If you're a business owner with a website that collects or uses personal information from users, you need to be aware of US state and federal privacy laws that may apply to you.
One such law is the California Online Privacy Protection Act (CalOPPA).
This article will discuss exactly what CalOPPA is, who it applies to and how you, as the business owner, can comply with it.
Unlike other countries such as Europe and Australia, the US privacy laws regarding personal information and data used on websites are surprisingly lenient. The main regulation for data privacy is a California law known as the California Online Privacy Protection Act (CalOPPA).
CalOPPA was brought into effect in 2004 and was considered a landmark for online privacy protection efforts.
It is a set of rules surrounding the Privacy Policies used by online websites and organizations. It aims to remove any ambiguity around online data privacy and the rights of the individual consumer. CalOPPA does this by requiring transparency in Privacy Policies, making them clear and easy for anyone to understand.
Who Does CalOPPA Apply to?
Don't be deceived by its name - CalOPPA reaches far beyond the state of California. It applies to any website or online service that collects personal information from users who live in the state of California.
- Answer a few questions about your business:
- Enter the country and click on the "Next Step" button:
So, even if you're not based in the state of California - or even in the US at all - CalOPPA will likely apply to you.
Under CalOPPA, the definition of personal information includes things like:
- Full names
- Birth dates/places
- Email addresses
- Billing and shipping addresses
- Phone and mobile numbers
- Social security numbers
- Credit card details (or other payment methods)
- Biometric data (for fingerprint/facial recognition software)
- IP addresses
- Vehicle information (like driver's license numbers or plate numbers)
Essentially, personal information can be anything that might identify an individual.
Why CalOPPA and Privacy Laws are Needed
To better protect consumers, regulations like CalOPPA exist to ensure proper procedures and protections when it comes to collecting and managing personal consumer information.
Privacy laws also serve to educate the public on privacy rights and security implications.
Consumers face a number of risks when their personal data is compromised or misused. These risks can occur from simple neglect, such as when old company computers or hard drives are thrown out, or when improper internal procedures expose sensitive data. Some risks are more serious, such as from malicious attacks to online systems or identity theft.
Privacy Policies can assist consumers in safeguarding their data by giving them better ability to make informed decisions about the organizations they share their personal information with.
Privacy Policies can be found in many different places, both online and offline. However, since the rapid rise of the digital economy, it has become more important than ever to protect consumers from an invasion of privacy and improper use of their personal information, and laws are reflecting this.
There are several requirements of CalOPPA that businesses must abide by to be compliant.
Again, these requirements apply to any business based anywhere in the world that collects or uses personal information from California residents.
There are a few additional requirements for how you display this link.
For a website:
- Display it in an obvious spot and use the word privacy in the link.
- The link must contrast enough with the rest of the website to make sure it doesn't get lost. Use font size, color and design methods to accomplish this.
For a mobile application:
- Provide a link to the policy on your application's distribution page in app stores (so users can read the policy before they download the application).
- Provide a link to the policy within the application itself (such as from the main menu, under About, Help or Account Settings).
If your customers can actually understand how you intend to protect their information, you'll be able to develop trust between them and your business.
- What type of personal information is being collected (like names, contact details, shipping addresses, credit card information, email addresses and so on).
- What you plan to do with the information (for example, whether you intend on sending it to an affiliate or adding it to any marketing campaigns).
- How you store the information, such as through an internal database, external hard-drive or cloud-based service.
- An easy way users can change this information.
- Any third-party services that user information might be shared with, and the reason for this (such as marketing or accounting companies and payment processors). It can also be handy to provide links to those third parties' Privacy Policies.
- Your accountability procedures, including who your customers can contact if they have any concerns or questions regarding your policy.
- How you plan on responding to any Do Not Track requests from users.
Do Not Track (DNT) Requests
In 2014, ten years after CalOPPA went into effect, a new requirement was added to it. This requirement is known as the Do Not Track (or DNT) clause. Its aim is to give users a choice as to whether they want to allow their online movements and activities to be tracked.
Once this clause was implemented, it meant all website owners were required to add it to their Privacy Policies to notify users of how they intend to handle DNT requests.
Note that there are no legal requirements for how a website operator responds to these requests. This means that while you might receive a DNT request from a user's browser, you do not actually have to comply with it.
You simply need to disclose whether your website does or does not respond to DNT requests.
As the business owner, you have several options regarding the way you handle DNT requests.
- You can simply ignore them.
- You can disable targeted advertising, choosing instead to display more common advertisements that don't relate to the individual user.
- You can disable tracking for other websites but continue tracking users on your own site, or you can disable all tracking completely.
You must let users know how you plan on responding (or not responding) to those DNT signals, and you must also disclose whether your website uses any third-party services that track your users.
CalOPPA's provisions are enforced by California's Unfair Competition Law (UCL). The purpose of the UCL is to prohibit fraudulent, unlawful or unfair business activities.
Since CalOPPA is regulated under the UCL, failing to stick to the regulations set by CalOPPA can be potentially severe. As mentioned in Chapter 22, Internet Privacy Requirements of the 2005 California Business and Professions Code Section 22575-22579:
"Any person who engages, has engaged, or proposes to engage in unfair competition shall be liable for a civil penalty not to exceed two thousand five hundred ($2,500) for each violation."
If you are notified of non-compliance with CalOPPA, you have up to 30 days to amend your policy and website (or mobile app) to meet the specified criteria.
Examples of CalOPPA-Compliant Privacy Policies
Facebook's Privacy Page contains drop-down links to the various topics covered in the policy. This is a great example of user-friendly readability, as it helps users navigate the information easier and find specific details.
This is an effective way to ensure just about anyone can read and understand the policy.
Any website/app that collects personal information from users in the state of California must comply with CalOPPA.
It doesn't matter where your business is located - if you reach users in California, CalOPPA applies to you.
Stay compliant with CalOPPA by:
- Including all of the required information in your Policy, including a Do Not Track clause.
- Making your Policy easily accessible and conspicuous to your users.