A guide to who does CalOPPA apply to

In 2004, the California Online Privacy Protection Act (“CalOPPA”) went into effect and became a national standard for consumer protection. With the passage of CalOPPA, California was the first state to require an online business to post a Privacy Policy.

CalOPPA requires an operator of an online business to provide an explanation of how it collects and shares the data of California residents in its Privacy Policy. To follow the requirements of CalOPPA, a business must understand who does CalOPPA include under the law. In this guide, we will help you understand the scope of CalOPPA and help you answer the following:

  • Who does CalOPPA apply to?
  • How to use CalOPPA to benefit your online business.

Who does CalOPPA apply to?

CalOPPA applies to operators of an online business

CalOPPA applies to an “operator” of a commercial website or online service that collects personally identifiable information (PII) through the website or online service. The operator is also the “owner” of the commercial website or online service. Operators include:

  • Business websites
  • Mobile application developers

To accomplish the law’s goal, CalOPPA requires an operator to conspicuously post a Privacy Policy and comply with it. In other words, operators must do both of the following:

  1. Say what they do
  2. Do what they say

The operator must conspicuously post the Privacy Policy on the online service, or it will be in violation of CalOPPA. If an operator does not follow the requirements of CalOPPA, it runs the risk of civil litigation and large fines under the state’s Unfair Competition Law.

CalOPPA applies to operators in other states that target Californians

Under CalOPPA, an operator includes any person or entity that owns a website located on the Internet that targets California residents. This includes any e-commerce service that collects and maintains PII from Californians.

CalOPPA can apply to your service even if your website is hosted outside of California. Although the focus of CalOPPA is to create a Privacy Policy requirement for online operators, the scope of CalOPPA applies beyond the state borders of California.

The CalOPPA statute does not specify where the operator of a website is located, so the law affects any website that collects data from a California resident. Examples of how CalOPPA affects operators in other states include:

  • Having a contact form that residents of California can submit
  • Collecting an email address of a California resident for a mailing list
  • Processing an order for merchandise that requires collecting PII of a California resident
  • Providing an online service that California residents can use
  • Tracking online visitors from California that do not want to be tracked

To encourage compliance with CalOPPA, the California Attorney General has an online complaint form to encourage consumers to report violators. This crowdsourcing type of enforcement allows residents of California to pressure online service providers to comply with the provisions of the law.

CalOPPA applies to the operator’s use of third-party services

Under CalOPPA, operators must inform consumers in its Privacy Policy about any third-party service that collects personal data from website visitors. Likewise, these third-party providers usually require that the operator post a Privacy Policy as a condition for integrating their services into the operator’s website or mobile app.

Internet businesses use third-party services for a variety of functions to enhance their online presence. As examples, a business may want to monitor its site for hacking attempts or measure the effectiveness of their advertising campaigns.

Third-party services commonly collect a variety of personal data relating to browsing activity. In a Privacy Policy, CalOPPA requires operators to identify the categories of a consumer’s PII that third parties access. The types of data that third parties collect through an operator’s service include:

  • Browser data
  • Device data
  • Geolocation data

There are many types of third-party services that an operator might use that would apply to CalOPPA’s Privacy Policy requirements. Some of the most popular third-party services include:

  • Google Analytics
  • Google Ads
  • Google AdSense
  • Google AdMob
  • YouTube

Google Analytics allow an operator to measure web traffic. To use the tracking service, an operator integrates a tracking code generated by Google into its website. The service prompts a visitor’s browser to automatically send certain information to Google so the operator can sort through the data. Once Google’s code collects data, the operator can use the data to create reports by setting up filters. Operators can use the data gathered by Google Analytics to track:

  • Audience
  • Acquisition
  • Behavior

Many websites run third-party ads that are integrated into their online service. Third-party ads appear in different forms. For example, Google ads can appear as:

  • Native – ads that are designed to integrate with content 
  • Rewarded – ads that users can interact with in exchange for rewards
  • Banner ads – ads that are embedded in the online interface
  • Video – ads in a video format or integrated into a content video
  • Interstitial – ads that are full-screen and cover the interface of their host during a pause, such as when a game has a transition point

Google Ads allow an advertisement for an online service to appear on Google when someone is looking for a specific product. When a visitor performs a Google search and clicks on the operator’s ad, Google records the data generated by the visitor’s browser.

Google AdSense allows an operator to make money by serving ads on its website. The third-party ads appear in various places on the website where the operator has placed Google’s ad-serving code. To boost the operator’s payout, Google will send the highest paying ads by tapping into a large network of online advertisers who bid for the ad space.

Google AdMob allows an operator of a mobile application to earn revenue by serving in-app advertisements to consumers. The service allows an operator to integrate ads seamlessly into its web app. The operator can customize a user experience to earn more revenue by integrating different types of ads.

YouTube allows an operator to embed video content into its website. Like Google services, YouTube uses sensors that track data such as geolocation and IP addresses.

Beyond using Google services and YouTube videos, operators may integrate other types of third-party services on their website. Other types of third party services include:

  • Social media apps
  • Chat utilities
  • Discussion forums

To stay CalOPPA compliant, an operator must inform consumers about any third-party services that track visitors. Operators should explain how its online service uses third parties in its Privacy Policy.

An operator needs to be aware of when its online service interacts with a user’s personal information such as placing cookies in their browsers or sharing the user’s data with third parties. Operators must disclose this information to visitors in its Privacy Policy using plain language that users can understand. In addition to CalOPPA’s requirement of a Privacy Policy, an operator can place a pop-up notice on their service, such as a cookie consent.

CalOPPA does not apply to third-party business functions

CalOPPA requires an operator of an online service to inform consumers of any integrated third-party services that can access consumer data. However, CalOPPA does not apply to a third-party provider of an in-house business function that is not an owner of a covered operator.

The scope of CalOPPA only covers the owner of the online service, website, or mobile app. CalOPPA does not include a third party that operates, hosts, or manages services on the owner’s behalf. These types of third parties are part of the operator’s business that perform functions, such as processing information on behalf of the owner. Examples of third-party business providers include:

  • Website developers
  • Web hosting providers
  • Database architects
  • Technical support services

An owner of a web business has the responsibility of meeting the requirements of CalOPPA. If a third party is assisting a business owner by providing a technical service, the owner must make sure the third party is aware of the Privacy Policy when creating a new area of the service. An example is when an operator wants to add a new section to its website that includes a contact form. The operator needs to make sure that the web developer follows the established business practices in the Privacy Policy when developing a method to collect and use consumer data.

How to use CalOPPA to benefit your business

California enacted CalOPPA to encourage the continued growth of e-commerce. The law allows individuals to rely on the contents of a Privacy Policy and mandates that an operator follow the promises in its policy.

Under CalOPPA, your business must comply with the law if you are a covered operator. CalOPPA provides an opportunity for you to build brand loyalty by providing transparency to your customers. A Privacy Policy allows you to promote the credibility of your online service by giving consumers a choice if they want to opt-out.

Operators that conduct business online with California residents need to post a CalOPPA Privacy Policy that follows the law’s requirements. Termageddon is a Privacy Policy generator that you can easily integrate into your website or mobile app to comply with CalOPPA.