What is CalOPPA and Why You Should Care

Individual consumers using online websites and mobile apps are increasingly more concerned about their privacy. Personal information like their names and address can be weak points leading to identity theft and fraud.

As such, commercial websites and app developers have the responsibility to help consumers protect their privacy. This is the basis of CalOPPA, or the California Online Protection Act.

CalOPPA is a state law designed to protect the privacy rights and personal information of residents in the state of California. All websites with California users have to comply with this law.

What is CalOPPA?

Privacy has been a rising concern ever since computers and the Internet took the world by storm. Federal laws have been created to protect online consumers, from the Cable Communications Policy Act of 1984, and the Computer Security Act of 1997.

There are also federal laws that protect special groups, such as the Americans with Disabilities Act, and the Children's Online Privacy Protection Act. However, there is no federal law specifically covering data privacy.

The closest and broadest privacy act in the country is the CalOPPA, which is a state law. The California Online Privacy Protection Act became effective 1 July 2004, and it increased the protection of privacy rights and personal data of California residents.

Under this law, commercial websites that collect data from California residents have to conspicuously or clearly link to a privacy policy on their website.

CalOPPA is a pioneering state law that focuses on safeguarding "personally identifiable data." This data can include basic information such as the name and birthday of your consumers.

Browsing habits, purchase history, profile images, product preferences, and similar information can also be collected and should be declared under the privacy policy.

For the purposes of the law, personally identifiable data include:

  • First and last name
  • Birthdays
  • Physical addresses
  • Contact information, including email address, telephone, and mobile numbers
  • Social security numbers
  • Physical appearance identifiers, such as height, weight, and hair color
  • Any other data that may identify an individual

In effect, all websites collecting personal data online, whether they are based in California or even outside the United States, have to comply with CalOPPA because they will likely be used by a resident of California.

Why is the privacy policy needed?

CalOPPA requires websites and apps collecting data from users to link to a privacy policy on their website. A privacy policy is a type of legal agreement which informs visitors of a website or app regarding your collection, processing, storage, and protection of their personal data.

A sufficient privacy policy needs to identify the types of personal information that are collected, how the data is used, how it is kept secure, and who can access the data. For example, websites collecting information about their visitors' purchasing habits need to declare that practice.

Privacy policies are required almost universally. Most countries in the world already have some form of privacy law to protect the residents in their jurisdictions.

As such, it doesn't matter where your business is located or where your website was launched. As long as your users are protected by privacy law from their own country, you need to have a privacy policy.

Aside from complying with local and international legal requirements, a privacy policy is also necessary to build consumer trust.

With more visitors worrying over the misuse of private information and identity theft, you need to demonstrate that you value their privacy. A privacy policy also helps educate consumers about their own privacy rights.

In this day and age, even without the CalOPPA, having a privacy policy is simply the expected practice for trustworthy companies. It is a legal and social standard that needs to be met. Otherwise, you'll be putting your business at serious risk of losing consumer trust and of civil litigation.

How does CalOPPA work?


CalOPPA outlines the minimum requirements to help protect the personal data of California residents. It is an essential framework for any business seeking to serve users from California.

First, websites and app developers collecting data need to have a clearly posted and easily understood privacy policy on their site.

It should be conspicuous, easily accessible, and written in plain English, and easy to understand the text. It should also contain the word "Privacy" outright. This is the main requirement that needs to be complied with.

Second, the privacy policy should contain comprehensive yet concise information for the benefit of the site users. While the requirements of CalOPPA and other privacy laws may seem overwhelming at first, putting up a privacy policy is not that difficult given the right tools.

As long as you present the following information on your privacy policy page, then you will be compliant with CalOPPA:

  • Type of information collected, e.g., names and email addresses through a sign-up form, browsing activities
  • Purpose of data collection, e.g., to improve advertising, to analyze sales
  • Details on information storage, processing, and protection
  • Affiliates and third-party services that may have access to the data
  • Compliance with laws and policies (you may list which laws or standards you are compliant with)
  • If users can opt-out of data collection, request changes to their data, or request for deletion of data, and other user rights (by law, all websites and apps are required to allow users to make changes to their data, and to make the process simple)
  • Whether or not you respond to DNT (Do Not Track) requests (complying with DNT requests is not a requirement under CalOPPA)
  • Process for updating users of any changes to your privacy policy, e.g. posting a prominent notice on the front page or sending an e-mail to all registered users
  • Date of the last update to the policy

All of these components need to be clearly visible on your privacy policy page, which is typically linked from the footer of your website or through the settings menu. You are not limited by this list, but you need to consider the length of your privacy policy. The flow of information should be optimized for easy reading.

As long as the link is prominently displayed, you can assume that visitors to your website agree to your privacy policy the moment they continue to browse or use your website.

For a stronger and clearer form of compliance, you can ask users to actively click a box stating they have read the privacy policy before they can proceed to the rest of your site or app.

Who needs to comply with CalOPPA?

Whether you are a website developer based in California or an ocean away from the state, you almost certainly need to have a privacy policy compliant with CalOPPA. Not only is a privacy policy required in most countries, but it is also highly likely that some of your visitors are residents of California.

Thus, CalOPPA applies to any company or person whose website collects personally identifiable data from California residents. It doesn't matter where you live. The law's jurisdiction involves individual consumers who are residents of the state of California.

Operators of the website or online service need to comply. This does not only include dot com websites. Developers of apps that cover different platforms also need to comply as long as they collect user data.

This includes Facebook apps and mobile apps. App developers are reminded of the privacy policy requirement in the terms and conditions of app marketplaces.

Aside from the creators of the site or app, third-party services that also use the data also need to comply with CalOPPA.

For example, services such as Google Analytics, AdSense, live chat tools, social login integrations, and blog forums need to be part of the privacy policy. These services commonly collect various data, such as browsing activity and IP addresses.

To comply with CalOPPA, most third-party services require website operators and app developers to have a compliant privacy policy in their terms of service agreement.

What are the penalties for non-compliance?

The California Online Privacy Protection Act of 2004 does not specify any penalties for non-compliance. However, having an insufficient privacy policy can create distrust among your online consumers and put you in hot waters under other federal and foreign privacy laws.

Failing to comply with CalOPPA also puts you at risk of civil litigation. The civil charges against you can be filed under California's Unfair Competition, which prohibits false and misleading advertising.

Under the California Business and Professions Code, you can be charged with a civil offense. The penalty can reach up to $2500 for each violation.

For smart and responsible website operators and app developers, having a privacy policy on their page should be an instinct. It's part of the necessary good business practices in this day and age. Instead of waiting for civil litigation, be preemptive in informing and empowering your online visitors.

Luckily, compliance with CalOPPA is not difficult. Having a strong, clear, and prominently linked privacy policy for California residents and the rest of your consumer base is an essential legal and commercial practice.