CalOPPA: What is it & How to Comply in 2024?

Table of Contents


If your business is located in California or you offer services in California, you’ve more than likely encountered the California Online Privacy Protection Act (CalOPPA). While this is not a federal law but a state law, your business will need to remain compliant with it.

Non-compliance with the CalOPPA can result in costly fines and penalties, which can pile up quickly depending on the number of violations. In this guide, we’ll explore the CalOPPA, who it applies to, and how your business can stay compliant with it.

Let’s jump in.

Key Takeaways

  • CalOPPA (California Online Privacy Protection Act) is a data privacy law that lets users know where their collected personally identifiable information is being used.
  • Businesses that are based in California or offer services to Californians online through a website or mobile app are required to follow CalOPPA.
  • CalOPPA requires that businesses have a privacy policy, instructions on how users can change or update information, and provide information on whether you do or do not respond to “Do Not Track” requests.

What is CalOPPA?

Because there is no federal data privacy law in the U.S., some states have created their own data privacy laws, and California was one of the first to do so. California created the state’s first data privacy law in 2003, called CalOPPA, which was implemented on July 1, 2004.

This new privacy law would give consumers more control over how and where their personal data is collected and stored.

California’s data privacy law establishes guidelines for what personal information can be collected and how it’s shared. Overall, the CalOPPA is a basic form of data subject rights found in data privacy regulations such as the GDPR.

In 2013, an amendment required businesses to disclose tracking of online visits.

CalOPPA was last updated in 2016, and a clause was added requiring businesses to let users or consumers know that their privacy policy has been updated and how they will be affected by these changes.

What is the Purpose of CalOPPA?

CalOPPA was created to give California consumers more control over their personal data and hold businesses accountable for storing, processing, and sharing personal information.

The purpose of CalOPPA is to do the following:

  • To determine what types of personal information can be collected and how this information can be shared
  • To allow users the opportunity to request changes to the personal information that was collected
  • To outline how businesses have to notify users of any changes or updates to the privacy policy
  • To determine if businesses respond to “Do Not Track” requests
  • To determine whether third parties may collect personally identifiable information via the business

This is done by creating a privacy policy that is compliant with data privacy law.

CalOPPA sets the legal standards for a business’s privacy policy presentation, wording, and implementation. The privacy law holds businesses and online service providers accountable for not implementing or following a privacy policy.

Who Does CalOPPA Apply to?

CalOPPA applies to all operators (businesses) that own a website on the internet, mobile app, or online service that collects and uses personally identifiable information from a consumer currently living in California.

However, this data privacy law does not apply to third parties that operate, host, or manage a website or online service on behalf of the business owner.

CalOPPA identifies seven types of personally identifiable information protected under the data privacy law. These are:

  1. First and last names
  2. Home or physical addresses that include street names as well as town and city names
  3. Email addresses
  4. Telephone numbers
  5. Social security numbers
  6. Other identifiers allow physical or online contact with an individual
  7. Information about a user that was collected from a website or online service that remains in personally identifiable form in combination with an identifier outlined in no.6

If your business is collecting any of the above, CalOPPA applies to your business, and failure to comply with this guideline will result in fines and penalties.

The only exemptions are non-commercial websites that do not collect personally identifiable information or services that are not available in the state.

CalOPPA Requirements Checklist

Unlike other data privacy laws like the GDPR or CPRA (California Privacy Rights Act), CalOPPA does not have hundreds of pages of requirements that businesses need to meet. There are a few very important things that businesses need to check off the checklist:

  • Create a privacy policy that is compliant with CalOPPA
  • Provide clear instructions on how users can review and update their information
  • Provide information if you do respond to Do Not Track (DNT) requests

Privacy Policy

CalOPPA sets out some requirements that your privacy policy needs to meet. Firstly, if your business collects any of the seven mentioned types of personally identifiable information, you will need to disclose this information in your privacy policy.

Your privacy policy must be displayed in a visible place for all users to find, with a hyperlink containing the word “privacy.” It also needs to have an option to obtain an agreement from the user.

Two ways of doing this are:

  • Clickwrap: Links are posted alongside a textbox or button that says “I agree.”
  • Browsewrap: Does not require the user to do anything

Clickwraps are the best way to obtain consent and are enforced by courts in the U.S., whereas browsewrap is a less effective consent tool.

For example, the privacy policy could include a list of information to show the user where and what information is collected:

  • Contact information
  • Usage information: this includes link clicks, language preferences, and other actions taken on the website or mobile app
  • Device and browser data: Includes information like IP address, operating system, browser type, performer information, and UUID for mobile apps
  • Information from page tags: Information gathered from third parties like cookies and page tags
  • Information from log data: Includes information like IP addresses, internet service providers, operating systems, device type, and files viewed on the website

Your privacy policy will also need to disclose what your business uses this information for and how it is used. For example, if your business is using the collected information for marketing purposes, this needs to be made clear.

If your business is using third parties to store or process personally identifiable information, this will need to be disclosed as well.

Instructions on How Users Can Review or Update Their Information

Your business needs to provide clear and simple instructions for users on how to review or update their personal data.

There are two ways of going about this:

  • Proving a link where all users and customers may access, update, or delete their collected personal data
  • Providing contact information so that users can reach out to access, update, or delete their collected personal data

If someone contacts your business to access, update, or delete their personal information, it is recommended to notify them that you have received their receipt immediately and to provide them their data in a reasonable time period (typically within a month).

Responding to “Do Not Track” Requests

CalOPPA requires businesses to provide a clause stating whether they will or will not respond to “Do Not Track” requests. No federal or state law requires businesses to honor these requests, but they do have to disclose their stance.

We recommend you respond to these requests to build trust with your consumers and to avoid any potential complaints.

Fines for Non-Compliance of CalOPPA

Compared to other data privacy regulations, CalOPPA requirements are much simpler, and businesses need to make sure they have a clear privacy policy and text that stands out from the surrounding text on their homepage.

The California Attorney General’s office enforces the provisions in CalOPPA, and issues of non-compliance are addressed through provisions made in California’s Unfair Competition law.

The California Attorney General’s office issues businesses 30 days to rectify any instances of non-compliance.

Failure to address the issues of non-compliance within the 30-day grace period will result in a fine worth $2,500 per individual violation. This can add up quickly if your business has multiple violations, potentially leading to hundreds or thousands or millions lost.

This could mean if you don’t have a valid privacy policy on your website, every visit to your website is counted as a violation. So, even one day of not being compliant with CalOPPA requirements can result in multiple violations, which can add up very quickly.

For example, in 2012, Delta Airlines failed to meet the privacy policy visibility requirements on their mobile app. The case was eventually dismissed as the airline industry is exempt. If the case hadn’t been dismissed, the company would face fines of up to $2.5 million.

Frequently Asked Questions (FAQs)

What is the difference between the CCPA and the California Online Privacy Protection Act?

Both data privacy laws are used to give consumers the right to know how, where and why their personal data is being collected. However, the CalOPPA only does this through a privacy policy while the CCPA is more comprehensive.

Do you understand CCPA regulations? Check here.

Does the CCPA Apply to Businesses Outside of California?

Yes, businesses that are not based in California but offer services or collect personal data from California residents are subject to this data privacy law.

Make sure your business is CCPA compliant with Captain Compliance.

Does CalOPPA Require Explicit Consent?

Unlike other data privacy laws, CalOPPA does not require explicit consent, but businesses must disclose in a privacy policy where and how collected personal data is being used.

Learn how to implement cookie consent.

Can Businesses Be Held Liable for Data Breaches Under CalOPPA?

No, CalOPPA provides information on where and how collected information is used through a privacy policy. Other laws, such as the CCPA, deal with data breach liability.

Explore how your business can prevent data breaches.

How Can Captain Compliance Help You?

While CalOPPA may not be as comprehensive as other data privacy regulations like the CPRA or GDPR, failure to comply with the privacy policy requirements can result in your business having to pay fines and penalties.

Avoid this by choosing Captain Compliance as your compliance partner. We offer outsourced compliance solutions to ensure your business complies with relevant data privacy regulations.

Contact Captain Compliance today for a free consultation.

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo with a compliance SuperHero or get started today.