Do you do business in the state of California? If so, you need to keep up with the state's ever-evolving privacy laws.
The Golden State is a national leader in privacy legislation. Not only is it one of the earliest states to enact regulations designed to put the power of data back in the public's hands, but it's one of the few bodies to put teeth in the laws.
- Add information about your business: your website and/or app.
- Select the country:
- Answer the questions from our wizard relating to what type of information you collect from your users.
- 1. CalOPPA, COPPA and the CCPA (CPRA): What's the Difference?
- 5.1. Data Categories
- 5.2. How You Use Data
- 5.3. Data Security Practices
- 5.4. Contact Details
- 5.5. Use of Google Analytics and Amazon Affiliates
- 6. Are You Ready to Meet California Privacy Requirements?
CalOPPA, COPPA and the CCPA (CPRA): What's the Difference?
At present, there are three main digital privacy laws in California that you need to know about.
All of the laws impact businesses with a digital footprint in California, regardless of whether or not you have an office in the state. If you count Californians among your customers or data subjects, then you need to keep up-to-date with these laws.
COPPA (the Children's Online Privacy Protection Act) isn't California law. It's a federal law from 1998 that applies in all 50 states, including California. It protects children under 13 by requiring companies that knowingly collect and use data from children to:
- Publish special Privacy Policies that are "clear and comprehensive"
- Ask for parental consent before collecting information
- Ensure any children's information is secure
The CCPA (California Consumer Privacy Act) went into effect on January 1, 2020, and was amended and expanded by the CPRA. The law is similar to the EU's General Data Protection Regulation (GDPR). It's different from the other two in its provisions.
The goal of the law is to further establish transparency and accountability among businesses (with a focus on big tech). As a result, it:
- Creates new rights for California residents regarding their data
- Extends the fines in relation to children's information
- Provides more transparency among profiling and automated decision-making
Like the GDPR, it aims to give people back the ownership of their data by allowing them to opt-out of sales or sharing. It also offers more control over what data companies collect. Finally, it has extra provisions for security practices to better protect people.
The biggest of these is the Do Not Track (DNT) requirement that came about in 2013.
All the major web browser creators added the feature, even though it was voluntary. However, those same companies didn't advertise the DNT feature, and in 2012, Microsoft made "on" the default setting for its DNT feature, which protected the privacy of its users. Mozilla's Firefox browser, however, keeps the DNT feature off by default.
You're required to do two things:
- Disclose how you respond to a browser's DNT signals, and
- Disclose whether other parties collect information via your site and across other websites when visitors use your site
What does this clause look like?
Target's DNT clause informs visitors of the feature and says that Target doesn't respond to the signals (i.e., they track you anyway). However, you can opt-out of it's advertising.
Like Target, Twitter doesn't support DNT browser options.
Like the others, it does not follow DNT signals. However, its statement is the most transparent and direct.
One example of a site that does follow DNT signals is Healthcare.gov, which is a site run by the U.S. Centers for Medicare and Medicaid Services and manages the Affordable Care Act.
Remember that CalOPPA doesn't require you to respect DNT settings. It only requires you to tell users whether you do or do not interpret them. You should also, for transparency's sake, describe what other choices users have when protecting their privacy, as several of these examples do.
You'll often see some of these choices and rights under a section or clause titled "Your California Privacy Rights."
This section, page or clause must state that:
- California consumers have rights when it comes to third party sharing
- California residents can contact the business to ask questions about direct marketing
It also must include a way for users to contact the business to ask questions about their data and privacy.
Whole Foods includes this clause and provides both email addresses and postal addresses for users to contact the business:
Upwork, on the other hand, describes the law, cites the statute and tells people how they can contact the company:
The focus of COPPA is on protecting children who are below the age of 13 and on empowering parents to understand how sites collect and use their child's data.
If you run a general website and you don't directly market to children or operate in a way that the FTC deems as 'attractive to children,' then all you need is a clause that says you acknowledge COPPA and you comply with it.
The most helpful way to do this is to give it a distinct clause, name the legislation, and state that you have a general audience and don't knowingly collect data from children under 13.
For example, Walmart added a clause that ticks all of the above and provides a function for contacting the company if you discover it's collecting your child's data:
Because Walmart is a general audience website, this serves as a fine COPPA notification, so long as it uses other features that prevent it from purposely collecting the data of young children.
However, if you run a site or app whose audience is very likely to be children (e.g., you run kids games, advertise with cartoon characters, etc.), then you need a much more stringent disclosure.
DisneyNow.com does this well by first segmenting its audience between Disney programs for all ages and Disney Junior for younger kids.
Doing so allows the site to automatically switch on the correct data functions and not collect any data from any users that click the 'for younger kids' option.
It includes three clauses that are all required for businesses that fall under the scope of COPPA:
- What information you collect
- Whether your share children's information
- How parents can exercise choice and control
In this clause, Disney acknowledges that parents can choose to stop the collection of their children's data and request the right to delete it. It also provides the steps available to parents to make these requests, including how to do it through their account or how to ask Disney to do so on their behalf.
For example, you need to not only say you collect data, but you now need to identify the categories of data you collected and processed over the past 12 months.
There are a few new provisions:
- An explanation of the new consumer rights provided by the CCPA (CPRA) (including the right not to be discriminated against)
- An explanation of how consumers can exercise their rights
- An explanation of information sold in the past 12 months
- An explanation of the rights of children aged 13-16
- A Do Not Sell My Personal Information clause (to explain the required standalone web page)
After describing the data it collects in granular detail, it details any disclosures and sales in the previous 12 months:
Then, it jumps into a full explanation of all available rights:
The rights covered include:
- Right to access and data portability
- Deletion request rights
- Personal information sales and opt-out information
- How to exert these rights
Finally, the document explains that PetSuites of America won't discriminate against residents who exercise their rights:
These clauses can get rather long and detailed as you take time to briefly explain the rights, what they entail and how they can be asserted by the user.
All of the major California privacy laws require some of the same clauses. These include:
- The categories of data you collect
- How you use that data
- How you secure the data
- How users can contact you with privacy questions
- Whether you use Google Analytics or Amazon Affiliates (or other similar services)
These are generally required across all Privacy Policies, but some require a California twist like completeness and regular updates.
You can conduct a privacy law self-audit to put together the information you need to create these clauses and inform your users of your practices.
At the top, Gap says it collects information like contact details and payment information. The team then added a drop down menu that provides clear examples of what it collects:
How You Use Data
You also need to provide information on how you use the data you collect.
Like the GDPR, new California legislation focuses on data minimization. If you don't have a use for the data, then you shouldn't have it. However, you don't need to provide a legal basis to comply with California law as you do with European law.
Peet's Coffee, a California-based chain, provides an example of all the ways it uses data to justify its data collection practices:
Data Security Practices
Sharing your data security practices is always a good idea, but because the CCPA (CPRA) mentions security breaches for the first time, it's a good clause to start to include if you haven't already.
You don't have to give the game away. However, it's helpful to make two points:
- Inform customers that you take appropriate steps to protect their data, and
- Tell customers how to help keep their own data safe
Converse does both of these in its security clause:
Nike also keeps it short and sweet. It only says that the company uses encryption:
You should have a way for customers to reach you if they have concerns about their privacy or questions about your privacy practices. This applies to both California residents and to customers in general regardless of where they're located. Including contact details allows them to ask questions, but it also gives them a place to go if they suspect a data breach has ocurred.
Consider putting the contact clause at the beginning or end of your policy so it's easy to find and doesn't get lost in a wall of text.
Use of Google Analytics and Amazon Affiliates
If you use programs like Google Analytics or Amazon Affiliates, then you may need to add clauses that state your participation. Why? Because Google Analytics and others stipulate it as part of the Terms and Conditions of using such services.
Make sure you keep up-to-date with these programs and any changes to their T&Cs that require you to disclose specific information.
Are You Ready to Meet California Privacy Requirements?
California is a key leader in U.S. privacy laws. Each new law attempts to put control of your data back in your hands by forcing businesses to be honest about how they use it. The latest law, the CCPA (CPRA), gives California residents new rights designed to allow them to protect their data. It also makes it easier for Californians to seek legal remedies when businesses fail to protect their data.
If you have users or customers who reside in California, you'll need to become familiar with these privacy laws, regardless of where your business itself is located.
- Post the document somewhere customers will find it very easily (such as in the footer of your site) (CalOPPA)
- Write the policy in language that's easy to understand (think 8th to 10th grade reading level) (CalOPPA)
- Add "Privacy" into the name of the document and on the link to the document (CalOPPA)
- Get suitable parental consent before collecting data from children in California (COPPA)