The California Online Privacy Protection Act (CalOPPA) is a privacy law that went into effect on July 1, 2004 and protects the Personally Identifiable Information (PII) of residents of California. CalOPPA was the first state law in the United States to require commercial websites to post a Privacy Policy. The law requires that Privacy Policy to contain a number of specific disclosures and to be posted in a specific, conspicuous way. In this guide, we will help you understand CalOPPA better and will help you answer the following:
- Why was CalOPPA passed?
- Who does CalOPPA apply to?
- What does a Privacy Policy need to include to be CalOPPA compliant?
- What are the Privacy Policy display requirements under CalOPPA?
- What are the penalties for not complying with CalOPPA?
- How you can use Termageddon to generate a CalOPPA compliant Privacy Policy.
Why was CalOPPA passed?
California is a state whose legislature has a deep-rooted respect for privacy. In fact, California’s Constitution lists privacy among the “inalienable rights” of all people in the State. It should come as no surprise that California was the first state in the United States to pass a privacy law governing business websites by requiring them to have a Privacy Policy.
According to the California Attorney General, “meaningful Privacy Policy statements safeguard consumers by helping them make informed decisions about which companies they will trust with their personal information”. CalOPPA was enacted to help “foster the continued growth of the Internet economy…by allowing individuals to rely on a Privacy Policy posted online.” The law is meant to reassure consumers who were unsure of doing business online.
CalOPPA was amended in 2013 (effective January 1, 2014) to address online tracking by requiring Privacy Policies to disclose how the website responds to “Do Not Track” signals and similar mechanisms, and whether third parties may collect PII about a consumer’s activity across different websites.
Who does CalOPPA apply to?
CalOPPA has an extremely broad reach, potentially applying to any modern website with something as simple as a contact form. CalOPPA applies to an “operator” of a commercial website or online service (including a mobile app) that collects personally identifiable information about individual consumers residing in California. The law defines an “operator” as any person or entity that owns a website or online service that collects and maintains the PII of California residents and that is operated for commercial purposes. A third party that merely operates, hosts or manages the website on the owner’s behalf, but does not own it, is not the “operator”; the obligation stays with the owner.
CalOPPA defines “personally identifiable information” as “individually identifiable information about an individual consumer collected online by the operator in an accessible form, including any of the following:
- A first and last name;
- A home or other physical address, including street name and name of a city or town;
- An e-mail address;
- A telephone number;
- A social security number;
- Any other identifier that permits the physical or online contacting of a specific individual;
- Information concerning a user that the website collects and maintains in personally identifiable form in combination with any of the above.”
If your website has a contact form or an email newsletter sign up form, you are collecting Personally Identifiable Information.
Note that CalOPPA says nothing about where the operator of the website is located. What matters is whether the website collects the PII of California consumers, so the law can apply to you whether you are in California or elsewhere. If your website has a contact form that could be collecting the PII of California consumers, you need to have a CalOPPA compliant Privacy Policy.
What does a Privacy Policy need to include to be CalOPPA compliant?
Since CalOPPA was enacted to reassure consumers that online shopping is safe from a privacy perspective, it is no surprise that this law prescribes specific requirements on what a Privacy Policy needs to include. A CalOPPA compliant Privacy Policy needs to make the following disclosures:
- Identify the categories of PII that you collect and the categories of third parties with whom you may share the PII;
- If you maintain a process by which a consumer can review and request changes to any of their PII, provide a description of that process;
- Describe the process by which you notify consumers of material changes to your website’s Privacy Policy;
- Identify its effective date;
- Disclose how you respond to web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of PII about the consumer’s online activities over time and across third-party websites, if you engage in such collection;
- Disclose whether other parties may collect PII about a consumer’s online activities over time and across different websites when a consumer uses your website.
A Privacy Policy that omits any of these disclosures does not satisfy CalOPPA and exposes you to the penalties described below. Note also that the disclosures must be true: the law treats failing to follow your own posted Privacy Policy as a violation as well.
What are the Privacy Policy display requirements under CalOPPA?
While a Privacy Policy that makes all of the required disclosures is great, it is not much use if consumers cannot find it to read those disclosures. That is why CalOPPA requires operators to “conspicuously post” the Privacy Policy on their websites. Because there may be different interpretations as to what it means to “conspicuously post” a Privacy Policy, CalOPPA actually defines this term so that there is no confusion. It includes posting a Privacy Policy through any of the following:
- Your home page or the first significant page after entering your website;
- An icon that hyperlinks to a web page on which the Privacy Policy is posted, if the icon is located on the homepage or the first significant page after entering the website, and if the icon contains the word “privacy.” The icon must also use a color that contrasts with the background color of the webpage or must be otherwise distinguishable;
- A text link that hyperlinks to a webpage on which the Privacy Policy is posted, if the text link is located on the homepage or the first significant page after entering the website and the link does one of the following:
  - Includes the word “privacy”;
  - Is written in capital letters equal to or greater in size than the surrounding text;
  - Is written in larger type than the surrounding text, or in contrasting type, font or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language;
- Any other functional hyperlink that is displayed so that a reasonable person would notice it;
- In the case of an online service such as a mobile app, any other reasonably accessible means of making the Privacy Policy available to consumers.
In practice, the safest approach is a footer link on every page whose text is “Privacy Policy”: it satisfies the “includes the word privacy” test without depending on font size or color. If your Privacy Policy is not “conspicuously posted”, you are not complying with CalOPPA, which can lead to significant fines.
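The markup-level parts of the “conspicuously posted” test above can be checked automatically. The script below is an added example, not code from the original article or from Termageddon: given the HTML of a home page (here a few constructed sample pages, not real sites), it looks for a privacy policy link and reports whether it qualifies by link text containing “privacy”, by all-capital link text, or by an icon whose alt text contains “privacy”. The size, font and color-contrast criteria depend on rendered CSS and cannot be judged from HTML alone, so such links are reported as needing manual review. The page names and paths used in the samples are assumptions.

```python
"""Check a home page's HTML for a conspicuously posted privacy policy link.

Added example, not part of the original article. It implements only the
criteria that can be judged from markup: link text containing "privacy",
link text written entirely in capital letters, or an icon (img) whose alt
text contains "privacy". Size and contrast must still be reviewed by hand.
"""
from html.parser import HTMLParser


class _LinkCollector(HTMLParser):
    """Collect (href, visible text, img alt texts) for every <a> on the page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # dict while inside an <a> ... </a>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._current = {"href": attrs.get("href") or "", "text": "", "alts": []}
        elif tag == "img" and self._current is not None:
            self._current["alts"].append(attrs.get("alt") or "")

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None


def check_privacy_link(html):
    """Return {found, conspicuous, reason, href} for the given page HTML.

    A link is treated as a privacy-policy link if its text, icon alt text or
    target URL mentions "privacy". It is conspicuous (by the markup-only
    criteria) if the word appears in the link text or icon alt text, or if
    the link text is written entirely in capital letters.
    """
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()

    result = {"found": False, "conspicuous": False,
              "reason": "no privacy policy link found", "href": None}
    for link in parser.links:
        text = " ".join(link["text"].split())  # collapse whitespace
        alts = " ".join(link["alts"])
        if "privacy" not in (text + " " + alts + " " + link["href"]).lower():
            continue
        result["found"] = True
        result["href"] = link["href"]
        if "privacy" in text.lower():
            result.update(conspicuous=True, reason="link text contains the word 'privacy'")
            return result
        if "privacy" in alts.lower():
            result.update(conspicuous=True, reason="icon alt text contains the word 'privacy'")
            return result
        if text and text.isupper():
            result.update(conspicuous=True,
                          reason="link text is in capital letters (confirm its size is not smaller than surrounding text)")
            return result
        result["reason"] = "privacy link present, but its size/contrast must be checked manually"
    return result


# Constructed sample pages (assumed markup, not real sites).
GOOD_PAGE = """<html><body><h1>Acme Widgets</h1>
<footer><a href="/terms">Terms</a> | <a href="/privacy">Privacy Policy</a></footer>
</body></html>"""

ICON_PAGE = """<html><body><footer>
<a href="/legal/pp"><img src="shield.png" alt="Privacy"></a></footer></body></html>"""

BAD_PAGE = """<html><body><footer><a href="/legal">Legal</a></footer></body></html>"""

MANUAL_PAGE = """<html><body><footer><a href="/privacy">Legal notices</a></footer></body></html>"""

if __name__ == "__main__":
    for name, page in [("good", GOOD_PAGE), ("icon", ICON_PAGE),
                       ("bad", BAD_PAGE), ("manual", MANUAL_PAGE)]:
        print(name, check_privacy_link(page))
```

Run it against the HTML of your own home page (for example, saved with curl) rather than a deep page: the statute cares about the home page or first significant page after entry, and a link that only appears on an inner page does not satisfy it.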
What are the penalties for not complying with CalOPPA?
CalOPPA does not carry its own penalty section; it is enforced by the California Attorney General under California’s Unfair Competition Law, which allows civil penalties of up to $2,500 per violation. The statute does not say what counts as one violation; the common reading is that each California consumer whose PII is collected without a compliant policy is a separate violation, so even a few dozen California visitors per month can add up to a really large amount. Two details of the statute are worth knowing: an operator that has failed to post a policy is in violation only if it does not post one within 30 days after being notified of noncompliance, and an operator that fails to comply with its own posted Privacy Policy, either knowingly and willfully or negligently and materially, is in violation with no such grace period.
California’s Attorney General is committed to finding companies that violate CalOPPA and, to that end, has created an online complaint form that consumers can use to report any company whose website, mobile application, or other online presence:
- Lacks a Privacy Policy;
- Has a Privacy Policy that is hard to find;
- Has a Privacy Policy that does not contain the required disclosures;
- Does not follow its own Privacy Policy;
- Does not notify users of significant changes to its Privacy Policy.
Remember that you need to have a CalOPPA compliant Privacy Policy and to display it correctly to avoid the fines.
How you can use Termageddon to get a CalOPPA compliant Privacy Policy
Termageddon is a Privacy Policy generator that you can use to create a CalOPPA compliant Privacy Policy. When you start generating your Privacy Policy, simply answer “yes” to one or both of the following questions:
- Do you do business in California?
- Do you collect the PII of California consumers?
Once you answer “yes”, the generator will ask you some additional questions that will help craft the disclosures required by CalOPPA. Once you answer those questions and click “submit”, an embed code will be generated. Copy and paste the embed code onto your Privacy Policy page, and the Privacy Policy will display. The embed code allows us to make updates to your Privacy Policy whenever new privacy laws go into effect or existing privacy laws change, ensuring that you stay compliant.