy so that it can be printed as a separate document.
For Online Services or Applications:
- Link to the policy on your application’s platform page.
- Link to the policy within the application from the application’s configuration page. (e.g., “About,” “Information,” or “Settings” pages)
- Use plain, straightforward language.
- Avoid jargon.
- Use shorter sentences.
- Use fonts and/or formatting to make your policy easy to read.
3. Include an Effective Date
4. List the Categories of PII That You Process
- First and last names.
- Physical addresses.
- Email addresses.
- Telephone numbers.
- Social security numbers.
- IP addresses.
- Physical details (including but not limited to height, weight, hair color, etc.).
6. Explain How PII Will Be Shared With Third Parties
If your website shares PII with any third parties (such as Google Analytics, Disqus, Facebook, etc.) you need to detail what information will be shared.
A Do Not Track (DNT) request is a function inside a web browser (Google Chrome, Internet Explorer, Firefox, Safari, etc.) that allows users to tell websites not to track their online activity.
To be CalOPPA-compliant, tell your users on how you plan to handle DNT requests, regardless of whether or not you honor a user’s DNT request.
8. Explain How Users Can Request, Modify or Delete Their PII
For an example of how to fulfill this requirement, consider Chargebee’s personal data management page, which includes detailed instructions about how users can modify their personally identifiable information.
Generate a CalOPPA Compliant Policy
- consulting with an attorney.