CalOPPA vs CCPA: What You Must Know to Comply With Both

Ensuring data security is essential, especially when it comes to dealing with the personal information of clients and customers who frequent your website on a regular basis.

Unfortunately, there are times when lapses in data security have led to the breach of clients’ sensitive personal information. As an online business, you have to make sure that this does not happen; otherwise, you could risk losing the trust of your clients forever, not to mention financial damages.

In the USA, the state of California has established several laws to make sure that its residents’ personal information is protected at all times. It is even more necessary now, given the fact that California’s GDP is one of the biggest in the world, larger than most nations.

Since there’s a lot at stake, online businesses and websites need to make sure that their systems are strong and stable enough to protect the information and assets of Californian residents.

The Establishment of CalOPPA and CCPA


In its bid to strengthen data security in the state, California has established a couple of laws that seek to govern the ways online businesses and websites treat their clients’ personal information.

California created two main laws that website admins and businesses need to comply with, namely, the California Online Privacy Protection Act (CalOPPA, effective 2004) and California Consumer Privacy Act (CCPA, effective 2020).

Together, these two laws seek to address different but complementary aspects of data security for the benefit of Californian residents.

If you own or manage a website or an online business, you should make sure that you are complying with the guidelines set by CalOPPA and CCPA. To give you a quick background, here’s a look at what the California Online Privacy Protection Act and California Consumer Privacy Act are all about.

California Online Privacy Protection Act

The California Online Privacy Protection Act (CalOPPA) covers websites and online businesses that collect or use personally identifiable information from residents of California. One of the top requirements of CalOPPA is the conspicuous placement of the link to the Privacy Policy of a commercial website.

Your privacy policy should also meet the CalOPPA’s requirements. Those include what type of personal information you collect, the reason you need the personal information, and how you operationalize the collection of such information, among others.

Additionally, you should also disclose if you share their information with any third party, as well as how the sharing process is. As a law, CalOPPA has a broader scope compared to CCPA, so you should ensure compliance across the board at all times.

The California Online Privacy Protection Act has been active since 2004. It remains one of the top online privacy regulations in the United States even today.

California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) is a privacy law that took effect at the start of 2020. It seeks to complement the already-existing privacy regulations in California like CalOPPA and Shine the Light law.

Here are some of the essential sections of the CCPA that you should know:

  • It introduces additional rights for consumers that websites and online businesses should comply with and help facilitate.
  • It broadens the definition of “personal information” in its bid to cover as many bases as possible.
  • It strengthens the transparency obligations of companies that deal with the sale of personal information.
  • It presents a new set of fines for websites and online businesses that fail to protect the personal information of their clients.

CCPA has a narrower coverage compared to CalOPPA. Compliance isn’t any easier, but you should be fine as long as you take into mind the critical sections of the law.

While CalOPPA and CCPA do have their differences, they both have the same goal: to protect the data privacy of Californian residents. Now that you have an idea of what these Californian privacy laws are all about, it is time to delve deeper into the similarities and differences of these laws.


As mentioned, The California Online Privacy Protection Act and the California Consumer Privacy Act were both established to protect and uphold the data privacy rights of residents of California.

If you own or manage an online business or website, you should know the differences and similarities between the two so that you will be able to comply with their requirements.

The biggest similarity between CalOPPA and CCPA is their scope. The California Online Privacy Protection Act and the California Consumer Privacy Act are data protection laws that seek to protect all consumers in the state of California.

These laws both consider “consumers” as anyone residing in California. For online businesses and websites, that means these laws can cover you if you host information from Californian residents, regardless of where you are based.

However, while both of these acts seek to address commercial enterprises, they differ in terms of the type of business they target.

Scope of the California Online Privacy Protection Act

This act applies to commercial websites or online services that collect personally identifiable information about consumers residing in California. It doesn’t matter if the company is based in Singapore or New Zealand. As long as the website carries information from Californian residents, all companies must comply.

However, it should be noted that while CalOPPA does have a broad scope, it doesn’t cover ISPs or other types of services that take care of processing such information on behalf of third-party operators.

This law is only targeted to the website and online business owners and operators. Also included are mobile applications and other platforms where Californian residents can digitally access the web pages online.

Scope of the California Consumer Privacy Act

Just like CalOPPA, the California Consumer Privacy Act covers businesses that deal with people residing in California. However, CCPA has a much more stringent qualification when it comes to their target businesses. The businesses that CCPA covers should meet the following qualifications:

  • It is profit-driven.
  • Its operation includes California.
  • It determines and controls how the processing of the clients’ personal information is done. In other words, it regulates the “purposes and means” of consumer data.

Additionally, CCPA businesses should meet one or more of the following criteria:

  • It has an annual gross revenue worth more than $25 million.
  • It makes at least half of its annual revenue by selling the personal information of its users and consumers.
  • It sells, buys, shares, and receives personal information from at least 50,000 households, consumers, or devices.

If the business meets the required and additional qualifications, then they should make sure that they comply with the rules set by CCPA. Upon a closer look, it should be apparent that CCPA is more targeted towards large corporations, data brokers, and big social networking websites or applications.

What does personal information mean?

CalOPPA and CCPA have different definitions when it comes to “personal information.” As a business covered by any of these laws, you should be able to differentiate the two to ensure compliance.

In CalOPPA, personal information is referred to as “personally identifiable information.” It covers individually identifiable information regarding a consumer that is collected and maintained by an operator. Examples of “personally identifiable information” include the following:

  • Full name,
  • Home address,
  • Email address,
  • Contact number, and
  • Social security number, among others (cookies, IP address, etc.)

In CCPA, personal information is any type of information that relates to, describes, identifies, or can be associated or linked with a household or an individual consumer.

In addition to the information needed in CalOPPA, it also includes the search and browsing history, consumer interaction with an application, advertisement, or a website, and other types of data.

Businesses need to make sure that they understand the differences between the two so that they can properly comply with the regulations set by these laws.

What are the requirements under each act?

CalOPPA and CCPA compliance

CalOPPA’s most important requirement is the display of the Privacy Policy and its mandated content. Under CalOPPA, a Privacy Policy should include the categories of collected personal information and the types of third parties that are involved in data gathering or processing.

Operators are also required to include information about the procedures and processes involved in the business, like the effectivity date of the policy and how you update your consumers on Privacy Policy changes.

A privacy policy should be conspicuously posted on the website, meaning that it should be written in noticeable and legible text on one’s homepage. Complying with the requirements under CalOPPA is relatively easy compared to CCPA.

CCPA is more complicated, as it is more specific than CalOPPA. CCPA requires businesses to provide the following rights to their consumers:

  • The right to know
    Businesses are required to disclose the type of personal data that they collect, sell, or share.
  • The right to removal
    Consumers are allowed to remove or delete their information from the database of the operator under certain conditions.
  • The right to refuse
    Consumers have the right to refuse the sale and processing of their information.
  • The right to non-discrimination
    Businesses are not allowed to discriminate against consumers who have used or exercised the rights listed above

The sale or processing of children’s personal data also has an opt-in policy, and businesses should update their privacy policy at least once a year.

What are the penalties for non-compliance?

You should make sure that your online business or website complies with the rules set by CalOPPA and/or CCPA. Non-compliance can lead to penalties — something that you wouldn’t want to wish on your business’ financials.

Under CalOPPA, failure to comply can lead to a maximum of $2,500 per violation. While you may think that this is cheap, you should note that every “violation” counts each consumer visit on your website for the duration of your non-compliance.

If your website had high traffic during that period, it could add up to hundreds of thousands or even millions of dollars.

For CCPA, the Attorney General can issue up to $2,500 as well. Of the total penalty, 20% will be forwarded to a consumer privacy fund to help attorneys in recovering the costs of legal action.

CCPA also fines intentional violators of up to $7,500 per violation, and private consumer claims can lead to fines between $100 and $750.

As a responsible online business owner or manager, you have the duty to monitor your compliance with the following laws. By doing so, you can strengthen your relationship with your customers and avoid paying hefty fines.

Final words

CalOPPA and CCPA are both data protection laws that require commercial enterprises doing business in California to adhere to requirements in order to safeguard the data privacy of its residents.

CalOPPA seeks to address all types of businesses running commercial websites, while CCPA only addresses big businesses and data brokers.

They both have different requirements, but they have the same goal: to make businesses accountable and transparent when it comes to collecting, processing, selling, or sharing the private information of their customers.

As a business owner, manager, or operator, you must make sure that you know the specifics when it comes to the similarities and differences of CalOPPA and CCPA. Doing so ensures that you will remain compliant with the requirements and regulations that each act has set.