California Online Privacy Protection Act (CalOPPA)

—updated July 29, 2015

The first state law in the nation to require commercial websites and online services to post a privacy policy, the California Online Privacy Protection Act (CalOPPA) went into effect in 2004. It was amended in 2013 to require new privacy disclosures regarding the tracking of online visits.

CalOPPA applies to any person or company in the United States (and conceivably the world) whose website collects personally identifiable information from California consumers. CalOPPA requires the website to feature a conspicuous privacy policy stating exactly what information is collected and with whom it is shared; it also requires the operator of the website or online service to comply with the site’s privacy policy. Those who fail to do so are at risk of civil litigation under the state’s Unfair Competition Law.

Who does CalOPPA apply to?
CalOPPA applies to any person or entity that owns or operates a commercial website or online service that “collects and maintains personally identifiable information from a consumer residing in California who uses or visits” said website or online service. CalOPPA does not apply to Internet service providers or similar entities that transmit or store personally identifiable information for a third party.

In 2012, the California Attorney General’s Office took the position that CalOPPA applies to mobile applications for smartphones and tablets that collect personally identifiable information. Hundreds of app providers were notified that they were in violation of CalOPPA and given 30 days to submit compliance plans or face fines of up to $2,500 for each download of their app.

What is “personally identifiable information”?
As legally defined, “personally identifiable information” refers to details collected on the Internet about an individual consumer, including an individual’s first and last name, a physical street address, an email address, a telephone number, a Social Security number, or any other information that permits a specific individual to be contacted physically or online. The term extends to details such as a person’s birthday, height, weight or hair color that are collected online and stored by an operator in personally identifiable form.

What is required under CalOPPA?
The operator of a commercial website or online service must conspicuously post a privacy policy on its website. According to CalOPPA, conspicuously posting a privacy policy means:

  • The privacy policy is shown on the website’s homepage; or
  • A link – via an icon that contains the word “privacy” – appears on the homepage and directly takes consumers to the privacy policy. In this instance, the icon must be in a color different from the homepage’s background; or
  • The privacy policy is linked to the homepage via a hypertext link that contains the word “privacy” and that either is written in capital letters equal to or greater in size than the surrounding text; is displayed in a type, font or color that contrasts with the surrounding text of the same size; or is otherwise distinguishable from the surrounding text on the homepage.

CalOPPA also requires website operators to adhere to their stated privacy policy. As May 2014 guidance from the California Attorney General’s Office says, “It requires them to say what they do and do what they say – to conspicuously post a privacy policy and to comply with it.”

To be considered in compliance with CalOPPA, the website’s privacy policy must contain the following:

  • A list of the categories of personally identifiable information the operator collects;
  • A list of the categories of third parties with whom the operator may share such personally identifiable information;
  • A description of the process (if any) by which the consumer can review and request changes to his or her personally identifiable information as collected by the operator;
  • A description of the process by which the operator notifies consumers of material changes to the operator’s privacy policy; and
  • The effective date of the privacy policy.

An operator will be considered in violation of CalOPPA if it fails to post a privacy policy within 30 days after being notified of noncompliance. An operator who fails to comply with CalOPPA or with the terms of its privacy policy will be found to be in violation only if its noncompliance is either knowing and willful, or negligent and material. Note what this leaves open: a deliberate breach gives rise to liability even if it is not material (i.e., minor), so minor technical defects in the posting or contents of a privacy policy, if knowingly left in place, can be a basis for liability.

AB 370 Requires New Privacy Disclosures

Assembly Bill 370 (Muratsuchi), signed into law in 2013, amended CalOPPA to require new privacy policy disclosures for websites and online services’ tracking of visitors, defined in the legislative analysis of the bill as “the monitoring of an individual across multiple websites to build a profile of behavior and interests.”

AB 370 was driven in part by the advent of the browser “Do Not Track” (DNT) signal, an HTTP request header (“DNT: 1”) that a browser can send to tell a website the visitor prefers not to be monitored. AB 370 is intended to bring greater transparency and consumer scrutiny to website practices, but it does not limit tracking and does not require an operator to honor the signal; it only requires the operator to disclose how it responds to the signal.

As the bill’s author, Assembly Member Al Muratsuchi (D-Torrance) explained, “This bill would increase consumer awareness of the practice of online tracking by websites and online services, such as mobile apps. AB 370 will allow consumers to learn from a website’s privacy policy whether or not that website honors a Do Not Track signal. This will allow the consumer to make an informed decision about their use of the website or service.”

Under AB 370, privacy policies for websites or online services used by California residents (including mobile apps for smartphones and tablets) are required to:

  • Disclose how a business’s website or online service responds to Do Not Track signals from Web browsers, or to other mechanisms that give consumers a choice about the collection of personally identifiable information across sites over time. An operator may satisfy this disclosure instead by providing “a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.”
  • Disclose whether third parties may collect visitors’ personally identifiable information on a business’s website or online service.
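The AB 370 disclosure is only meaningful if the operator actually knows what its servers do with the DNT header. The following is an added example, not code from the original article or from any regulator: a small, framework-free request handler that parses the DNT header and, under one hypothetical policy (honor DNT:1 by not setting a cross-site tracking cookie), decides whether to track the visitor. The cookie name ad_visitor_id and the honor_dnt switch are assumptions for illustration; the "Tk" response header is the tracking-status header defined in the W3C Tracking Preference Expression working draft, which a site may or may not choose to emit. Whichever setting of honor_dnt an operator runs with is exactly what its privacy policy must say.

```python
"""Honoring (or not honoring) the browser "Do Not Track" signal server-side.

Added example; not part of the original article. The DNT signal is an HTTP
request header: "DNT: 1" means the visitor asked not to be tracked, "DNT: 0"
means they consented, and an absent header means no preference was expressed.
What a site does with it is the operator's choice; AB 370 only requires the
privacy policy to disclose that choice.
"""
from http.cookies import SimpleCookie
import secrets

TRACKING_COOKIE = "ad_visitor_id"  # hypothetical cross-site tracking cookie name
ONE_YEAR = 60 * 60 * 24 * 365


def dnt_preference(headers):
    """Parse the DNT request header.

    Returns True for "DNT: 1", False for "DNT: 0", and None when the header is
    absent or carries any other value (treated as "no valid preference").
    Header names are matched case-insensitively and values are trimmed, since
    proxies and client libraries vary in how they emit them.
    """
    for name, value in headers.items():
        if name.lower() == "dnt":
            value = value.strip()
            if value == "1":
                return True
            if value == "0":
                return False
            return None
    return None


def build_response_headers(request_headers, honor_dnt=True):
    """Decide which tracking-related response headers to send.

    honor_dnt=True  -> do not set the tracking cookie when the visitor sent DNT:1
    honor_dnt=False -> always set it (the policy must then say the signal is ignored)
    Returns (response_headers, tracked).
    """
    pref = dnt_preference(request_headers)
    tracked = not (honor_dnt and pref is True)

    # "Tk: N" = not tracking this request, "Tk: T" = tracking (W3C TPE draft values)
    response = {"Tk": "T" if tracked else "N"}

    if tracked:
        cookie = SimpleCookie()
        cookie[TRACKING_COOKIE] = secrets.token_hex(16)
        morsel = cookie[TRACKING_COOKIE]
        morsel["path"] = "/"
        morsel["max-age"] = ONE_YEAR
        morsel["secure"] = True      # never send the identifier over plain HTTP
        morsel["httponly"] = True    # keep it out of reach of page scripts
        response["Set-Cookie"] = cookie.output(header="").strip()
    return response, tracked


if __name__ == "__main__":
    # Constructed sample requests; a real server would read these from the socket.
    for sample in ({"DNT": "1"}, {"dnt": " 0 "}, {}, {"DNT": "maybe"}):
        hdrs, tracked = build_response_headers(sample)
        print(sample, "->", "tracked" if tracked else "not tracked", hdrs["Tk"])
```

A site that ships this with honor_dnt=False is not violating CalOPPA, but its privacy policy must then say that DNT signals are ignored; shipping honor_dnt=True while the policy says the opposite is the "say what you do and do what you say" failure the Attorney General's guidance warns about.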

What are the consequences of noncompliance?
CalOPPA itself contains no enforcement provisions. It is enforced instead through California’s Unfair Competition Law (UCL), Business and Professions Code §§ 17200-17209. Under the UCL, the California Attorney General’s Office, district attorneys, and some city and county attorneys can file suit against businesses for “unfair competition,” which includes any unlawful, unfair or fraudulent business act or practice; because a CalOPPA violation is an unlawful business act, it can be pleaded as a UCL violation. Government officials bringing such a suit may seek civil penalties and equitable relief under the UCL. Private plaintiffs who have lost money or property as a result of the violation may also bring UCL claims based on CalOPPA noncompliance.

Operators who violate CalOPPA may also be susceptible to actions by the Federal Trade Commission, which may bring enforcement action against businesses whose posted privacy policy is deceptive – that is, where a business fails to comply with its posted privacy policy.
