One of the strictest set of consumer privacy guidelines in the world was enacted in 2003 by the state of California. The California Online Privacy Protection Act, or CalOPPA, was the first law in the United States to establish far-reaching consumer data handling laws for online businesses.
It includes legal requirements for the safe handling and protection of private consumer data. It also provides special considerations for minors and for user controls.
CalOPPA applies to all ecommerce stores, blog sites and websites that collect and manage information from California residents, including sites that are not located in California.
This article takes an in-depth look at CalOPPA and its implications for your site or mobile app.
- 2. Understanding CalOPPA
- 2.1. Do Not Track (DNT) Provisions of CalOPPA
- 3. CA Attorney General Recommendations for CalOPPA Compliance
- 3.3. How Does Your Site Share Personal Data with Third Parties
- 3.4. Choices and Rights of Individuals
- 3.5. Contact Information
Following is a partial list of personally identifiable data:
- Education history
- Healthcare information
- Licenses and certifications
- Government identification
- Family history or genetic information
- Mother's maiden name or next of kin
- Bank, credit or other financial account information
- Biometric identification
- Criminal history
- Web cookies
- Social platform accounts
- Chat threads and online content
Information that might be trackable or assignable to personal data includes but may not be limited to:
- IP addresses
- Browser activity
- Product descriptions viewed
- Forms submitted
- Videos watched
- Security answers
- Shopping cart data
- User preferences
- Location data
You might be collecting both personally identifiable information as well as trackable non-personally identifiable data. Both types of personal data are subject to CalOPPA.
CalOPPA imposes strict rules for a range of website data collection and management protocols and provides important rights and protections to California consumers.
It will be simply worded so that your typical website visitor will be able to understand it. Complex jargon and legaleze are discouraged.
It should include a sub-section or clause that states your Do Not Track (DNT) policy. Whether your website does or does not respect DNT settings of your users is up to you, but the law requires you to disclose what you do.
Do Not Track (DNT) Provisions of CalOPPA
A 2013 amendment to CalOPPA introduced a new mandate for websites to disclose their procedures for handling Do Not Track (DNT) settings.
DNT refers to digital tracking of how a website visitor navigates across a site and to/from other sites. For example, If a user clicks a link on your website which takes them elsewhere in your site or externally to another site such as an advertisement or external link and your website records those activities, this is tracking.
Tracking website browsing patterns is useful for improving a user's overall experience on your site and on the web in general. It allows advertisers to target consumers with relevant ads, even reminding them of items they previously saw or similar items available from a competitor.
However, some users do not want websites to track their browsing history and have pressured browsing platforms for better user controls. In response to this pressure, Microsoft, Google, Mozilla and others introduced user controls allowing consumers to set DNT to "on" or "off."
The 2013 amendments to CalOPPA were created because it's assumed that the average consumer does not understand tracking or its implications on their privacy. It's also assumed that the average user is not aware of DNT browser settings.
To address this lack of understanding about DNT, CalOPPA requires websites doing business with Californians to disclose their DNT policies, specifically identifying whether the website does or does not acknowledge DNT settings.
CalOPPA does not require websites to respect user DNT settings. It only requires websites to disclose whether or not they do respect those settings.
CA Attorney General Recommendations for CalOPPA Compliance
The California Attorney General issued a handbook with recommended best practices for complying with CalOPPA. The handbook has a "Highlights of Recommendations" section that provides a useful summary of the document.
Let's take a look at a few of these recommendations in further detail.
Target's approach is a little different, combining the legally required notice to minors within a general notice to Californians, while still using a bold header to introduce the clause:
Both are adequate, though Apple's approach is better. Because CalOPPA specifically mandates ease of finding applicable notices, Apple's approach to creating a specific clause for minors is the recommended approach.
This makes it easy for users in California to locate the information they need:
How Does Your Site Share Personal Data with Third Parties
Virtually every website interacts with third parties. From the platform hosting your website to analytical tools, advertisers, payments processors and communication tools, it is a near certainty that your site is sharing personal customer information with third parties.
The California Attorney General recommends the following:
Additionally, many third parties will have their own Terms requiring you to make certain privacy disclosures in order to ensure that they, too, are protected.
Email marketing giant Constant Contact is a good example of this.
Other third parties, such as Google Analytics, payments processors and advertisers require similar terms.
This is necessary to comply with CalOPPA and the requirements of third-party vendors equally interested in limiting legal liability.
Choices and Rights of Individuals
CalOPPA requires that you give users rights and choices when it comes to:
- Collecting their personal information, and
- Giving them access to the information you've collected from them.
Here's an example of how you can accomplish this with two short clauses that each link to more detailed information:
Of course you could always make these clauses more detailed if you don't have a link to further information. As long as you make the information accessible and easy to find, you'll be doing well.
Here's an example from TransLink's Privacy Statement:
This can be a dedicated privacy manager or a general contact at your business. Just make sure you're active with responding to concerned users.
- Personal data your site is collecting from California residents
- Personal data your site is sharing with third parties
- How the data is being collected
- How the data is being shared
- How your website handles DNT settings
- Whether your website attracts minors
- How your website gives users access to their personal data upon request (and that you perform this mandatory service at no charge)
- How your website transfers personal data to other websites if requested by the individual who owns the data
- How you delete personal data when requested by the individual
- Scope of Policy - Spell out what your policy covers
- Data Collection - Identify all types of data your site collects now or might collect in the future
- Do Not Track - Identify whether your site does or does not acknowledge user DNT settings
- Data Use and Sharing - Identify all third parties which share your user data
- Individual Choice and Access - Provide instructions for opting out of sharing data with your site, as well as for requesting a copy or transfer of data
- Security Safeguards - Identify your efforts to protect data and prevent data breaches
- Effective Date - Identify the date of your policy and date(s) of updates to the policy
- Accountability - Clearly state how your website visitors can contact you for information about their data.
Next, be sure to use language throughout your policy that is easily understood by your typical website customer. If your website attracts minors, give special consideration to them.
By following these guidelines, you can rest assured that you will be in compliance with CalOPPA and virtually every other state and federal privacy mandate in the United States. You'll also have a good start on complying with privacy laws around the world such as the GDPR that protects your users who are located in the EU.
- Answer the questions related to your entity type and location.
- Answer the questions relating to what type of information you collect from your users.