The United States does not have a federally-enacted privacy law that governs all of the territory like the GDPR does in the EU. Instead, the majority of the privacy laws in the U.S. are created by state governments.
The California Online Privacy Protection Act, or CalOPPA, was enacted in 2004 to protect the private information of California residents.
A note to remember about CalOPPA is even though it is a state law, any website that collects, stores, and handles "personally identifiable information" of a California resident is governed by CalOPPA. The law doesn't only apply to California companies, but any company that collects the data.
- Answer a few questions about your business:
- Enter the country and click on the "Next Step" button:
- 2.1. What Data You Collect, and Why
- 2.2. Accessing and Changing Information
- 2.5. Use of Third Party Services
- 2.6. Cookies
- 2.7. How You Handle Do Not Track Signals
- 3. Summary
- What data you collect
- How users can access and change/update their information
- How notifications will be made when the policy is updated or materially changed
- An effective date of the policy
- Any third parties who will receive personal information from you
- How you handle Do Not Track signals
For example, see how Moz does it:
If your website is a continual-scrolling site without a footer, such as Twitter or YouTube, you can include a link on at the top, or in a sidebar as YouTube does:
Snapchat's page on Google Play provides a link at the bottom of its "Additional Information" section:
In the app itself, a common place to include the link is in a menu, such as a Settings or Legal menu. Here's how Snapchat does this:
What Data You Collect, and Why
You can be more general with describing what you collect, but it is highly recommended that you err on the side of caution and be more specific when detailing the information you collect.
Apple states a list of the different personal information it collects, including email addresses, IP addresses, and credit card information:
You should also state how you will use the personal data you collect, either in this same clause or a following clause.
Here's how Starbucks lists out what it uses its collected information for, including to deliver gift cards, process purchases, respond to customer service inquiries and send special offers:
Accessing and Changing Information
To go along with informing users of the data that you collect, you need to provide ways for users to view and change their information.
Envanto states users can access their information through their accounts:
Most of the time this is done by sending an email to users, like Hulu did here:
Most Privacy Policies post a date at the very beginning, like Wahlburgers does here:
Use of Third Party Services
Disclose whether your website or app partners with third parties. These can be third-party companies that help you optimize your site, tell you where your users are located, or help visitors navigate the app. A prime example is Google Analytics.
You should notify users of what data these third parties will have access to, and how they use it. You don't have to state every third-party you use, but you can if you wish.
Take a look at how the Gap does it:
Here's an example of a fairly standard cookie clause from Envato:
How You Handle Do Not Track Signals
One of the key requirements of CalOPPA is that you must disclose how your app or website handles "Do Not Track" signals.
These signals are notifications a user creates that puts your website on notice of when they do not want their information tracked by your company.
Your clause should state how it responds to these signals and how users can access these preferences. Note that it isn't a requirement that you comply with do not track requests. Just that you disclose whether you do or not.
See how Tripadvisor handles this:
Include the word "Privacy" in the link you provide, most commonly included in a website footer, or relevant menu within a mobile app.
Make sure you include all the standard clauses found in Privacy Policies, as well as the additional information specifically required by CalOPPA. This will keep your users informed, and keep you compliant with the law.