# [CalOPPA: Understanding the California Online Privacy Protection Act](https://usercentrics.com/knowledge-hub/california-online-privacy-protection-act-caloppa/)


If your website collects personally identifiable information from California residents, you may be subject to the California Online Privacy Protection Act (CalOPPA). We break down who must comply, what the law requires, and how to create a privacy policy that aligns with CalOPPA's standards.

The [California Online Privacy Protection Act (CalOPPA)](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=8.&chapter=22.&lawCode=BPC) is a privacy law that sets requirements related to privacy policies for certain entities that collect personal information from California residents.

Passed in 2003 and effective as of July 1, 2004, CalOPPA predates both the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), California's more expansive privacy laws that give consumers more control over their personal data and place additional obligations on businesses.

Notably, CalOPPA was the first US law to require privacy policies on websites. In 2013, it was amended to address online tracking, which involves collecting personal information from consumers as they navigate different websites or services.

In this article, we'll go over CalOPPA's requirements, who it applies to, and how to stay compliant.

---

## What is the purpose of CalOPPA?

CalOPPA aims to increase transparency in how websites and online services handle [personally identifiable information (PII)](https://usercentrics.com/knowledge-hub/personally-identifiable-information-vs-personal-data/) collected from California residents. It sets requirements for what must be included in a [privacy policy](https://usercentrics.com/knowledge-hub/what-is-a-privacy-policy-and-why-do-you-need-one/) and how that policy should be displayed to consumers. Under the law, a "consumer" is defined as "*any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes.*"

"Personally identifiable information" refers to information that can be used to identify a specific person, particularly when it is collected online and maintained in an accessible form. Examples of PII include:

- first and last name
- home address or any other physical address (including a street name and city)
- email address
- phone number
- Social Security number
- any other information that allows someone to contact a specific individual, whether in person or online
- details about users that a website or online service collects and maintains, when combined with one of the identifiers listed above

---

## Who must comply with CalOPPA?

CalOPPA applies to any person or entity that:

- operates a website, mobile app, or online service for commercial purposes

and

- collects and maintains PII from California residents

Entities that meet these criteria are referred to as "operators" under the regulation.

However, third parties that simply operate, host, or manage a website or online service on behalf of the owner are not held responsible for CalOPPA compliance.

Like many other data privacy laws globally, CalOPPA has extraterritorial reach. It applies to operators located anywhere in the world if they collect PII from California residents.

---

## CalOPPA requirements for a privacy policy

CalOPPA details what must be included in a privacy policy and how consumers must be able to access it.

### CalOPPA privacy policy content requirements

Operators must include the following information in their privacy policies.

- **Information collected**: The policy should list the types of PII collected from users and identify any third parties with whom they may share this information.
- **Review process**: If there is a process for consumers to review and request changes to their PII, the policy must explain how this process works.
- **Notification of changes**: The policy should describe how the operator will inform users about significant changes to said policy.
- **Effective date**: The operator must state when the privacy policy goes into effect. While not required by CalOPPA, it is advisable to also publish the date the policy was last updated.
- **Response to "Do Not Track" signals**: The policy should explain how the operator handles "Do Not Track" browser signals if it collects data about users' online activities over time and across different websites. If the operator does collect this type of data, they can meet this requirement by including a link in the privacy policy to a page that explains how they handle those requests.
- **Third-party data collection**: The policy should clarify whether third parties can collect PII about users' online activities while using the operator's website or online service.

### CalOPPA privacy policy accessibility and display requirements

Operators must conspicuously post their privacy policy so that it is easy for visitors to find. Here are acceptable ways to do so under CalOPPA.

#### Post it directly on a key page

The privacy policy may be displayed on the homepage or the first significant page users see when they visit a website.

#### Use an icon

Operators can use an icon that links to the privacy policy if it:

- includes the word "privacy"
- is located on the homepage or the first important page the user sees when they visit the website
- stands out by using a color that contrasts against the website's background

#### Use a text link

CalOPPA permits a clickable text link to a privacy policy if it appears on the homepage or first significant page and:

- includes the word "privacy"
- is written in capital letters, in text of the same or greater size than the surrounding text
- uses a different color, font, or style to stand out, or is set apart by symbols or other markers

This is one of the most common ways that privacy policies are published. Links are often placed in the website's footer so that the policy is accessible and visible from every page.

#### Use another obvious link

Any other link that is clearly visible and would catch a reasonable person's attention can also count as conspicuous.

#### Other methods for online services

For online services that don't have a traditional website, the privacy policy must still be reasonably accessible to users. Mobile apps, for example, may link the privacy policy directly from somewhere in the app that is easy to find, such as the app's settings.

---

## CalOPPA enforcement and penalties

CalOPPA does not have its own enforcement provisions. Instead, it is enforced under California's [Unfair Competition Law (UCL)](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=7.&chapter=5.&part=2.&lawCode=BPC). This means that violations of CalOPPA can be treated as acts of unfair competition, which allows the California Attorney General (AG), District Attorneys, County Counsel, or City Attorneys to bring legal actions against businesses that fail to comply.

If an entity is found to be in violation of CalOPPA, it will receive a notification of noncompliance from the Attorney General's office. Notified businesses have a 30-day cure period to correct the identified issues. If a business fails to rectify the issues within the 30 days, it may face legal action and penalties.

The UCL allows for civil penalties of up to USD 2,500 for each violation.

---

## Steps for CalOPPA compliance

Businesses that must comply with CalOPPA can take certain steps to meet requirements.

- Add a clear link on the website's homepage that includes the word "privacy." For mobile apps, add a link to the policy from somewhere users can easily access, like the settings or on a menu.
- State the date on which the privacy policy took effect.
- List the types of PII collected and any third parties with whom it may be shared.
- Inform users if the business collects data about their online activity across different websites and how it responds to "Do Not Track" browser settings.
- Inform users if third parties can collect PII about them while they're using the business's website or app.
- Describe how the business will notify users about significant changes to the privacy policy.
- If users can review or request changes to their PII, explain how they can do so.

[The AG's office published recommendations](https://usercentrics.com/knowledge-hub/personally-identifiable-information-vs-personal-data/) on how businesses can create and publish a meaningful privacy policy. While these recommendations are not legally binding, they represent best practices to help operators be transparent about their privacy practices through their privacy policies.

Some of the privacy policy best practices in the AG's recommendations include:

- explaining whether the privacy policy only covers online data collection and use or if it includes offline data practices as well
- making it easy for users to find information about "Do Not Track" browser signals by using a clear header for the section that includes the words "Do Not Track"
- using a mobile-friendly format that's easy to navigate and read, even on small screens
- using clear, straightforward language that avoids legal or technical jargon
- letting users know whom to reach out to with privacy questions or concerns and including that person's title and an email or mailing address

---

## What is the difference between CalOPPA and CCPA/CPRA?

CalOPPA, the CCPA, and the CPRA are all privacy laws designed to protect the information of California residents, but they differ in scope, requirements, and focus. While CalOPPA emphasizes transparency through privacy policies, the CCPA and CPRA grant broader consumer rights and place stricter obligations on businesses.

| | CalOPPA | CCPA/CPRA |
| --- | --- | --- |
| **Scope** | Websites, apps, and online services collecting PII of California residents for commercial purposes. | For-profit businesses meeting any of the following compliance thresholds: Have an annual gross revenue of USD 25M or more; process personal information from 100,000+ consumers or households; earn more than 50% of their annual revenue from selling or sharing personal information |
| **Focus** | Transparency through privacy policy requirements. | Consumer rights and data protection, including access, deletion, correction, and opt-out rights. |
| **Privacy policy requirements** | Must include types of PII collected, third-party sharing, review process, "Do Not Track" disclosures, website tracking, how updates will be communicated, and effective date. Must also be conspicuously posted so that it's easy for users to find. | Must include categories of personal data collected, purposes for collection, consumer rights and how to exercise them, data retention periods, and opt-out mechanisms, among other information. |
| **Enforcement** | Enforced through California's Unfair Competition Law (UCL), with a 30-day cure period. Legal action can be brought by the California Attorney General, District Attorneys, County Counsel, or City Attorneys. | Typically enforced by the California Attorney General and the California Privacy Protection Agency (CPPA). No right to a cure period. Fines of up to USD 2,500 per unintentional violation and USD 7,500 for intentional violations or those involving minors. |
| **Applicability to small businesses** | Applies to businesses with online activities, regardless of size, as long as PII is collected. | Applies only to businesses meeting specific thresholds. Small businesses are generally exempt unless they meet criteria like revenue from data sales or processing volume. |
| **Sensitive information** | No specific requirements. | Introduces protections for sensitive personal information, including health, biometric, and geolocation data (CPRA). |

---

## Achieve CalOPPA compliance with Usercentrics

Usercentrics Web CMP, Usercentrics App CMP, and Usercentrics Cookiebot CMP all support CalOPPA compliance, as well as CCPA/CPRA requirements. Our [privacy policy generator](https://usercentrics.com/privacy-policy-generator-wordpress/) will help you create a policy that aligns with your business's specific privacy practices while meeting CalOPPA's requirements. You can also use the [cookie banner](https://usercentrics.com/knowledge-hub/cookie-banner/) to share a clear, conspicuous link to your privacy policy, so that users can find it easily.

*Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.*

---

## Frequently asked questions

### Who is required to comply with CalOPPA?

CalOPPA applies to any individual or entity operating a website, mobile app, or online service for commercial purposes that collects and maintains personally identifiable information (PII) from California residents. It applies regardless of whether or not the operator is based in California, as long as California residents' PII is collected.

### What types of information are considered personally identifiable information (PII) under CalOPPA?

PII under CalOPPA includes information that can be used to identify or contact a specific individual. Examples include first and last names, home addresses, email addresses, phone numbers, Social Security numbers, or any other details that, when combined with other data, could uniquely identify someone.

### What must a privacy policy include to comply with CalOPPA?

A CalOPPA-compliant privacy policy must disclose the types of PII collected, any third parties with whom the information is shared, and whether users can review or request changes to their data. It must also explain how users will be notified of changes to the policy, clearly state the effective date of the policy, and address the business's response to "Do Not Track" signals or similar mechanisms.

### How should a business display its privacy policy to meet CalOPPA's requirements?

The privacy policy must be conspicuously posted where users can easily find it. This can be achieved by displaying it on the homepage, using a prominent link or icon labeled "Privacy," or ensuring it is accessible from a mobile app's settings or menu. Links must be clearly visible, stand out from surrounding content, and use text or design elements that draw attention.

### Does CalOPPA apply to businesses outside of California?

Yes, CalOPPA has extraterritorial reach. It applies to businesses outside California, including those in other states or countries, if they collect PII from California residents through websites, mobile apps, or online services used for commercial purposes.

### How does CalOPPA address "Do Not Track" browser signals?

CalOPPA requires businesses to disclose in their privacy policies how they respond to "Do Not Track" signals or other mechanisms that allow users to opt out of tracking across websites. If the business engages in online tracking, it must either honor these signals or clearly explain how tracking is handled, even if the signals are not honored.

### What are the penalties for failing to comply with CalOPPA?

Violations of CalOPPA are enforced under California's Unfair Competition Law (UCL). Businesses found to be noncompliant receive a 30-day notice to fix the issues. If they fail to address the violations within this period, they may face legal action and civil penalties of up to USD 2,500 per violation.

### What is the purpose of CalOPPA?

The purpose of CalOPPA is to promote transparency in how websites, apps, and online services collect, use, and share personal information from California residents. By requiring businesses to disclose their data practices through privacy policies, the law helps users understand how their personal data is handled and make informed choices.

### Why was CalOPPA considered a groundbreaking California internet privacy law?

CalOPPA was the first US law to mandate privacy policies for websites and online services that collect personally identifiable information. It established transparency as a legal standard and highlighted the importance of protecting online consumer data.
