CalOPPA Privacy Policy requirements

In 2004, California became the first state in the nation to require the posting of a Privacy Policy when it passed the California Online Privacy Protection Act (“CalOPPA”). In 2014, California updated CalOPPA to require a specific list of items to be included in a Privacy Policy.

CalOPPA serves as a national privacy landmark for what an online service should include in a Privacy Policy. Meeting the requirements of CalOPPA is mandatory for website and mobile application operators that collect the personal information of California residents. However, even if your site targets non-residents of California, it’s a good idea to be compliant with CalOPPA. This guide explains how to meet the CalOPPA Privacy Policy requirements and answers the following:

  • How does CalOPPA apply to your online business?
  • What are the CalOPPA Privacy Policy requirements?
  • What disclosures does CalOPPA require?
  • How to use CalOPPA to create a Privacy Policy.

How does CalOPPA apply to your online business?

In California, this privacy law is intended to reassure consumers who are wary of conducting business online. As a benefit, having a Privacy Policy creates goodwill between your business and consumers. Protecting consumer data is also a great way to establish brand loyalty with your customers.

CalOPPA applies to the collection of personally identifiable information (PII) by an online service, which includes websites and mobile apps. Operators of these online services must follow the provisions of CalOPPA in their Privacy Policy.

California considers any activity on a website or mobile app that collects consumer data to be an online service. For example, if your website collects PII from California customers, you need to have a CalOPPA-compliant Privacy Policy. This applies to any online method that allows consumers to input their data on a website or a mobile app, including contact forms and mailing lists.

The scope of CalOPPA is very broad, so you need to have a Privacy Policy if you target California residents, even if your website is outside of the state. CalOPPA does not specify where the operator of a website is located, so it includes many online businesses.

When you post your Privacy Policy, consumers will be able to read about your data collection practices. When consumers have the ability to read your policy and understand how you use their data, they can decide whether or not to submit their information to the online service.

What are the CalOPPA Privacy Policy Requirements?

Inform consumers about data collection

When creating a Privacy Policy, keep in mind the main objectives of CalOPPA, which are to inform consumers about data collection practices and to offer them a choice in how their data is used. The goal is a Privacy Policy that gives your customers control over their PII.

CalOPPA requires website and mobile app operators to post a Privacy Policy where a consumer can easily find it. The operator must “conspicuously post” a Privacy Policy on the website or mobile app to be compliant with the law.

A website should post a text link that hyperlinks to the Privacy Policy. The link should be located on the homepage or the first significant page when a visitor enters the website. The link must do one of the following:

  • Include the word “privacy”
  • Use capital letters that are equal to or greater in size than the surrounding text
  • Use a larger type of text than the surrounding text
  • Use text that contrasts with the surrounding text

CalOPPA’s text rule allows consumers to easily find your Privacy Policy. When using a contrasting method, the goal is to call attention to the language in the link.

Online services have various types of user interfaces, such as large computer monitors for websites and small phone screens for mobile apps. To accommodate the variety of devices, CalOPPA permits flexibility in how operators post their Privacy Policy in a “conspicuous” place. The law allows “any other reasonably accessible means of making the Privacy Policy available for consumers of the online service.”

Identify how the online service collects data

In a Privacy Policy, the operator must identify specific information about its online service. CalOPPA requires the Privacy Policy to identify:

  • The policy’s effective date.
  • The categories of PII that the operator collects.
  • The categories of PII that third parties collect.

The effective date is when the policy goes into effect. Any time an operator changes a business practice that concerns PII, the policy must be updated. The date of the latest change should be placed at the top of the policy, next to the phrase “last updated”.

A Privacy Policy should identify the categories of PII that the operator and third parties collect. The operator should describe the types of data and how it’s collected. Examples include when an operator collects IP addresses for security purposes, and when a third party collects browser information for web traffic reporting.

What disclosures does CalOPPA require?

The operator must make certain disclosures about its business practices for handling a consumer’s PII. CalOPPA requires the Privacy Policy to explain the following:

  • Does the online service have a process for consumers to view their PII?
  • Do consumers have a method to request changes to their PII?

CalOPPA requires an operator to disclose how it uses PII. The Privacy Policy must disclose:

  • Whether the online service shares the consumer’s PII with third parties.
  • Whether other parties may collect PII about a consumer’s online activities on the service.
  • How the operator notifies consumers of material changes to the policy.
  • How the operator responds to browser “do not track” signals.
  • Whether consumers can exercise choice over the collection of their PII.

Consumers are often targeted by third parties that profile their behavior and interests for marketing purposes. CalOPPA requires that website and mobile app operators disclose their data sharing practices. A Privacy Policy should disclose to consumers if an operator shares their PII with third parties or allows third parties to collect their PII.

CalOPPA requires that an operator disclose how it informs consumers of a material change to its Privacy Policy. For example, an operator might state that it sends consumers an email about the change. When a material change then occurs, the operator must follow through with its own policy and actually send those emails. Otherwise, the operator would be in violation of CalOPPA.

The operator must explain in the Privacy Policy how the website responds to browser “Do Not Track” signals. One way to comply is to provide a clear and noticeable hyperlink to an online location that describes the effects of any program or protocol the operator follows that offers the consumer that choice.

A Privacy Policy should disclose whether consumers can access their data and request changes to it. The operator should have a procedure for receiving consumer communications and tracking access requests. The operator should also put internal controls in place to verify the requester’s identity before any PII is disclosed or changed, so that an access request cannot be used to obtain another person’s information.

If the online service has an account interface, the operator can build in an option for consumers to manage their PII. The consumer can then view and update their information from the moment they sign up for the online service.

Websites and mobile apps often collect data using automated processes for tracking visitors and securing the website. Under CalOPPA, PII includes information that is collected passively by an online service. A Privacy Policy should disclose all the ways that the website collects PII. Automatically collected data includes:

  • Cookies
  • IP addresses
  • Web beacons
  • Device types
  • Browser types
  • Operating systems
  • Geo-location data

Assessing the PII that you collect is an important step before creating the disclosures in your Privacy Policy. Also, you should be aware of the PII that you are passively sharing with a third party, such as a web analytics provider that tracks visitor data.

How to use CalOPPA to create a Privacy Policy

Operators should use the CalOPPA Privacy Policy requirements to create a basic policy that complies with California law. In addition, the operator should include other useful information, such as links to the policies of third parties it shares data with.

In 2014, the California Attorney General issued guidelines that provide deeper insight into how to create a Privacy Policy that complies with CalOPPA. These guidelines are not part of the statute, and some of the recommendations exceed the requirements of the law. However, the guidelines’ intention is to encourage operators to create a meaningful Privacy Policy for their online service. According to the guidelines, a Privacy Policy should:

  • Have a readable format.
  • Use plain language that is straightforward.
  • Avoid legal language or technical jargon.
  • Provide contact information for questions regarding privacy practices.

The contents of a Privacy Policy should match your actual business practices. An operator should never make a false claim in the policy, or it could face penalties. To stay compliant, use version control procedures to ensure that your Privacy Policy remains up to date and consistent with CalOPPA.

Having a Privacy Policy is a necessity for operators of websites and mobile apps that conduct business with California residents. Termageddon is a Privacy Policy generator that you can easily use to meet the CalOPPA Privacy Policy requirements for your online service.