CalOPPA: Understanding the California Online Privacy Protection Act

If your website collects personally identifiable information from California residents, you may be subject to the California Online Privacy Protection Act (CalOPPA). We break down who must comply, what the law requires, and how to create a privacy policy that aligns with CalOPPA’s standards.
Published by Usercentrics
Dec 5, 2024

The California Online Privacy Protection Act (CalOPPA) is a privacy law that sets requirements related to privacy policies for certain entities that collect personal information from California residents.

Passed in 2003 and effective as of July 1, 2004, CalOPPA predates both the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), California’s more expansive privacy laws that give consumers more control over their personal data and place additional obligations on businesses.

Notably, CalOPPA was the first US law to require privacy policies on websites. In 2013, it was amended to address online tracking, which involves collecting personal information from consumers as they navigate different websites or services.

In this article, we’ll go over CalOPPA’s requirements, who it applies to, and how to stay compliant.

What is the purpose of CalOPPA?

CalOPPA aims to increase transparency in how websites and online services handle personally identifiable information (PII) collected from California residents. It sets requirements for what must be included in a privacy policy and how that policy must be displayed to consumers. Under the law, a “consumer” is “any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes.”

“Personally identifiable information” refers to individually identifiable information about a consumer that an operator collects online from that consumer and maintains in an accessible form. Examples of PII include:

  • first and last name
  • home address or any other physical address (including a street name and city)
  • email address
  • phone number
  • Social Security number
  • any other information that allows someone to contact a specific individual, whether in person or online
  • details about users that a website or online service collects and maintains, when combined with one of the identifiers listed above

Who must comply with CalOPPA?

CalOPPA applies to any person or entity that:

  • operates a website, mobile app, or online service for commercial purposes

and

  • collects and maintains PII from California residents

Entities that meet these criteria are referred to as “operators” under the law.

However, a third party that merely operates, hosts, or manages a website or online service on behalf of its owner, or that processes information on the owner’s behalf, is not an “operator” and is not responsible for CalOPPA compliance; that responsibility stays with the owner.

Like many other data privacy laws globally, CalOPPA has extraterritorial reach. It applies to operators located anywhere in the world if they collect PII from California residents.

CalOPPA requirements for a privacy policy

CalOPPA details what must be included in a privacy policy and how consumers must be able to access it.

CalOPPA privacy policy content requirements

Operators must include the following information in their privacy policies.

  • Information collected: The policy must list the categories of PII collected from users and the categories of third parties with whom the operator may share that information.
  • Review process: If there is a process for consumers to review and request changes to their PII, the policy must explain how this process works.
  • Notification of changes: The policy should describe how the operator will inform users about significant changes to said policy.
  • Effective date: The operator must state when the privacy policy goes into effect. While not required by CalOPPA, it is advisable to also publish the date the policy was last updated.
  • Response to “Do Not Track” signals: If the operator collects PII about users’ online activities over time and across different websites or online services, the policy must disclose how it responds to “Do Not Track” browser signals or other mechanisms that let consumers choose how their PII is collected over time and across sites. An operator can satisfy this requirement by providing a clear and conspicuous link in the privacy policy to a page that describes the protocol it follows for such signals.
  • Third-party data collection: The policy must disclose whether other parties may collect PII about users’ online activities over time and across different websites while those users are on the operator’s website or online service.
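CalOPPA only requires an operator to disclose how it responds to “Do Not Track” signals; whether to honour them is the operator’s choice. If an operator does choose to honour them, the server has to read the signal and change its behaviour, and the privacy policy then has to describe exactly that behaviour. The following is an added example (not code from the original article or from Usercentrics) of the server-side half: a small Python WSGI middleware that reads the `DNT` request header defined by the W3C Tracking Preference Expression, suppresses tracking cookies when the user has sent `DNT: 1`, and announces the decision in the W3C `Tk` response header. The cookie names, the `demo_app`, and the decision to treat only an explicit `1` as an opt-out are assumptions made for the example.

```python
"""Honouring the "Do Not Track" (DNT) browser signal on the server side.

Added example, not from the original article. Assumes the W3C Tracking
Preference Expression convention: a browser sends "DNT: 1" when the user
has opted out of tracking, and the server may answer with a "Tk" header
("N" = not tracking, "T" = tracking).
"""
from __future__ import annotations

from typing import Iterable, Mapping

# Hypothetical names of cookies used for tracking over time and across sites
# (an assumption for this example; substitute the real ones).
TRACKING_COOKIE_NAMES = {"_tracker_id", "_adnet_uid"}


def dnt_enabled(headers: Mapping[str, str]) -> bool:
    """Return True only when the client sent an explicit "DNT: 1".

    Header names are case-insensitive. "0", an absent header, or any other
    value is treated as "no preference expressed", the conservative reading.
    """
    for name, value in headers.items():
        if name.lower() == "dnt":
            return value.strip() == "1"
    return False


def filter_set_cookie(headers: Iterable[tuple[str, str]], dnt: bool) -> list[tuple[str, str]]:
    """Drop Set-Cookie headers for tracking cookies when DNT is on.

    Functional cookies (session, CSRF token) pass through untouched: DNT is a
    preference about cross-site tracking, not about all state.
    """
    headers = list(headers)
    if not dnt:
        return headers
    kept: list[tuple[str, str]] = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            if cookie_name in TRACKING_COOKIE_NAMES:
                continue  # suppress the tracking cookie
        kept.append((name, value))
    return kept


def dnt_middleware(app):
    """WSGI middleware that honours DNT for every response of `app`."""
    def wrapped(environ, start_response):
        # WSGI exposes request headers as HTTP_<NAME>, so "DNT" is HTTP_DNT.
        dnt = dnt_enabled({"DNT": environ.get("HTTP_DNT", "")})

        def honouring_start_response(status, response_headers, exc_info=None):
            filtered = filter_set_cookie(response_headers, dnt)
            filtered.append(("Tk", "N" if dnt else "T"))
            return start_response(status, filtered, exc_info)

        return app(environ, honouring_start_response)
    return wrapped


def demo_app(environ, start_response):
    """Hypothetical app that sets one functional and one tracking cookie."""
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Set-Cookie", "session=xyz; HttpOnly; Secure"),
        ("Set-Cookie", "_tracker_id=abc123; Path=/"),
    ])
    return [b"hello"]


def call_app(environ: dict, app=dnt_middleware(demo_app)) -> tuple[str, list[tuple[str, str]], bytes]:
    """Drive a WSGI app without a server; returns (status, headers, body)."""
    captured: dict = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(response_headers)

    body = b"".join(app(dict(environ), start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for env in ({"HTTP_DNT": "1"}, {}):
        status, hdrs, _ = call_app(env)
        print(env, status, [h for h in hdrs if h[0] in ("Set-Cookie", "Tk")])
```

Whatever an operator decides to do here (honour the signal, ignore it, or honour it only for certain cookies) is what the “Do Not Track” section of its privacy policy must describe; the code and the disclosure have to match.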

CalOPPA privacy policy accessibility and display requirements

Operators must conspicuously post their privacy policy so that it is easy for visitors to find. Here are acceptable ways to do so under CalOPPA.

Post it directly on a key page

The privacy policy may be displayed on the homepage or the first significant page users see when they visit a website.

Use an icon

Operators can use an icon that links to the privacy policy if it:

  • includes the word “privacy”
  • is located on the homepage or the first important page the user sees when they visit the website
  • stands out by using a color that contrasts against the website’s background

Use a text link

CalOPPA permits a clickable text link to the privacy policy if it appears on the homepage or first significant page and:

  • includes the word “privacy”
  • is written in capital letters equal to or greater in size than the surrounding text
  • uses a different color, font, or style to stand out, or is set apart by symbols or other markers

This is one of the most common ways that privacy policies are published. Links are often placed in the website’s footer for the most accessibility and visibility across all pages.

Any other link that is clearly visible and would catch a reasonable person’s attention can also count as conspicuous.

Other methods for online services

For online services that don’t have a traditional website, the privacy policy must still be reasonably accessible to users. Mobile apps, for example, may link the privacy policy directly from somewhere in the app that is easy to find, such as the app’s settings.

CalOPPA enforcement and penalties

CalOPPA does not have its own enforcement provisions. Instead, it is enforced under California’s Unfair Competition Law (UCL). This means that violations of CalOPPA can be treated as acts of unfair competition, which allows the California Attorney General (AG), District Attorneys, County Counsel, or City Attorneys to bring legal actions against businesses that fail to comply.

An operator that fails to post a compliant privacy policy is in violation of CalOPPA only if it does not post one within 30 days after being notified of noncompliance (such notices typically come from the Attorney General’s office). Operators that do not correct the identified issues within that 30-day period may face legal action and penalties.

The UCL allows for civil penalties of up to USD 2,500 for each violation.

Steps for CalOPPA compliance

Businesses that must comply with CalOPPA can take certain steps to meet requirements.

  • Add a clear link on the website’s homepage that includes the word “privacy.” For mobile apps, add a link to the policy from somewhere users can easily access, like the settings or on a menu.
  • State the date on which the privacy policy took effect.
  • List the types of PII collected and any third parties with whom it may be shared.
  • Inform users if the business collects data about their online activity across different websites and how it responds to “Do Not Track” browser settings.
  • Inform users if third parties can collect PII about them while they’re using the business’s website or app.
  • Describe how the business will notify users about significant changes to the privacy policy.
  • If users can review or request changes to their PII, explain how they can do so.

The AG’s office published recommendations on how businesses can create and publish a meaningful privacy policy. While these recommendations are not legally binding, they represent best practices to help operators be transparent about their privacy practices through their privacy policies.

Some of the privacy policy best practices in the AG’s recommendations include:

  • explaining whether the privacy policy only covers online data collection and use or if it includes offline data practices as well
  • making it easy for users to find information about “Do Not Track” browser signals by using a clear header for the section that includes the words “Do Not Track”
  • using a mobile-friendly format that’s easy to navigate and read, even on small screens
  • using clear, straightforward language that avoids legal or technical jargon
  • letting users know whom to reach out to with privacy questions or concerns and including that person’s title and an email or mailing address

What is the difference between CalOPPA and the CCPA/CPRA?

CalOPPA, the CCPA, and the CPRA are all privacy laws designed to protect the information of California residents, but they differ in scope, requirements, and focus. While CalOPPA emphasizes transparency through privacy policies, the CCPA and CPRA grant broader consumer rights and place stricter obligations on businesses.

Comparison of CalOPPA and the CCPA/CPRA

Scope
  CalOPPA: Websites, apps, and online services that collect PII of California residents for commercial purposes.
  CCPA/CPRA: For-profit businesses that meet any of the following thresholds: annual gross revenue of USD 25M or more; process the personal information of 100,000 or more consumers or households; or earn more than 50% of annual revenue from selling or sharing personal information.

Focus
  CalOPPA: Transparency through privacy policy requirements.
  CCPA/CPRA: Consumer rights and data protection, including access, deletion, correction, and opt-out rights.

Privacy policy requirements
  CalOPPA: Must include the types of PII collected, third-party sharing, the review process, “Do Not Track” disclosures, website tracking, how updates will be communicated, and the effective date. Must also be conspicuously posted so that it is easy for users to find.
  CCPA/CPRA: Must include the categories of personal data collected, the purposes for collection, consumer rights and how to exercise them, data retention periods, and opt-out mechanisms, among other information.

Enforcement
  CalOPPA: Enforced through California’s Unfair Competition Law (UCL). 30-day cure period. Legal action can be brought by the California Attorney General, District Attorneys, County Counsel, or City Attorneys.
  CCPA/CPRA: Typically enforced by the California Attorney General and the California Privacy Protection Agency (CPPA). No right to a cure period. Fines of up to USD 2,500 per unintentional violation and USD 7,500 per intentional violation or violation involving minors.

Applicability to small businesses
  CalOPPA: Applies to businesses with online activities, regardless of size, as long as PII is collected.
  CCPA/CPRA: Applies only to businesses meeting specific thresholds. Small businesses are generally exempt unless they meet criteria such as revenue from data sales or processing volume.

Sensitive information
  CalOPPA: No specific requirements.
  CCPA/CPRA: Introduces protections for sensitive personal information, including health, biometric, and geolocation data (CPRA).

Achieve CalOPPA compliance with Usercentrics

Usercentrics Web CMP, Usercentrics App CMP, and Usercentrics Cookiebot CMP all support CalOPPA compliance, as well as CCPA/CPRA requirements. Our privacy policy generator will help you create a policy that aligns with your business’s specific privacy practices while meeting CalOPPA’s requirements. You can also use the cookie banner to share a clear, conspicuous link to your privacy policy, so that users can find it easily.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.