The Business Owner's Guide to CalOPPA

Written by Elizabeth Lord (FreePrivacyPolicy Legal writer) and last updated on 01 July 2022.

The Business Owner's Guide to CalOPPA

If you're a business owner with a website that collects or uses personal information from users, you need to be aware of US state and federal privacy laws that may apply to you.

One such law is the California Online Privacy Protection Act (CalOPPA).

This article will discuss exactly what CalOPPA is, who it applies to and how you, as the business owner, can comply with it.

We'll discuss the importance of having a Privacy Policy that complies with CalOPPA, and we'll walk you through the various requirements you'll need to follow in order to do so.

Unlike other countries such as Europe and Australia, the US privacy laws regarding personal information and data used on websites are surprisingly lenient. The main regulation for data privacy is a California law known as the California Online Privacy Protection Act (CalOPPA).

CalOPPA was brought into effect in 2004 and was considered a landmark for online privacy protection efforts.

It is a set of rules surrounding the Privacy Policies used by online websites and organizations. It aims to remove any ambiguity around online data privacy and the rights of the individual consumer. CalOPPA does this by requiring transparency in Privacy Policies, making them clear and easy for anyone to understand.

Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.

  1. Click on the "Free Privacy Policy Generator" button, located at the top of the website.
  2. Select where your Privacy Policy will be used:
  3. FreePrivacyPolicy: Privacy Policy Generator - Select platforms where your Privacy Policy will be used - Step 1

  4. Answer a few questions about your business:
  5. FreePrivacyPolicy: Privacy Policy Generator - Answer a few questions about your business - Step 2

  6. Enter the country and click on the "Next Step" button:
  7. FreePrivacyPolicy: Privacy Policy Generator - Enter the country - Step 2

  8. Continue with building your Privacy Policy while answering on questions from our wizard:
  9. FreePrivacyPolicy: Privacy Policy Generator -  Answer on questions from our wizard - Step 3

  10. Almost done. Now enter your email address where you'd like your new Privacy Policy sent and click on the "Generate" button and you're done.

    FreePrivacyPolicy: Privacy Policy Generator - Enter your email address - Step 4

    That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.



Who Does CalOPPA Apply to?

Who Does CalOPPA Apply to?

Don't be deceived by its name - CalOPPA reaches far beyond the state of California. It applies to any website or online service that collects personal information from users who live in the state of California.

So, even if you're not based in the state of California - or even in the US at all - CalOPPA will likely apply to you.

It's also important to note that CalOPPA applies to operators and developers of mobile apps, Facebook apps, and Software-as-a-Service (SaaS) apps that are used by residents of California.

Under CalOPPA, the definition of personal information includes things like:

  • Full names
  • Birth dates/places
  • Email addresses
  • Billing and shipping addresses
  • Phone and mobile numbers
  • Social security numbers
  • Credit card details (or other payment methods)
  • Biometric data (for fingerprint/facial recognition software)
  • IP addresses
  • Vehicle information (like driver's license numbers or plate numbers)

Essentially, personal information can be anything that might identify an individual.

Why CalOPPA and Privacy Laws are Needed

Why CalOPPA and Privacy Laws are Needed

To better protect consumers, regulations like CalOPPA exist to ensure proper procedures and protections when it comes to collecting and managing personal consumer information.

Privacy laws also serve to educate the public on privacy rights and security implications.

Consumers face a number of risks when their personal data is compromised or misused. These risks can occur from simple neglect, such as when old company computers or hard drives are thrown out, or when improper internal procedures expose sensitive data. Some risks are more serious, such as from malicious attacks to online systems or identity theft.

By having a solid Privacy Policy on your website, you're ensuring you are compliant with the various laws relating to Privacy Policies and the collection and use of personal information, including the robust GDPR out of the EU.

In simple terms, a Privacy Policy is a legal agreement that discloses how personal information is handled by a business. It should include details about what information is collected, why it's collected, how it's used, how it's stored, who it's shared with, and how a user might be able to edit or remove that information.

Privacy Policies can assist consumers in safeguarding their data by giving them better ability to make informed decisions about the organizations they share their personal information with.

Privacy Policies can be found in many different places, both online and offline. However, since the rapid rise of the digital economy, it has become more important than ever to protect consumers from an invasion of privacy and improper use of their personal information, and laws are reflecting this.

CalOPPA Requirements

CalOPPA Requirements

There are several requirements of CalOPPA that businesses must abide by to be compliant.

Again, these requirements apply to any business based anywhere in the world that collects or uses personal information from California residents.

Have an Accessible Privacy Policy

The main requirement of CalOPPA is that you have a Privacy Policy on your website (or mobile app). You also must provide a clear link to your Privacy Policy on your website to make it accessible. Generally, this link is placed in the footer.

Wide Open Road Coffee website footer showing links

There are a few additional requirements for how you display this link.

For a website:

  • Display it in an obvious spot and use the word privacy in the link.
  • The link must contrast enough with the rest of the website to make sure it doesn't get lost. Use font size, color and design methods to accomplish this.

For a mobile application:

  • Provide a link to the policy on your application's distribution page in app stores (so users can read the policy before they download the application).
  • Provide a link to the policy within the application itself (such as from the main menu, under About, Help or Account Settings).

Here's an example of how the Privacy Policy link is included in the Dropbox Android app settings menu under Legal and Privacy:

Dropbox Android app menu for Legal and Privacy links

And here's an example of a link to Skype's Privacy Policy found on the app's Google Play Store page:

Skype app on Google Play Store: Developer info with Privacy Policy link

Readability

Write your Privacy Policy with ease of readability as a goal. Too often, Privacy Policies are filled with such technical language that it can be difficult or impossible for the reader to understand. CalOPPA requires plain and simple language the average site visitor can understand.

If your customers can actually understand how you intend to protect their information, you'll be able to develop trust between them and your business.

Here's an example of Privacy Policy readability recommendations given by the Attorney General of the California Department of Justice (see page 10 of the linked PDF):

CA Attorney General CalOPPA Recommendations for Readability of a Privacy Policy

Once you have established a user-friendly tone for your Privacy Policy, you need to focus on the content.

Important Clauses

When it comes to CalOPPA compliance, there are several important things you must include in your Privacy Policy.

These are:

  • The date your Privacy Policy came into effect.
  • What type of personal information is being collected (like names, contact details, shipping addresses, credit card information, email addresses and so on).
  • What you plan to do with the information (for example, whether you intend on sending it to an affiliate or adding it to any marketing campaigns).
  • How you store the information, such as through an internal database, external hard-drive or cloud-based service.
  • An easy way users can change this information.
  • Any third-party services that user information might be shared with, and the reason for this (such as marketing or accounting companies and payment processors). It can also be handy to provide links to those third parties' Privacy Policies.
  • How you intend to inform users about any changes to your Privacy Policy.
  • Your accountability procedures, including who your customers can contact if they have any concerns or questions regarding your policy.
  • How you plan on responding to any Do Not Track requests from users.

Do Not Track (DNT) Requests

In 2014, ten years after CalOPPA went into effect, a new requirement was added to it. This requirement is known as the Do Not Track (or DNT) clause. Its aim is to give users a choice as to whether they want to allow their online movements and activities to be tracked.

Once this clause was implemented, it meant all website owners were required to add it to their Privacy Policies to notify users of how they intend to handle DNT requests.

Note that there are no legal requirements for how a website operator responds to these requests. This means that while you might receive a DNT request from a user's browser, you do not actually have to comply with it.

You simply need to disclose whether your website does or does not respond to DNT requests.

As the business owner, you have several options regarding the way you handle DNT requests.

  • You can simply ignore them.
  • You can disable targeted advertising, choosing instead to display more common advertisements that don't relate to the individual user.
  • You can disable tracking for other websites but continue tracking users on your own site, or you can disable all tracking completely.

Though you don't have to respond to DNT requests, your DNT policy must be spelled out in your company's Privacy Policy.

You must let users know how you plan on responding (or not responding) to those DNT signals, and you must also disclose whether your website uses any third-party services that track your users.

Here's an example of a Do Not Track clause that Apple includes in its California Privacy Disclosures section of its Privacy Policy:

Apple Privacy Policy: Do Not Track clause

CalOPPA Penalties

CalOPPA's provisions are enforced by California's Unfair Competition Law (UCL). The purpose of the UCL is to prohibit fraudulent, unlawful or unfair business activities.

Since CalOPPA is regulated under the UCL, failing to stick to the regulations set by CalOPPA can be potentially severe. As mentioned in Chapter 22, Internet Privacy Requirements of the 2005 California Business and Professions Code Section 22575-22579:

"Any person who engages, has engaged, or proposes to engage in unfair competition shall be liable for a civil penalty not to exceed two thousand five hundred ($2,500) for each violation."

While this might not seem like much, each time a user visits a website without a compliant Privacy Policy is considered a violation. So, depending on your website traffic, you could find yourself handing over quite a large sum of money in fines or civil judgments if your Privacy Policy is not compliant with CalOPPA.

If you are notified of non-compliance with CalOPPA, you have up to 30 days to amend your policy and website (or mobile app) to meet the specified criteria.

Examples of CalOPPA-Compliant Privacy Policies

Apple's Privacy Policy contains the most recent effective date of the policy, a brief overview of what it covers, a link to a settings page for users to adjust how their information is used, a link to their contact page to promote accountability, and a separate section dedicated to the California Privacy Disclosure.

Apple Privacy Policy: Intro clause showing date, link to settings, link to contact and CalOPPA disclosure

Facebook's Privacy Page contains drop-down links to the various topics covered in the policy. This is a great example of user-friendly readability, as it helps users navigate the information easier and find specific details.

Facebook Data Policy: Homepage with main menu

LinkedIn's Privacy Policy is another excellent example of an easy to read policy. It contains detailed paragraphs relating to important aspects of user data on the left, and succinct summary statements on the right.

This is an effective way to ensure just about anyone can read and understand the policy.

LinkedIn Privacy Policy: Other Important Information clause excerpt

Any website/app that collects personal information from users in the state of California must comply with CalOPPA.

Remember

It doesn't matter where your business is located - if you reach users in California, CalOPPA applies to you.

Stay compliant with CalOPPA by:

  • Creating a Privacy Policy that's easy to read and understand. Forget the legal jargon.
  • Including all of the required information in your Policy, including a Do Not Track clause.
  • Making your Policy easily accessible and conspicuous to your users.