Does Your Privacy Policy Comply with CalOPPA?

Does Your Privacy Policy Comply with CalOPPA?

One of the strictest set of consumer privacy guidelines in the world was enacted in 2003 by the state of California. The California Online Privacy Protection Act, or CalOPPA, was the first law in the United States to establish far-reaching consumer data handling laws for online businesses.

It includes legal requirements for the safe handling and protection of private consumer data. It also provides special considerations for minors and for user controls.

CalOPPA applies to all ecommerce stores, blog sites and websites that collect and manage information from California residents, including sites that are not located in California.

If you own or operate a commercial website that collects or uses personal information from residents of California, you must have a Privacy Policy conspicuously posted on your site that meets all requirements of CalOPPA.

This article takes an in-depth look at CalOPPA and its implications for your site or mobile app.


What is a Privacy Policy?

What is a Privacy Policy?

A Privacy Policy discloses all of the various types of personally identifiable information you collect, store, use, share, sell and disseminate. It also clearly communicates how you use the information you collect and how you keep it safe.

A Privacy Policy lets your audience know about how you collect personal information. This collection can happen directly from the user, such as when someone fills out a form on your website. It can also happen indirectly, such as through website cookies and other electronic means. Both collection methods need to be disclosed in your Policy.

It's important to determine the complete list of the types of information you currently collect, or may collect in the future, and thoroughly itemize it in your company's Privacy Policy. Personal information can include a number of criteria such as names, addresses, email addresses, government ID's, etc.

Following is a partial list of personally identifiable data:

  • Education history
  • Healthcare information
  • Licenses and certifications
  • Government identification
  • Family history or genetic information
  • Mother's maiden name or next of kin
  • Bank, credit or other financial account information
  • Biometric identification
  • Criminal history
  • Web cookies
  • Social platform accounts
  • Chat threads and online content

However, the types of data your Privacy Policy must address is not limited to personally identifiable information.

Non-personally identifiable data that is trackable to a California resident also needs to be addressed by your Privacy Policy.

Information that might be trackable or assignable to personal data includes but may not be limited to:

  • IP addresses
  • Passwords
  • Browser activity
  • Product descriptions viewed
  • Forms submitted
  • Videos watched
  • Security answers
  • Shopping cart data
  • User preferences
  • Location data

You might be collecting both personally identifiable information as well as trackable non-personally identifiable data. Both types of personal data are subject to CalOPPA.

Understanding CalOPPA

Understanding CalOPPA

CalOPPA imposes strict rules for a range of website data collection and management protocols and provides important rights and protections to California consumers.

It requires websites to protect personally identifiable information collected from website visitors and to post an easy-to-find and easy-to-understand Privacy Policy on the website.

In addition to specific rules for protecting the private information of Californians, CalOPPA also imposes specific rules for how to structure a compliant Privacy Policy including organization, required disclosures and even language.

In general, a CalOPPA-compliant Privacy Policy will accomplish the following:

  1. It will be on the website in a conspicuous location. The law places the burden for easy access to your Privacy Policy on you, and not on your website visitors to find it.

  2. It will be simply worded so that your typical website visitor will be able to understand it. Complex jargon and legaleze are discouraged.

  3. It will be organized simply and in such a way that your typical website visitor can easily find the information he needs. The state recommends using specific headers throughout a Privacy Policy in order to help users find and understand each clause on its own.

  4. It should include a sub-section or clause that states your Do Not Track (DNT) policy. Whether your website does or does not respect DNT settings of your users is up to you, but the law requires you to disclose what you do.

Do Not Track (DNT) Provisions of CalOPPA

Do Not Track (DNT) Provisions of CalOPPA

A 2013 amendment to CalOPPA introduced a new mandate for websites to disclose their procedures for handling Do Not Track (DNT) settings.

DNT refers to digital tracking of how a website visitor navigates across a site and to/from other sites. For example, If a user clicks a link on your website which takes them elsewhere in your site or externally to another site such as an advertisement or external link and your website records those activities, this is tracking.

Tracking website browsing patterns is useful for improving a user's overall experience on your site and on the web in general. It allows advertisers to target consumers with relevant ads, even reminding them of items they previously saw or similar items available from a competitor.

However, some users do not want websites to track their browsing history and have pressured browsing platforms for better user controls. In response to this pressure, Microsoft, Google, Mozilla and others introduced user controls allowing consumers to set DNT to "on" or "off."

The 2013 amendments to CalOPPA were created because it's assumed that the average consumer does not understand tracking or its implications on their privacy. It's also assumed that the average user is not aware of DNT browser settings.

To address this lack of understanding about DNT, CalOPPA requires websites doing business with Californians to disclose their DNT policies, specifically identifying whether the website does or does not acknowledge DNT settings.

CalOPPA does not require websites to respect user DNT settings. It only requires websites to disclose whether or not they do respect those settings.

CA Attorney General Recommendations for CalOPPA Compliance

The California Attorney General issued a handbook with recommended best practices for complying with CalOPPA. The handbook has a "Highlights of Recommendations" section that provides a useful summary of the document.

California Attorney General: Highlights of recommendations to comply with CalOPPA

Let's take a look at a few of these recommendations in further detail.

Your Privacy Policy Must be Easy to Read

CA Attorney General’s Making Your Privacy Practices Public: Readability

The key to readability is plain and simple language the "average" website visitor can understand. The state's Attorney General recommends using plain language, short sentences and to consider posting your Privacy Policy in multiple languages.

Other recommendations include using titles and headers to organize your Privacy Policy neatly, and to use graphics and icons to support text.

Here's a simple but clear example from Apple's California Privacy Policy, with plain language and a bold header:

Apple's CA Privacy Disclosure: Notice for Minors clause

Target's approach is a little different, combining the legally required notice to minors within a general notice to Californians, while still using a bold header to introduce the clause:

Target Privacy Policy: California Residents clause

Both are adequate, though Apple's approach is better. Because CalOPPA specifically mandates ease of finding applicable notices, Apple's approach to creating a specific clause for minors is the recommended approach.

Your Privacy Policy Must be Easy to Find

CalOPPA requires you to post your Privacy Policy in a conspicuous location on your website. The responsibility for ensuring your typical website visitor can locate your Privacy Policy is on you. Your visitors should not have to go looking for it.

The most common location for your Privacy Policy is in your website footer.

Target posts its Privacy Policy in its website footer. While the Privacy Policy contains a sub-section dedicated to California Privacy, Target also links directly to the California clause in its footer.

This makes it easy for users in California to locate the information they need:

Target website footer-links

Like Target and many others, Gap provides a link to its Privacy Policy and its California Privacy Policy in its website footer:

Gap: Highlighted link to the Your California Privacy Rights page in the footer

How Does Your Site Share Personal Data with Third Parties

Virtually every website interacts with third parties. From the platform hosting your website to analytical tools, advertisers, payments processors and communication tools, it is a near certainty that your site is sharing personal customer information with third parties.

The types of information third parties might be collecting through your site, how you transfer the information to those third parties and how the information is used must be disclosed in your Privacy Policy.

The California Attorney General recommends the following:

CA Attorney General's Making Your Privacy Practices Public: Data Use and Sharing

Additionally, many third parties will have their own Terms requiring you to make certain privacy disclosures in order to ensure that they, too, are protected.

Email marketing giant Constant Contact is a good example of this.

In order to use their email marketing software, you must first agree to their Terms of Use, which includes a sub-section specifically addressing third parties:

Constant Contact Terms of Use: Third Party Websites and Services clause

Other third parties, such as Google Analytics, payments processors and advertisers require similar terms.

This means that all instances of third party information sharing on your site must be disclosed in your Privacy Policy.

This is necessary to comply with CalOPPA and the requirements of third-party vendors equally interested in limiting legal liability.

Choices and Rights of Individuals

CalOPPA requires that you give users rights and choices when it comes to:

  • Collecting their personal information, and
  • Giving them access to the information you've collected from them.

Here's an example of how you can accomplish this with two short clauses that each link to more detailed information:

Constant Contact Privacy Statement: Choice and Opt-out and Access to personal and Storage of Information clauses

Of course you could always make these clauses more detailed if you don't have a link to further information. As long as you make the information accessible and easy to find, you'll be doing well.

Contact Information

Your Privacy Policy needs to include contact information for whom a user can contact if he has questions or concerns about his privacy and your privacy practices.

Here's an example from TransLink's Privacy Statement:

Translink Privacy Policy: Contact Us clause

This can be a dedicated privacy manager or a general contact at your business. Just make sure you're active with responding to concerned users.

Creating your CalOPPA-compliant Privacy Policy

Creating your CalOPPA-compliant Privacy Policy

The first step in creating a compliant CalOPPA Privacy Policy is to identify the following:

  • Personal data your site is collecting from California residents
  • Personal data your site is sharing with third parties
  • How the data is being collected
  • How the data is being shared
  • How your website handles DNT settings
  • Whether your website attracts minors
  • How your website gives users access to their personal data upon request (and that you perform this mandatory service at no charge)
  • How your website transfers personal data to other websites if requested by the individual who owns the data
  • How you delete personal data when requested by the individual

Next, ensure your Privacy Policy addresses each of the following topics, as recommended by the state of California:

  1. Scope of Policy - Spell out what your policy covers
  2. Data Collection - Identify all types of data your site collects now or might collect in the future
  3. Do Not Track - Identify whether your site does or does not acknowledge user DNT settings
  4. Data Use and Sharing - Identify all third parties which share your user data
  5. Individual Choice and Access - Provide instructions for opting out of sharing data with your site, as well as for requesting a copy or transfer of data
  6. Security Safeguards - Identify your efforts to protect data and prevent data breaches
  7. Effective Date - Identify the date of your policy and date(s) of updates to the policy
  8. Accountability - Clearly state how your website visitors can contact you for information about their data.

Next, be sure to use language throughout your policy that is easily understood by your typical website customer. If your website attracts minors, give special consideration to them.

Finally, be sure to post your Privacy Policy in a conspicuous location on your website such as in the website footer to ensure ease of access. Providing additional access with a search bar or as a link inside your Terms of Use helps further ensure compliance.

California Attorney General Availability Recommendations summary

By following these guidelines, you can rest assured that you will be in compliance with CalOPPA and virtually every other state and federal privacy mandate in the United States. You'll also have a good start on complying with privacy laws around the world such as the GDPR that protects your users who are located in the EU.

PrivacyPolicies.com: Privacy Policy Generator - How to Create your Privacy Policy

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.
  3. PrivacyPolicies.com: Privacy Policy Generator - Select platforms - Step 1

  4. Add information about your business: your website and/or app.
  5. PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  6. Select the country:
  7. PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  8. Answer the questions from our wizard relating to what type of information you collect from your users.
  9. PrivacyPolicies.com: Privacy Policy Generator - Answer questions from our wizard - Step 3

  10. Enter your email address where you'd like your Privacy Policy sent and click "Generate".

    PrivacyPolicies.com: Privacy Policy Generator - Enter your email address - Step 4

    And you're done! Now you can copy or link to your hosted Privacy Policy.


Last updated on 12 March 2020

Article categories