- Why was CalOPPA passed?
- Who does CalOPPA apply to?
- What are the penalties for not complying with CalOPPA?
Why was CalOPPA passed?
CalOPPA was amended in 2013 to address online tracking by requiring Privacy Policies to disclose how the website responds to “Do Not Track” signals and similar technologies.
Who does CalOPPA apply to?
CalOPPA has an extremely broad reach, potentially applying to any modern website with something as simple as a contact form. CalOPPA applies to an “operator” of a commercial website that collects personally identifiable information about individual consumers residing in California. The law defines an “operator” as any person or entity that owns a website that collects the PII of residents of California and the website is operated for commercial purposes.
CalOPPA defines “personally identifiable information” as “individually identifiable information about an individual consumer collected online by the operator in an accessible form, including any of the following:
- A first and last name;
- A home or other physical address, including street name and name of a city or town;
- An e-mail address;
- A telephone number;
- A social security number;
- Any other identifier that permits the physical or online contacting of a specific individual;
- Information concerning a user that the website collects and maintains in personally identifiable form in combination with any of the above.”
If your website has a contact form or an email newsletter sign up form, you are collecting Personally Identifiable Information.
- Identify the categories of PII that you collect and the categories of third parties with whom you may share the PII;
- If you maintain a process by which a consumer can review and request changes to any of their PII, provide a description of that process;
- Identify its effective date;
- Disclose how you respond to web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of PII about the consumer’s online activities over time and across third-party websites, if you engage in such collection;
- Disclose whether other parties may collect PII about a consumer’s online activities over time and across different websites when a consumer uses your website.
- Your home page or the first significant page after entering your website;
- Includes the word “privacy”;
- Is written in capital letters equal to or greater in size than the surrounding text;
- Is written in larger type than the surrounding text, or in contrasting type, font or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.
What are the penalties for not complying with CalOPPA?
CalOPPA is enforced by the California Attorney General, who can impose a penalty of $2,500 per violation for failure to comply (source). In this case, “per violation” means per website visitor from California. Even if you have a few dozen California residents visit your website per month, you can see how these fines can add up to a really large amount.
California’s Attorney General is committed to finding companies that violate CalOPPA and, to that end, has created an online form tool that consumers can use to report any company whose website, mobile application, or other online presence:
- Do you do business in California?
- Do you collect the PII of California consumers?
Hans Skillrud is the cofounder and Vice President of Termageddon, overseeing sales & marketing. Hans ran a 12-person web design agency in downtown Chicago for 7 years, and sold it in March of 2019 to focus all of his attention on Termageddon. In his free time, Hans enjoys history, philosophy, reading, and drinking whiskey with friends.