If you are drafting a Privacy Policy for your website or mobile app, make sure to keep in mind CalOPPA, one of the key privacy laws from the state of California. To help you create your CalOPPA Privacy Policy, we'll explain a bit more about what CalOPPA requires, and walk you through the key sections to include in your CalOPPA-compliant Privacy Policy.

The United States does not have a federally-enacted privacy law that governs all of the territory like the GDPR does in the EU. Instead, the majority of the privacy laws in the U.S. are created by state governments.

The California Online Privacy Protection Act, or CalOPPA, was enacted in 2004 to protect the private information of California residents.

A note to remember about CalOPPA: even though it is a state law, any website that collects, stores, and handles "personally identifiable information" of a California resident is governed by CalOPPA. The law doesn't apply only to California companies, but to any company that collects the data.


CalOPPA Privacy Policy Requirements

Having a Privacy Policy is a must to comply with CalOPPA. If your website or mobile app does not have one, you could be in violation of the act.

There are some key clauses that you must include in your Privacy Policy in order to comply with CalOPPA.

These include:

  • What data you collect
  • How users can access and change/update their information
  • How notifications will be made when the policy is updated or materially changed
  • An effective date of the policy
  • Any third parties who will receive personal information from you
  • Your use of cookies
  • How you handle Do Not Track signals

Arguably, the most important requirement under CalOPPA is that your Privacy Policy must be "conspicuous" and include the word "Privacy" in its title. This means that your policy or a link to your policy must be easily accessible and in a location where visitors will find it. You shouldn't hide it in a list of links on a page visitors aren't likely to visit.

Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.

  1. Click on the "Free Privacy Policy Generator" button, located at the top of the website.
  2. Select where your Privacy Policy will be used:

     FreePrivacyPolicy: Privacy Policy Generator - Select platforms where your Privacy Policy will be used - Step 1

  3. Answer a few questions about your business:

     FreePrivacyPolicy: Privacy Policy Generator - Answer a few questions about your business - Step 2

  4. Enter the country and click on the "Next Step" button:

     FreePrivacyPolicy: Privacy Policy Generator - Enter the country - Step 2

  5. Continue building your Privacy Policy by answering the questions from our wizard:

     FreePrivacyPolicy: Privacy Policy Generator - Answer the questions from our wizard - Step 3

  6. Almost done. Enter the email address where you'd like your new Privacy Policy sent, click on the "Generate" button, and you're done.

     FreePrivacyPolicy: Privacy Policy Generator - Enter your email address - Step 4

  That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.

The most common place to include your Privacy Policy link is in the footer of your page. Most consumers know to go to the footer to look for navigational and legal links and will go there first.

For example, see how Moz does it:

Moz website footer with Terms and Privacy link highlighted

If your website is a continual-scrolling site without a footer, such as Twitter or YouTube, you can include a link at the top of the page, or in a sidebar as YouTube does:

YouTube sidebar with Privacy Policy link highlighted

When it comes to your mobile app, you can display a link to your Privacy Policy both on the app's store listing page, as well as within the app itself.

Snapchat's page on Google Play provides a link at the bottom of its "Additional Information" section:

Snapchat Google Play Store listing with Privacy Policy link highlighted

In the app itself, a common place to include the link is in a menu, such as a Settings or Legal menu. Here's how Snapchat does this:

Snapchat mobile app Settings menu with Privacy Policy link highlighted

Another part of making your Privacy Policy "accessible" involves how you write the policy. Keep your language simple and easy to understand so that anyone who reads it won't be confused.

Key Clauses for your CalOPPA Privacy Policy

Here are some of the key clauses you'll need to include in your Privacy Policy.

What Data You Collect, and Why

This requirement isn't CalOPPA-specific, but rather, it should be included in every Privacy Policy. You must disclose what type of information you collect. This can be email addresses, phone numbers, birthdates, etc.

You can be more general when describing what you collect, but it is highly recommended that you err on the side of caution and be more specific when detailing the information you collect.

Apple states a list of the different personal information it collects, including email addresses, IP addresses, and credit card information:

Apple Privacy Policy: Excerpt of Personal Data Apple Collects from You clause

You should also state how you will use the personal data you collect, either in this same clause or a following clause.

Here's how Starbucks lists out what it uses its collected information for, including to deliver gift cards, process purchases, respond to customer service inquiries and send special offers:

Starbucks Privacy Policy: How We Use Your Information clause excerpt

Accessing and Changing Information

To go along with informing users of the data that you collect, you need to provide ways for users to view and change their information.

In your Privacy Policy, state how users can do this. You can include a link in your policy to where they can do it, or include the step-by-step process. Whatever way you choose, it should be simple and understandable.

Envato states that users can access their information through their accounts:

Envato Privacy Policy: How you can access your personal information clause

Your Privacy Policy should also state how users can update or change what data they allow you to collect from them. For example, if someone signs up for emails from you and then later wants to opt out, they need to be able to do this. Include a clause in your policy that clarifies this right to users, and how they can exercise it.

Pizza Hut Privacy Policy: Your Choices and Control Over Your Information clause

Notifications of Changes to the Privacy Policy

You'll need to let users know that at times, you may make material changes to your Privacy Policy. Also let them know how you'll alert them of these changes.

Most of the time this is done by sending an email to users, like Hulu did here:

Hulu email about Privacy Policy updates

Within the Privacy Policy itself is a clause that addresses changes to the policy, and notifying users of material ones:

Hulu Privacy Policy: Changes to this Privacy Policy

Alternatively, you can include a banner or pop-up when a user visits your page notifying them that there have been changes. Like in the email, include a link in the pop-up or banner to the Privacy Policy for users to review.

Privacy Policy's Effective or Last Updated Date

Your Privacy Policy should have a date of when it was last updated, or its "effective date." This not only lets your users know that your policy is current, but also lets the authorities know that you're actively keeping your policy up to date and, hopefully, accurate.

Most Privacy Policies post a date at the very beginning, like Wahlburgers does here:

Wahlburgers Privacy Policy: Effective Date - Last Updated date highlighted

Use of Third Party Services

Disclose whether your website or app partners with third parties. These can be third-party companies that help you optimize your site, tell you where your users are located, or help visitors navigate the app. A prime example is Google Analytics.

You should notify users of what data these third parties will have access to, and how they use it. You don't have to name every third party you use, but you can if you wish.

Take a look at how the Gap does it:

Gap Privacy Policy: Third Party Payment Service clause

Cookies

If you use cookies, disclose this. Even if you have a separate Cookies Policy, you should include at least a short cookies clause in your Privacy Policy as well. You can link to your complete Cookies Policy from the clause, if applicable.

Here's an example of a fairly standard cookie clause from Envato:

Envato Privacy Policy: Cookies clause

How You Handle Do Not Track Signals

One of the key requirements of CalOPPA is that you must disclose how your app or website handles "Do Not Track" signals.

These signals are notifications a user's browser sends that put your website on notice that the user does not want their information tracked by your company.

Your clause should state how your website or app responds to these signals and how users can access these preferences. Note that it isn't a requirement that you comply with Do Not Track requests, only that you disclose whether you do or not.

See how Tripadvisor handles this:

Tripadvisor Privacy and Cookie Statement: Do Not Track Signals clause

Summary

If you fall under the scope of CalOPPA, your Privacy Policy will need to be compliant with the act. Make it compliant by posting it conspicuously on your website and within your mobile app.

Include the word "Privacy" in the link you provide, most commonly included in a website footer, or relevant menu within a mobile app.

Make sure you include all the standard clauses found in Privacy Policies, as well as the additional information specifically required by CalOPPA. This will keep your users informed, and keep you compliant with the law.