Protecting Your Online Business from CalOPPA Privacy Complaints

The California Online Privacy Protection Act (CalOPPA) is currently the primary consumer data privacy law in the United States. It applies to all owners and operators of commercial websites that collect personally identifiable information from users and customers who are located in the state of California.

In this article, we'll take a look at what CalOPPA is and go over its requirements. We'll also discuss the CalOPPA Complaint Form, how your customers can file a complaint against your business, and on what grounds.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.
  3. Add information about your business: your website and/or app.
  4. Select the country.
  5. Answer the questions from our wizard relating to what type of information you collect from your users.
  6. Enter your email address where you'd like your Privacy Policy sent and click "Generate".

And you're done! Now you can copy or link to your hosted Privacy Policy.

Finally, we'll take a look at how creating a Privacy Policy agreement for your online business can help mitigate the risk of complaints.

What is CalOPPA and What Does It Require?

The California Online Privacy Protection Act (CalOPPA) was enacted in 2003 and requires website and mobile app owners to post and comply with a Privacy Policy. The act applies to businesses collecting any sort of personally identifiable information from their customers residing in California.

Personally identifiable information can include any information that can be used on its own or in combination with other information to identify an individual. This may include a customer's name, email address, street address, phone number, social security number, date of birth, marital status, etc.

CalOPPA Article 22: Definition of Personal Information

CalOPPA details which clauses you need to include in your Privacy Policy, the nature of the information you need to provide, and where you should display your Privacy Policy on your website.

Simply put, if you operate a business that collects personally identifiable information from consumers residing in California, you must make certain disclosures in your Privacy Policy agreement.

More specifically, CalOPPA requires you to provide a distinctive and easily accessible link to your complete Privacy Policy. Usually, this link should be added under a section titled "Your California Privacy Rights" or something similar.

Your Privacy Policy agreement should explain what type of information your website collects from consumers, how the information is shared (or can potentially be shared) with third parties, and how consumers can request to review and make changes to the stored information. It should also state the effective date of the policy and any updates.

Since most web businesses collect personally identifiable information from the residents of California, they are required to be in compliance with CalOPPA even if the business isn't based in California.

In addition to this, CalOPPA requires that the contents of your Privacy Policy agreement address how your business allows customer inquiries and how customers can request to receive, transfer, or delete the personal data you store about them.

Allowing Customer Inquiries

An important requirement of CalOPPA is that you must provide a way for your site's visitors and customers to contact you, and let them know how they can do so.

Most website owners simply include a section in their Privacy Policy agreement that states that their visitors and customers can contact the company with any inquiries, questions, or concerns they may have regarding the Privacy Policy or general business practices.

It's recommended that you post a title and address (email or physical address) of a company official (such as the customer service department) who will respond to customer inquiries. Some websites even offer a telephone number or link to their customer service form to give their customers an additional channel to contact them through.

For example, GitHub's Privacy Policy has a Resolving Complaints clause that states that the company's end users can contact the company if they have any questions or concerns.

Privacy Policy of GitHub: Resolving Complaints clause

Adidas provides another good example of how to do this. Its Privacy Policy includes a contact clause stating that if customers have any questions or comments, they can contact the company by mail or email. It also says customers can contact the customer service department at a different email address for product-related questions. This is useful because it gives customers easy access to personnel who are dedicated to privacy matters.

Adidas Privacy Policy: Contact clause

Request to Receive, Transfer, or Delete Data

According to CalOPPA, if your business maintains a process for allowing customers to review and request changes to their data, then you should detail the procedure for doing so in your Privacy Policy. See this from chapter 22, Internet Privacy Requirements of the California Business and Professions Code (linked above):

California Legislature Rules for allowing users to change personally identifiable information

Most websites do this by including simple instructions in their Privacy Policy that explain how their customers and visitors can review and modify their personally identifiable information. The instructions the website provides depend on how the website collects the customers' personal information.

Some websites (like membership websites) allow users to review and modify their personally identifiable information directly from their user accounts. In these cases, the Privacy Policy often includes a simple instruction for logging into the user account to review or modify data directly.

Microsoft's Privacy Statement lets users know a few different ways that they can access their personal information and adjust the settings that apply to it. It also includes information on how to contact Microsoft if necessary:

Microsoft Privacy Statement: How to Access and Control your Personal Data clause

Forever 21 states that customers can access, correct, update, or delete personally identifiable information, or deactivate their account by emailing the company's customer support department. An email address that customers can use to contact customer support directly is provided:

Privacy Policy of Forever 21: Correcting and updating personal information clause

This is a great tactic when the customer's information is not accessible through a login account or separate web page. Always make sure to provide at least some sort of contact information so that customers can request to review, receive, transfer, modify, or delete their data, as Microsoft and Forever 21 did above.

Forever 21 has a separate section for California-specific rights that allows California residents to request personal information by contacting the company using one of three methods. The available methods include sending a letter to the given address, sending an email to their customer service department, or filling out a customer service form.

What is the CalOPPA Complaint Form?

In 2016, the Office of the Attorney General of the State of California published a CalOPPA Complaint Form on its official website that residents of California can use to file reports of CalOPPA violations online.

The purpose of this complaint form is to enable the Office of the Attorney General to collect information about businesses in violation of CalOPPA and decide whether it needs to take action against the reported business.

According to CalOPPA, a business that (1) fails to post a Privacy Policy or (2) posts an incomplete Privacy Policy and doesn't make the necessary changes to it within 30 days of being notified of its non-compliance is in violation of the law.

The CalOPPA Complaint Form was designed to make it easier for residents of California to report alleged violations of CalOPPA. The potential violations against a business can be divided into five categories:

  1. The Privacy Policy isn't posted on the website, i.e., it's missing or is inapplicable
  2. The Privacy Policy isn't easily accessible
  3. The Privacy Policy is incomplete
  4. The Privacy Policy has been violated
  5. The business or company failed to provide notice of a change in their Privacy Policy

The CalOPPA Complaint Form allows the individual filing a report to select any number of these boxes. It also provides space on the form to specify additional information.

How a Privacy Policy Can Mitigate Risk of Complaints

Having a Privacy Policy that's in compliance with CalOPPA can help your business mitigate the risk of complaints. It also can protect your business in the event of an investigation or litigation. As we mentioned above, the potential violations against a business fall under five different categories.

To mitigate the risk of complaints being filed against your business, you can make sure that:

  1. You have a Privacy Policy posted on your website
  2. Your Privacy Policy is easily accessible
  3. Your Privacy Policy is complete
  4. You do not violate the terms of your Privacy Policy agreement
  5. You provide notice of changes or modifications made to your Privacy Policy

To give you an example of how a complaint process can materialize, let's look at a 2017 case with Uber. In that case, the Federal Trade Commission (FTC) announced through a press release on its website that Uber settled allegations made by the FTC that the company made deceptive privacy and data security claims. According to the press release, Uber failed to monitor access to and provide reasonable security for its customers' data.

2017 online notice of Uber's Privacy deception complaint settlement

If you have a Privacy Center available on your website, make sure you link your Privacy Policy in full there as well.


Having a Privacy Policy agreement published on your website can help you mitigate the risk of customer complaints and protect your online business against litigation. It's important to make sure your Privacy Policy agreement is in compliance with CalOPPA.

You can avoid CalOPPA privacy complaints if you have a complete, accessible Privacy Policy posted on your website, you abide by it, and provide notice of any modifications that you make to it. Provide a way for your users to contact you with questions and concerns, and don't forget to respond to any inquiries you receive from concerned individuals.