California has some of the most robust privacy legislation in the world. Even though the CCPA may not apply to you, if you own a website or are planning to launch one, it’s important to understand the California Online Privacy Protection Act (CalOPPA).
In this guide, we explain what CalOPPA is, its purpose, who needs to comply, and how to do it!
CalOPPA stands for the California Online Privacy Protection Act.
In effect since July 1, 2004, CalOPPA is designed to help protect the personal information of California residents and ensure that they are informed about how their information is being used by websites and online services. In 2013, the law was amended to also regulate the tracking of users.
If your website collects personal information from California residents, CalOPPA requires you to post a privacy policy on your website and make it easily accessible to website visitors. The privacy policy should outline how the information is being collected, used, and shared.
Personal information can include anything that can be used to identify an individual, such as:
In addition, personal information can include information that is linked or associated with an individual, such as their browsing history, purchase history, or location data. It’s important to note that even if a piece of information cannot identify an individual on its own, it can still be considered personal information if it is linked to other information that can identify a person.
This means that if your website collects any personal information from California residents, even through a contact form or newsletter subscription, you are required to comply with CalOPPA.
The California Online Privacy Protection Act was the first US state law to make privacy policies mandatory!
The main purpose of CalOPPA is to protect the privacy of California residents who use online services and websites by ensuring that websites and online services provide transparent and clear information about their data collection practices, particularly concerning personal information.
The main difference between the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA) is the scope of the laws.
The CCPA is a comprehensive privacy law that regulates the collection, use, sale, and sharing of personal information of California residents by businesses. Under the CCPA, the definition of businesses refers to organizations that meet one of the following thresholds:
Moreover, the CCPA grants consumers more comprehensive rights over their personal data, such as the ability to access and delete their information and to opt out of its sale and sharing.
On the other hand, CalOPPA primarily focuses on transparency, and it applies to any business that operates a commercial website or online service that collects personal information from California residents. There is no particular threshold for CalOPPA: you just need to collect personal information from your users. As a result, it has a much broader scope.
| Aspect | CalOPPA | CCPA |
|---|---|---|
| Scope | Websites and online services | Large for-profit businesses |
| Purpose | Transparency in privacy policies | Consumer rights and control over data |
| Requirements | Privacy policy disclosure | Access, delete, and opt-out rights |
| Applicability | Broad (any website collecting CA data) | Threshold-based (large data handlers) |
CalOPPA applies to any organization, regardless of location, that operates a website, online service, or mobile app and collects personal information from California residents.
The California Online Privacy Protection Act may apply to you if you target California residents, even if you’re not based in California.
Now let’s take a look at the requirements and what you need to do to comply in practice.
Having a clear and accessible privacy policy is the first and most important requirement of CalOPPA.
To comply with CalOPPA, your privacy policy should include at least the following:
This policy must be easily accessible to your website visitors, such as through a link in your website’s footer.
A “Do Not Track” request (DNT) is a request that users send to websites through their browsers to ask them to stop tracking their online activity, for example via cookies. When this feature is activated through the browser’s settings, every website visited receives a Do Not Track request.
However, most websites don’t support Do Not Track requests, so even though the Do Not Track request is sent, it has no effect.
Under CalOPPA, it’s not mandatory to honor “Do Not Track” requests, but it is mandatory to disclose whether you honor them or not. If you do, then you should also explain the process.
Failure to comply with the California Online Privacy Protection Act can result in fines and legal action. The California Attorney General’s office can enforce CalOPPA and seek penalties of up to $2,500 per violation.
If you’re looking for an easy way to create your privacy policy for CalOPPA, then iubenda may be the solution for you.
Our Privacy and Cookie Policy Generator helps you create a customized privacy policy that you can easily add to your website, by simply copying and pasting our code.
If you don’t know where to start, our Generator comes with a handy Site Scanner that suggests the best configuration for your policy.