The California Online Privacy Protection Act (“CalOPPA”) was the first state privacy law in the nation to require a web business to post a Privacy Policy. The purpose of the law is to strengthen the right to privacy that is in the California Constitution.
CalOPPA requires online businesses that collect the personally identifiable information (PII) of California residents to provide an explanation of how it collects and shares the personally identifiable information of California residents in its Privacy Policy. To write an effective policy, a business must be aware of the types of personal data that CalOPPA protects. In this guide, we will help you understand what personal information CalOPPA covers and help you answer the following:
- What is the CalOPPA definition of personal information?
- What does CalOPPA require to protect a consumer’s information?
- How to use CalOPPA to protect the personal information of your customers.
Table of Contents
What is the CalOPPA definition of personal information?
California passed CalOPPA to protect the personal information of consumers that reside in California. The focus of CalOPPA is requiring a business to provide transparency to California residents about the use of their personal data.
Operators often collect personal information when communicating with a customer
CalOPPA applies to the collection of “personally identifiable information” (PII) through the Internet that a website collects about an individual consumer. The law concerns identifiable information about a California consumer that an operator collects online from an individual and maintains in an accessible form. The CalOPPA statute defines PII as including any of the following:
- A first and last name
- A home or other physical address, including street name and name of a city or town
- An e-mail address
- A telephone number
- A social security number
PII also includes an individual’s online user information that is in a personally identifiable form when combined with another identifier listed in CalOPPA. In addition, PII includes “any other identifier” that permits someone to contact a specific individual in person or online. Examples of other identifiers often used by operators include:
- User preferences
- Security answers
- Online activity
- Shopping cart data
- Data submitted in forms
Other identifiers also include personal details that consumers provide to websites and mobile apps when they set up an account. This type of information can be used with the identifiers listed in the statute to identify an individual. Examples of personal details include:
- Bank account numbers
- Credit card numbers
- Education history
- Family information
- Social media accounts
An operator needs to be aware of the personal information that it collects. A web business should establish internal controls for how personal information is collected, used, and stored.
Operators should review automated processes that collect data
One of the most significant ways that individuals leak private data is through their web browser. The browser communicates with the website and sends various information about the user.
Many online services collect data using an automated process to increase a website’s functionality. Under CalOPPA, PII includes information that is collected passively through various methods, such as a web browser. Websites use the information gathered from a user’s browser to track information. For example, a website may record the IP address of a visitor for security purposes. The website may also track what type of browser, device, and operating system the visitor is using. Other types of automatically collected data include:
- Cookies
- Web beacons
- Geolocation data
When surfing the web, many websites send a “cookie” to a user’s browser. A cookie is a small file that saves a user’s settings to offer the user a more efficient experience when returning to the site. A cookie is a type of note-taker that logs a user’s activity on the website. Users will normally encounter two types of cookies, which are:
- Session cookies – stores information temporarily and disappears when the browser is closed
- Persistent cookies – stores information for long periods of time and remains when the browser is closed
An example of a persistent cookie is a shopping cart. When a user visits a shopping site, the cookie keeps track of the items added to a shopping cart that the user may want to purchase when returning to the website.
A web beacon is a graphic that is usually no larger than 1 pixel x 1 pixel. They are also called pixel tags, clear GIFs, or web bugs. Web beacons are a part of a website and work together with cookies. They are mostly used for general statistics and are not normally used to access personally identifiable information.
Geolocation data tracks where a website visitor or app user is located. This type of data refers to the geographical location of an Internet-connected device using latitudinal and longitudinal information.
Some users do not want to be tracked with information communicated from their browsers to online service providers. Under CalOPPA. A website’s Privacy Policy must disclose how a website responds to Do Not Track signals.
CalOPPA requires an operator to disclose to consumers in its Privacy Policy what types of information third parties collect through their website or mobile app. An advertiser’s site may use cookies to store the user’s private browsing information. An example is when a website is displaying ads to make advertising income by integrating a third-party service such as Google AdSense. A user may click on an ad and end up with cookies from a connected site.
Information compiled by third-party cookies can be in-depth, and an operator cannot control the actions of a third party. This is why a Privacy Policy must disclose to a user what types of third-party services are active on an online service. A Privacy Policy gives the user a choice to continue using the online service and interact with third parties.
What does CalOPPA require to protect a consumer’s information?
CalOPPA defines a “consumer” as a California resident who uses or visits a commercial website or online service. The law considers a consumer as “any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes.” In the statute, a consumer also includes anyone in California that uses a mobile application.
Operators should provide transparency and choice to consumers
The core idea of CalOPPA is to provide transparency to California residents about data collection practices. The law sets standards for data collection practices so that consumers have an opportunity to choose if they want their personal data shared with others.
On a regular basis, companies capture, analyze, and share the PII of consumers for marketing purposes. Some companies sell access to an individual’s personal information. Customer data is usually collected by:
- Asking the consumer
- Tracking the consumers indirectly
- Aggregating consumer data from other sources
The collection of consumer data is big business, and information about consumers is extremely valuable. Companies have entire business models built around the collection of consumer data. The sharing of information flows all over the Internet and is accessed by a wide variety of entities, including academic researchers, law enforcement, and criminals.
Operators should share information to benefit consumers
Data brokers aggregate information about consumers and place the information on public websites for anyone to see. To remove the information, a consumer often has to make time-consuming efforts to figure out how to “opt-out” of these data aggregating services.
The sharing of PII does not always benefit consumers. Often, a consumer finds their personal information all over the Internet. As a result, a consumer could end up being targeted for a crime, such as fraud. Also, the consumer is left vulnerable to doxing, which is when an individual’s personal information is publicly released without consent.
Under CalOPPA, your business must identify the types of information that you collect and inform them of how you use the data. If you want to share your customer’s data, you can promote the value that they will receive or allow them to opt-out.
To enforce the provisions of CalOPPA, the California Attorney General created the Privacy Enforcement and Protection Unit. To report violations of CalOPPA, consumers can fill out an online complaint form.
How to use CalOPPA to protect the personal data of your customers
CalOPPA requires an operator to disclose the types of information that their online service collects. A Privacy Policy provides an opportunity to gain trust with your customers by informing them about the collection and sharing of their data.
As a business practice, you should safeguard the personal data of your customers.
Carefully review the types of data that your online service collects. Additionally, be aware that third-party service providers also collect information from your customers. If you share information, use your Privacy Policy to explain the value the consumers are receiving.
Operators of websites and mobile apps that collect the personal information of California residents need to post a Privacy Policy that follows the provisions of CalOPPA. Termageddon is a Privacy Policy generator that you can easily use to help comply with CalOPPA and protect the PII of California consumers.
