If you have ever shared a bathroom with your siblings, you know that privacy is important. A sign on your bathroom door telling everyone else that you are not to be disturbed can go a long way. The same fact goes for websites and applications – you are required to inform your visitors of their privacy rights. While there is no overarching federal law that protects the privacy of internet users in the United States, the state of California does have a law that you must follow, the California Online Privacy Protection Act of 2003 (“CalOPPA”). This law governs California residents that access a website, regardless of where the website is based. Therefore, whether your business is in Illinois or Texas, CalOPPA still applies to you.

CalOPPA contains provisions for hefty fines in the cases of non-compliance.

In this case, claims may be brought under the “unfair competition” provisions of the statute, leading to a possible fine of up $2,500.00 for each time a user accessed the website or application that does not contain a Privacy Policy. Thus, having a Privacy Policy will help you comply with CalOPPA and will thus help you save money in the long term.

According to CalOPPA, your Privacy Policy must discuss the following:

  1. What personal information you gather;
  2. Who you share the personal information with;
  3. A description of any third parties that may collect personal information;
  4. A description of the process, if any, by which a customer can review and request changes to his or her personal information;
  5. The process of how you notify users of any material changes to the Privacy Policy;
  6. The effective date of the Privacy Policy; and
  7. How your website responds to Do Not Track signals.

CalOPPA does not cover all information that you collect but instead focuses on personally identifiable information. This information includes the following:

First and last name;
Home or other physical address;
Email address;
Phone number;
Social security number;
Any other identifier that permits physical or online contacting of that individual; and
Information about an individual collected online and maintained in personally identifiable form in combination with any of the above categories.

The second part of CalOPPA is where and how you place your Privacy Policy onto your website. According to the law, your Privacy Policy should:

  1. Be posted on a web page that is the homepage or other first significant page that a user would visit after entering the website or application;
  2. Contain an icon that hyperlinks to a web page on which the actual Privacy Policy is posted. The icon must contain the word “privacy”. The icon must also be a color that contrasts with the background color of the web page or is otherwise distinguishable; OR
  3. Be a text link that hyperlinks to a Web Page on which the actual Privacy Policy is posted and includes the word “privacy”, is written in capital letters equal to or greater in size than the surrounding text. The text link must also be written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language;
  4. Be any other functional hyperlink that is so displayed that a reasonable person would notice it.

The above rules show how to display your Privacy Policy in a way that is easily seen and distinguished by your users so that they can easily find your Privacy Policy. Another important distinction in the display of the Privacy Policy is clickwrap and browsewrap display. Clickwrap display is where the user must click a box to agree to the policy. Browsewrap display is where the policy is contained somewhere on the website and you do not need to show express consent or do anything to agree to that policy. In general, since clickwrap agreements require express consent, they are more likely to be enforced by a court. However, there is no hard and fast rule as to what will be enforced.

Protect yo self,
Team Termageddon