What are the privacy laws in California? What’s the difference between CPRA (CCPA amendment) and CalOPPA? How does the CPRA (CCPA amendment) affect your business?
In this post, we take a look at the main requirements of California privacy laws, and we explain what you may need to do to comply.
California is the US state with the most comprehensive legislation on data privacy. As of today, there are three main laws regulating data collection and the processing of users’ personal information.
Let’s have a more in-depth look at each one of them.
The California Consumer Privacy Act (CCPA) is the most robust US law on data privacy, and it is often referred to as the “California GDPR”.
The CCPA was signed into law in 2018, became effective on January 1st, 2020, and became fully enforceable from July 1st, 2020.
The law aims at giving users more control over the data that businesses collect about them by granting consumers additional rights.
Does the CCPA apply to you?
It’s worth mentioning that by “business”, the CCPA means any for-profit organization that targets California residents (even if the business is not actually located in California), processes the data of California residents for its own purposes, and meets at least one of the following requirements:
*Note that since IP addresses fall under what is considered personal data, it’s likely that any website with at least 50k unique visits per year from California falls within the scope of the last point.
💡 While not every business that collects Californian consumer data is subject to the CCPA, such businesses are still subject to specific requirements under CalOPPA. More about this in the next paragraph.
As we said above, the CPRA (CCPA amendment) may not apply to you if you don’t fall under its definition of a business, but you will most likely still need to comply with the California Online Privacy Protection Act (CalOPPA).
CalOPPA came into force in 2004 and was the first US state law to make privacy policies mandatory. It was then amended in 2013 to regulate the tracking of users.
Unlike the CPRA (CCPA amendment), CalOPPA has a broader scope: it applies to any person or entity that owns or operates a commercial website or online service that collects and maintains personally identifiable information from California-based consumers.
In order to comply with CalOPPA, you should:
The Children’s Online Privacy Protection Act (COPPA) was enacted by Congress in 1998 and requires the Federal Trade Commission to issue and enforce regulations concerning children’s online privacy. The amended Rule became effective on July 1st, 2013.
The primary goal of COPPA is to protect children’s privacy online: COPPA puts parents in control over what information from their children is collected and processed by websites and online services.
COPPA applies to you if your commercial website or online service (the definition includes mobile apps):
For a more in-depth guide about COPPA, you can follow this link.
As with the European GDPR, California privacy laws may also apply outside the state borders.
These laws aim at protecting California users, so they can apply to every entity, in or outside California, doing business with California-based users.
This article is part of our series on CCPA compliance.
Now that you know which laws apply to you, let’s go over what you may need to do to comply.
The first thing you need is a valid and clear privacy policy, with all the relevant disclosures on how you collect and process users’ personal information. It should be easily accessible from the homepage of your website / app, describe the process by which users can request changes to their personal data, and give your contact information for CPRA (CCPA amendment) requests.
If CalOPPA also applies to you, add a statement on how you handle “Do Not Track” requests.
Then, it’s important that you show a “Do Not Sell My Personal Information” (“DNSMPI”) notice, so that users can opt out.
Remember, you don’t always need to ask users to opt in, but it may be mandatory if children are involved, or if you’re collecting and processing sensitive information.
Learn more about CPRA (CCPA amendment), CalOPPA and COPPA requirements.
We have designed a set of tools that can help you comply with CPRA (CCPA amendment), CalOPPA and COPPA all at once.
Our Privacy and Cookie Policy Generator allows you to choose from over 1,700 pre-existing clauses. For example, if COPPA applies to you, just choose “The Service is directed to children under the age of 13”.
iubenda makes it easy for you to meet enhanced requirements by:
With our Privacy Controls and Cookie Solution, you can display a “Do Not Sell My Personal Information” notice and manage opt-outs.
More specifically, you can:
Then, you may need to keep track of your users’ requests.
Our Consent Database hooks onto your web forms to let you automatically pass on consumer preference details, such as opt-outs. As the CPRA (CCPA amendment) mandates that opted-out users may not be contacted for a minimum of 12 months after the request, it’s prudent to keep records of opt-out details.