Understanding CalOPPA Privacy Policy disclosure requirements

California passed the California Online Privacy Protection Act (“CalOPPA”) in 2004 and became the first in the nation to require operators of websites and mobile applications to post a Privacy Policy. In 2014, California updated the law to require a list of disclosures in a Privacy Policy.

Under CalOPPA, an operator needs to know the requirements of the law and how it applies to its online service. In this guide, we will explain the CalOPPA Privacy Policy disclosure requirements and help you answer the following:

  • What are the CalOPPA Privacy Policy disclosure requirements?
  • How to use CalOPPA to gain trust with your customers.

What are the CalOPPA Privacy Policy disclosure requirements?

CalOPPA requires operators of websites and mobile apps to post a Privacy Policy that provides details about how they share the personal information of residents of California. In 2013, the California Legislature passed Assembly Bill 370, which added new disclosure requirements to CalOPPA. 

On January 1, 2014, the updated version of CalOPPA went into effect. The new provisions require an operator to:

  • Identify the categories of personally identifiable information collected by the business
  • Explain if the operator maintains a process to review and request changes to an individual’s PII, if such a process exists
  • Describe the process by which the operator notifies consumers of material changes to the operator’s Privacy Policy
  • Identify the effective date of the Privacy Policy
  • Disclose how the operator responds to Do Not Track and other anti-tracking mechanisms
  • Disclose whether other parties may collect personal data about an individual
  • Disclose the categories of third parties with whom you share PII

Using CalOPPA, the lawmakers want to hold operators accountable for collecting and sharing the personally identifiable information (PII) of Californians. The intent of the lawmakers was to promote consumer awareness of the tracking activities of online services and third parties. When consumers become aware that they are being tracked, they can make an informed decision before using the online service.

Describe data collecting and sharing practices

In a Privacy Policy, CalOPPA requires operators to identify the categories of PII that its website or mobile app collects. Categories include device information, browser type, and geolocation data.

Under CalOPPA, an operator must explain if consumers have a way to review the data that is collected about them. The operator must also tell the consumer if they will be able to request changes to their data.

When an operator makes a “material change” to its online service, such as joining an advertising network, it needs to update its Privacy Policy. CalOPPA requires that the operator explain in its Privacy Policy how it will notify consumers about the material change. For example, the operator could post an announcement on its homepage.

Disclose Do Not Track signals

Internet users surf the web by using a web browser. A browser sends a request to access a website from its server and then displays the website for the user. Popular web browsers include:

  • Google Chrome
  • Microsoft Explorer
  • Apple Safari
  • Mozilla Firefox
  • Opera

When a browser communicates with a server, it sends information about the user. The server uses the information to display the pages of the website. While communicating with the browser, the server can gather data passively. Information gathered from a browser includes:

  • IP address
  • Operating system
  • Hardware data
  • Browser plugins

Do Not Track signals are sent through a user’s web browser. Many browsers have an option to send a Do Not Track signal. The signal asks an online service operator not to track the user’s data that it can get from the browser.

A Do Not Track signal uses a machine-readable header that indicates a user doesn’t want to be tracked. A header contains short pieces of data, such as the type of browser and other technical information.

A Do Not Track signal is only a request, and the law does not require operators to take action. However, CalOPPA requires the operator to disclose in its Privacy Policy whether or not it respects a Do Not Track request.

If a website does respond to a Do Not Track signal, the operator should explain its practice in the Privacy Policy. As a way to alert a user that a website respects a Do Not Track request, the operator can display a small pop-up message that acknowledges the request. The pop-up can say that the website recognizes the request not to be tracked, and the user may disable the Do Not Track feature to opt-in.

Disclose other anti-tracking mechanisms

CalOPPA’s disclosure requirements also cover “other mechanisms” beyond a Do Not Track signal. The operator must disclose how the operator responds to “other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection.”

The term “other mechanisms” includes anti-tracking tools that users activate in their web browsers.To prevent tracking, many users add “extensions” to their browsers. The extensions can block trackers used by various sources, including social media and marketing agencies.

Browser extensions work by detecting cookies sent by trackers. A cookie is a small text file that saves small amounts of data to the user’s computer. Websites send cookies to make browsing more user-friendly. However, a “tracking” cookie can take the data gathered from the user’s browser and send it to another party.

Operators can embed tracking mechanisms from third parties into their websites and apps. Typically, the third-party uses the data to send targeted advertisements to the user.

Anti-tracking browser extensions can detect trackers and block them. Basically, the extensions can prevent the source from loading content. Without the ability to load its content, the source behind the tracker can’t track a user.

An example of an anti-tracking mechanism is the popular extension called “Disconnect” that offers private browsing. Disconnect is available for browsers, including Chrome, Firefox, Safari, and Opera. Disconnect offers different levels of tracking protection, including a basic free version for a desktop or mobile browser. As a mission, Disconnect aims to free consumers from unwanted tracking of their personal information and allows them to:

  • Achieve “meaningful privacy”
  • Control the sharing of personal information
  • Visualize the connections that websites attempt to make
  • Choose which websites to continue to block

Many other browser extensions are available for users to block unwanted tracking. Some of the most popular blockers include:

Ghostery – Intercepts and blocks trackers for a safer browsing experience

Adblock Plus – Avoids tracking, malware, and annoying ads

Privacy Badger – Learns by watching which domains appear to be tracking while browsing

AdGuard – Gets rid of intrusive ads, online tracking, and makes web surfing faster and safer

uBlock Origin – Loads and enforces thousand of filters with efficient blocking methods

uMatrix – Uses a point-and-click matrix-based firewall that includes privacy-enhancing tools

Some operators may attempt to detect when a consumer is using a blocker. For example, Detect Adblock offers different scripts for websites to detect ad blockers.

Under CalOPPA, if an operator attempts to detect blocking, this would be a response to an “other mechanism” that provides consumers the ability to exercise choice. If an operator uses a detection method, the operator should explain its practices in its Privacy Policy and identify what detection methods it uses. 

Instead of trying to detect ad blockers, an operator should focus on finding creative ways to make advertising more appealing and engaging for consumers. Otherwise, the operator should explain in its Privacy Policy why it uses blocker detection, such as the website depends on advertising revenue. 

Anti-tracking tools are not just for consumers. Government agencies and consumer organizations can use browser add-ons as a way to reveal whether a website’s claims about its use of tracking actually match-up with its practices.

Disclose other parties that collect personal information

CalOPPA requires operators to “disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.”

There are a variety of third-party services that operators integrate into their websites. The types of third-party services include:

  • Web analytics
  • Advertising networks
  • Streaming video services

An operator needs to be aware of the data-collecting practices of third parties. Third-party service providers often send cookies to a user’s browser. Under CalOPPA, an operator must either explain in its Privacy Policy about third-party tracking or provide a link to an explanation of the third-party’s data collection and sharing practices.

How to use CalOPPA to gain trust with your customers

The CalOPPA requirement of having disclosures in a Privacy Policy should be part of an operator’s business practices. An operator must follow its own policy or it will be in violation of the law. Non-compliance with CalOPPA may result in a civil fine or an investigation for deceptive practices by the Federal Trade Commission.

A way to establish trust with your customers is to be honest with them in your Privacy Policy. Whether you use tracking methods or not, your customers will not have to guess if they are being tracked. Explaining why your website uses certain tracking methods will help them better understand how your online service operates.

Operators that conduct business online with California residents need to post a CalOPPA Privacy Policy that contains the required disclosures. Termageddon is a Privacy Policy generator that you can easily add to your website or mobile app to meet the requirements of CalOPPA.