- Who does CalOPPA apply to?
- How to use CalOPPA to benefit your online business.
Table of Contents
- Who does CalOPPA apply to?
- How to use CalOPPA to benefit your business
Who does CalOPPA apply to?
CalOPPA applies to operators of an online business
CalOPPA applies to an “operator” of a commercial website or online service that collects personally identifiable information (PII) through the website or online service. The operator is also the “owner” of the commercial website or online service. Operators include:
- Business websites
- Mobile application developers
- Say what they do
- Do what they say
CalOPPA applies to operators in other states that target Californians
Under CalOPPA, an operator includes any person or entity that owns a website located on the Internet that targets California residents. This includes any e-commerce service that collects and maintains PII from Californians.
The CalOPPA statute does not specify where the operator of a website is located, so the law affects any website that collects data from a California resident. Examples of how CalOPPA affects operators in other states include:
- Having a contact form that residents of California can submit
- Collecting an email address of a California resident for a mailing list
- Processing an order for merchandise that requires collecting PII of a California resident
- Providing an online service that California residents can use
- Tracking online visitors from California that do not want to be tracked
To encourage compliance with CalOPPA, the California Attorney General has an online complaint form to encourage consumers to report violators. This crowdsourcing type of enforcement allows residents of California to pressure online service providers to comply with the provisions of the law.
CalOPPA applies to the operator’s use of third-party services
Internet businesses use third-party services for a variety of functions to enhance their online presence. As examples, a business may want to monitor its site for hacking attempts or measure the effectiveness of their advertising campaigns.
- Browser data
- Device data
- Geolocation data
- Google Analytics
- Google Ads
- Google AdSense
- Google AdMob
Google Analytics allow an operator to measure web traffic. To use the tracking service, an operator integrates a tracking code generated by Google into its website. The service prompts a visitor’s browser to automatically send certain information to Google so the operator can sort through the data. Once Google’s code collects data, the operator can use the data to create reports by setting up filters. Operators can use the data gathered by Google Analytics to track:
Many websites run third-party ads that are integrated into their online service. Third-party ads appear in different forms. For example, Google ads can appear as:
- Native – ads that are designed to integrate with content
- Rewarded – ads that users can interact with in exchange for rewards
- Banner ads – ads that are embedded in the online interface
- Video – ads in a video format or integrated into a content video
- Interstitial – ads that are full-screen and cover the interface of their host during a pause, such as when a game has a transition point
Google Ads allow an advertisement for an online service to appear on Google when someone is looking for a specific product. When a visitor performs a Google search and clicks on the operator’s ad, Google records the data generated by the visitor’s browser.
Google AdSense allows an operator to make money by serving ads on its website. The third-party ads appear in various places on the website where the operator has placed Google’s ad-serving code. To boost the operator’s payout, Google will send the highest paying ads by tapping into a large network of online advertisers who bid for the ad space.
Google AdMob allows an operator of a mobile application to earn revenue by serving in-app advertisements to consumers. The service allows an operator to integrate ads seamlessly into its web app. The operator can customize a user experience to earn more revenue by integrating different types of ads.
YouTube allows an operator to embed video content into its website. Like Google services, YouTube uses sensors that track data such as geolocation and IP addresses.
Beyond using Google services and YouTube videos, operators may integrate other types of third-party services on their website. Other types of third party services include:
- Social media apps
- Chat utilities
- Discussion forums
CalOPPA does not apply to third-party business functions
CalOPPA requires an operator of an online service to inform consumers of any integrated third-party services that can access consumer data. However, CalOPPA does not apply to a third-party provider of an in-house business function that is not an owner of a covered operator.
The scope of CalOPPA only covers the owner of the online service, website, or mobile app. CalOPPA does not include a third party that operates, hosts, or manages services on the owner’s behalf. These types of third parties are part of the operator’s business that perform functions, such as processing information on behalf of the owner. Examples of third-party business providers include:
- Website developers
- Web hosting providers
- Database architects
- Technical support services
How to use CalOPPA to benefit your business
Alice has a Juris Doctor from the Stetson University College of Law and is a licensed attorney in Florida. She is a Certified Information Privacy Professional (CIPP/US), a Certified Ethical Hacker (C|EH), and has the CompTIA Security+ certification. She currently serves on The Florida Bar Journal/News Editorial Board.