CalOPPA: California Online Privacy Protection Act
Several laws in the US and abroad apply to websites, blogs, SaaS platforms and mobile apps.
Let's take a look at some of the laws that may affect your site(s).
Federal laws include:
- The Americans With Disabilities Act
- The Cable Communications Policy Act of 1984
- The Children's Internet Protection Act of 2001 (updated in 2013)
- The Computer Fraud and Abuse Act of 1986
- The Computer Security Act of 1997
- The Consumer Credit Reporting Control Act
- The Children's Online Privacy Protection Act of 1998 (COPPA)
Several laws at the state level also exist, including the California Online Privacy Protection Act (CalOPPA).
- 1. What is CalOPPA?
- 3.1. 1. It's legally mandated
- 3.2. 2. Third-party services require it
- 3.3. 3. Users care about their privacy
- 3.4. 4. Privacy policies are expected
- 6. My Business is Not Located in California
- 7.1. Clickwrap
- 8. Penalties for Non-compliance with CalOPPA
- 9. Important
What is CalOPPA?
The California Online Privacy Protection Act, more commonly referred to as CalOPPA, was drafted to protect the privacy rights and personal data of California residents.
It aims to safeguards "personally identifiable information" and is currently considered to be the broadest privacy law in the US.
Although a California law, virtually all websites collecting personal data online must comply with CalOPPA because of the probability that the site(s) could be used by a resident of California.
CalOPPA defines "personally identifiable information" as:
- First and last names
- Physical addresses
- Email addresses
- Telephone numbers
- Social Security numbers
- Any other contact information, both physical or online
- Details of physical appearance (height, weight, hair color)
- Any other information stored online that may identify an individual
1. It's legally mandated
Most countries in the world have some form of privacy law that mandates Privacy Policies for websites or apps that collect personal information from their users.
The laws protect residents in their jurisdictions, meaning that where your business is located is not as important as where your site visitors live. If your site attracts California residents, then you must comply with CalOPPA regardless of whether you yourself are in California or not.
2. Third-party services require it
In order for those third-party services to perform their functions, they need to collect data from your users. Among other things, third parties may be collecting IP addresses, user location information, user preferences, browsing activity, social platform information, profile images and other personal data.
Facebook's Platform Policy states that you must:
Apple's Developer Policy App Store Review Guidelines is another example:
3. Users care about their privacy
With increasing consumer concern about the potential for identity theft or misuse of private information, more laws are being written to address those concerns.
4. Privacy policies are expected
To educate site users, instill confidence and take the safest approach with applicable laws.
- Your information collecting activities - What data you're collecting, how you're using it, why you need it and how you protect it
- The countries in which your users are located
- The privacy laws with which you must be compliant
- Your data management policies - data storage, processing, sharing, etc.
- Your identity and contact details
- Exactly what personal data you collect and manage through your website or app
- The purpose for which this data is collected and processed
- How the data is processed
- How you share personal user information with third parties
- A list of privacy laws with which you are compliant
- An explanation of user rights - How they can opt-out of data collection, request changes to their data, request transfers or ask for their data to be deleted
1. Details of exactly what types of personal data are collected through the website or app
It breaks down sections into easy-to-read and well-organized summaries for readers. The more readable your clauses are, the more legally compliant they'll be and the happier your users will be.
2. Any affiliates with whom you share personal data
This could be other companies or partners working with your organization.
3. A clear explanation of how users can request changes to their personal data on record
User may want to edit their profile information, such as last name, address, email address, phone number, etc. They also might find an error in a record, such as a health record.
You are required to allow users to make changes to their data, and to make it simple for them to do so.
Here's an example of how to construct a clause that discloses this:
If you have a user interface where users can log in and adjust their own personal information, note this here.
See how CNN does this:
5. The date of the last update
6. How you handle "Do Not Track" (DNT) requests
A Do Not Track request is a setting any user can trigger from their device. The purpose is to allow consumers to limit or prevent the collection of their personal data.
Interestingly, there is no law requiring websites to respect a DNT setting. In fact, it is generally recommended that websites should not respect DNT settings due to software complexities and resulting challenges in enforcing a DNT request.
However, CalOPPA does require you to acknowledge whether you do or do not respect DNT settings.
To meet this requirement, you simply need to state that your website does or does not respond to "Do Not Track" requests. Here's a simple way of how to do this. The clause doesn't need to be long. Just a single statement will work:
7. Details of third parties who collect personal data through the website or app
As discussed above, the probability that your site is using third party services is very high. Examples include services such as Google Analytics to track your user stats, or AdSense for advertising revenue. There are many, many others.
You should thoroughly assess your third party providers in order to identify them, understand how you share data with them, how they use it and how your users can opt-out entirely.
Here's an example of how this can be done:
My Business is Not Located in California
Regardless of whether your business is located in California, you very likely attract site visitors from California.
CalOPPA is designed to protect the personal information belonging to residents of the state of California. Therefore, if your site attracts Californians, you need to comply with CalOPPA requirements.
- Be clearly visible and easily accessible for visitors to your website or users of your app, and
- Contain the word 'privacy'
You should always get agreement to your Policy using the clickwrap method.
Clickwrap requires an action from users to register their informed consent to your policies. Typically, a user would be required to click to accept terms before using a site, or check a box to acknowledge having read, understood and agreed to a policy.
Here is an example from Sky:
In this example, users must check a box to confirm they have read and agree to Sky's terms and conditions.
For apps, clickwrap is usually applied in the form of an "I agree" button presented at sign-up and is accompanied by a link to the agreement.
Here's an example of the HSBC's banking app sign-up screen:
Clickwrap represents a much stronger and legally enforceable method for getting consent to collect personal information from your website visitors or app users. Therefore, it's highly recommended while browsewrap is not.
Penalties for Non-compliance with CalOPPA
Compliance with CalOPPA is important for protecting your customer relationships and limiting your potential legal liability.
- Adheres to the requirements of CalOPPA, including a DNT clause and other information
- Is clearly visible and easily accessible for visitors to your website or users of your app
- Is accessible by a hyperlink containing the word "privacy"
- Is presented with the clickwrap method