CalOPPA: California Online Privacy Protection Act


With online commercial transactions increasing exponentially over the past several years, data privacy has gradually become a focal point in our society. Countries in the European Union (EU) and the United Kingdom (UK) have very strong data privacy laws that aim to protect the personal data of countless users who access the internet. Their data privacy legislation likewise regulates how a person’s data is legally collected and handled.

While the EU and the UK have very stringent data privacy laws, the United States is playing catch-up at the moment. One of the foremost pieces of privacy legislation in the US today is actually not a federal law but a state law: the California Online Privacy Protection Act of 2003, commonly known as the CalOPPA.

What is CalOPPA?

If this is the first time that you have come across the term CalOPPA, it is a law passed in the state of California which took effect on July 1, 2004. The CalOPPA aims to protect the privacy and personal data of residents of California who access the internet. It became the first state law in the US to require commercial websites that collect what is defined as Personally Identifiable Information (PII) to conspicuously post on their website a privacy policy that satisfies specific requirements. PII includes the following:

  1. First and last names
  2. Home or other physical addresses
  3. E-mail addresses
  4. Telephone numbers
  5. Social security numbers
  6. Any other information that permits the physical or online contacting of a person

How Can a Privacy Policy Be Conspicuously Posted Under CalOPPA?

Under CalOPPA, commercial websites and online services are required to post a privacy policy on their websites. The requirement is not as simple as it seems, though, because the law further requires that the privacy policy be conspicuously posted. So, how exactly can a privacy policy be considered conspicuously posted under CalOPPA? Fortunately, the law itself states how it can be done. The CalOPPA provides that a commercial website’s privacy policy shall be considered conspicuously posted if any of the following is done:

  1. The privacy policy is posted on the homepage or the first significant page after accessing the website.
  2. An icon on the website’s homepage hyperlinks to the webpage where the privacy policy is actually posted. The icon needs to contain the word “privacy” and it must be in a color that contrasts with the color of the homepage’s background.
  3. A text link on the website’s homepage takes visitors to the page where the privacy policy is posted. The link must also either:
     • contain the word “privacy”;
     • be written in capital letters or be equal to or greater in size than the surrounding text on the page; or
     • be written in a larger type than the surrounding text, or use a type, font or color that contrasts with the surrounding text, or be clearly distinguishable from surrounding text of the same size by symbols or other means.

What Should a Privacy Policy Contain?

The CalOPPA not only requires commercial websites to post a privacy policy; it likewise provides specific requirements on what the privacy policy must contain. Even if a commercial website has a privacy policy, it will still not be compliant with CalOPPA if the policy does not contain the information that is specifically required by the law. Here are some of the important details that you should include in your website’s privacy policy to be compliant with CalOPPA:

  • The categories of Personally Identifiable Information the website or mobile app collects from its users
  • The reason why the information is being collected
  • The process by which the website or mobile app collects the information
  • The list of third parties with whom the website may share the information
  • The process by which a user can review and update their information collected by the website or mobile app
  • A description of how the website notifies its users of any material changes to its privacy policy
  • A disclosure of whether or not the website honors Do Not Track (DNT) requests
  • The privacy policy’s effective date and the date it was last updated

What are the Consequences for Not Complying with CalOPPA?

While the CalOPPA does not contain any provisions for penalties and their enforcement, non-compliance with its provisions falls under the scope of the State of California’s Unfair Competition Law (UCL). The UCL provides that “unfair competition shall mean and include any unlawful, unfair or fraudulent business act or practice”; violating the CalOPPA therefore falls squarely under the said definition.

As a result, the California Attorney General’s Office may file a suit for “unfair competition” against operators of commercial websites which do not comply with CalOPPA. Such a suit carries a possible civil penalty in an amount not exceeding Two Thousand Five Hundred Dollars ($2,500.00) for every violation. That penalty may not sound like much, but when you consider that a violation occurs each time a user accesses the website without a proper privacy policy, it can add up to quite a huge sum.

Aside from having to deal with a civil suit, an even bigger consequence of failing to comply with CalOPPA is the loss of trust and confidence of consumers in your business. A privacy policy may not seem like much but it can have a significant impact on the success or failure of your business.
