Overview
The California Online Privacy Protection Act (CalOPPA), enacted in 2003 and amended in 2013, was the first state law in the United States to require commercial websites and online services to post a privacy policy. Despite being a California law, CalOPPA effectively has national reach because any website that collects personal information from California residents must comply, regardless of where the business is located.
CalOPPA focuses specifically on transparency. It does not regulate how businesses may use personal information, but it requires that businesses clearly disclose their data collection and sharing practices through a conspicuously posted privacy policy.
Who Does It Apply To?
CalOPPA applies to:
- Any operator of a commercial website or online service that collects personally identifiable information (PII) from California residents
- Businesses located anywhere in the United States or internationally, as long as they collect PII from California residents through their website or online service
- Mobile applications and other online services, not just traditional websites
- Third-party services that collect PII through another operator's site or app
Because California has the largest population of any US state and nearly every website is accessible to California residents, CalOPPA effectively requires any commercial website operating in the United States to comply.
Key Requirements
Conspicuous Privacy Policy
The most fundamental requirement of CalOPPA is that your website or online service must post a privacy policy that is conspicuously available. Specifically:
- The privacy policy must be accessible through a conspicuous link on the homepage or the first significant page after entering the site
- The link must use the word "privacy" and be distinguishable from surrounding text through font size, color, or other visual formatting
- The policy must be accessible without requiring the user to navigate through multiple pages
Required Disclosures
Your privacy policy must include the following information:
- Categories of PII collected: List the types of personally identifiable information your site collects, such as names, email addresses, physical addresses, and phone numbers
- Categories of third parties with whom PII is shared: Disclose any third parties that receive the personal information you collect
- Process for reviewing and requesting changes: Describe how users can review the PII you have collected about them and request changes
- Effective date: Include the effective date of the privacy policy
- Notification of changes: Describe how you will notify users of material changes to the privacy policy
- Do Not Track disclosures: Disclose how your site responds to Do Not Track (DNT) browser signals and whether third parties may collect PII about users' online activities over time and across different websites
Do Not Track Response
Since the 2013 amendment, CalOPPA requires that your privacy policy disclose how your website responds to Do Not Track signals. You are not required to honor DNT requests, but you must disclose your practice. Your options include:
- Honoring DNT signals by ceasing tracking when a signal is detected
- Not honoring DNT signals and disclosing this to users
- Disclosing that you do not currently respond to DNT signals
Timely Updates
Your privacy policy must be updated whenever your data practices change materially. While CalOPPA does not specify a review schedule, best practice is to review and update your policy at least annually and whenever you introduce new data collection methods or third-party integrations.
Individual Rights
CalOPPA itself provides limited individual rights compared to more recent privacy laws such as the CCPA. However, it establishes baseline transparency rights:
- Right to know: Users have the right to see your privacy policy and understand what personal information you collect and how it is shared
- Right to review and correct: Your privacy policy must describe how users can review the PII collected about them and request corrections
- Right to be notified of changes: Users must be notified when material changes are made to your privacy practices
Enforcement and Penalties
CalOPPA is enforced by the California Attorney General's Office:
- 30-day cure period: Before taking action, the Attorney General must notify the operator of the alleged non-compliance and allow 30 days to correct the issue
- Unfair business practice: Failure to comply with CalOPPA after the cure period is treated as a deceptive business practice under California's Unfair Competition Law (Business and Professions Code Section 17200)
- Penalties: Violations can result in penalties of up to $2,500 per violation. Because each individual visit to a non-compliant website can constitute a separate violation, potential liability can accumulate rapidly for high-traffic sites
- Injunctive relief: Courts can issue injunctions requiring the operator to post a compliant privacy policy
- No private right of action: Individual consumers cannot sue directly under CalOPPA. Enforcement is limited to the Attorney General
How Apidly Helps
Apidly makes CalOPPA compliance straightforward:
- Privacy policy generation creates a CalOPPA-compliant privacy policy that includes all required disclosures, formatted with a conspicuous link structure suitable for your website
- PII category mapping scans your website and third-party integrations to identify all categories of personally identifiable information being collected, ensuring your privacy policy accurately reflects your practices
- Third-party disclosure tracking monitors the third parties integrated with your site and flags when new services are added that may require updates to your privacy policy
- Do Not Track disclosure management helps you document and disclose your DNT response practices as required by the 2013 amendment
- Change monitoring alerts you when your data collection practices change and prompts you to update your privacy policy to stay in compliance