If you don’t live, work, own a business, or host a website in California, you may be breaking CalOPPA, a California law intended to protect the online privacy of the state’s residents.

Since 2003, California has had a bill on the books commonly called the Online Privacy Protection Act (CalOPPA), which dictates that website owners must have a written privacy policy and must display that policy prominently on the website. It was the first law of its kind in the nation, and applies to all websites that collect personally identifiable information about California residents, regardless of where the website is hosted or accessed.


Are you prepared for CalOPPA

This act was amended in 2013 to add specific details about how the website responds to “Do Not Track” signals sent from the user’s web browser, and the law now applies to all commercial websites and online services, including mobile apps.

This affects you

If your website or mobile app can be accessed by California residents, and it collects any of the following information, then this law affects you:

  • First and last name
  • Home or other physical address (street name and name of city or town)
  • Email address
  • Telephone number
  • Social Security number
  • Any other identifier that permits physically or electronically contacting a specific individual


You are probably in violation

If you answer “no” to any of these questions, then you are probably breaking the law:

  • Do you have a written privacy policy?
  • Is your privacy policy “conspicuous” on your website or in your mobile app?
    • For mobile apps, the privacy policy can be on your website, as long as a link to your app’s website is conspicuous within the app itself.
  • Does your privacy policy:
    • Describe all of the personally identifiable information your website/mobile app collects?
    • Describe how a consumer can access and request changes to their information, if available?
    • Describe how you will notify consumers of any material changes to the privacy policy?
    • Contain its effective date?
    • Disclose all third party data collection tools and policies in use?
    • Explain how your website responds to browser Do Not Track (DNT) signals?

Don’t start panicking yet, though. Operators are only in violation if they fail to comply within 30 days of receiving notice of non-compliance.

Non-compliance could cost you

Penalties for violation are currently categorized under the California Unfair Competition Law, which allows for a penalty of up to $2,500 per violation.

Maybe you are thinking to yourself “That doesn’t sound like very much.” Keep in mind that each copy of the “unlawful” mobile app that was downloaded by California consumers is considered a violation. The calculus behind the number of violations for website usage is more of a gray area, but every individual on which your website has collected data for could be considered a separate violation.

Here’s how to fix it

  • Write a privacy policy
  • Link to your privacy policy from a standard navigation section on your website (like a prominent link in the footer)
  • Link to, or include, your privacy policy in your mobile app, and make sure the link is easy to find (like from the help or about screen)
  • When writing your privacy policy…
    • Consult a lawyer with experience in internet privacy concerns
    • Include a section about DNT signals, and make it easy to find (like with the heading “Online Tracking”)
    • Disclose whether third parties may be collecting personal information, and how to find their policies (provide a link whenever possible)
    • Explain how you use personal information (beyond what is necessary for the clear customer transactions)
    • Explain what options they have for changing their collected personal information or controlling how it is used
    • Provide a contact phone number or email address in case they have questions or concerns
    • Follow what you have agreed to in your privacy policy!

It is highly recommended that you consult with a lawyer when writing your privacy policy, but there are a number of templates online to help you get started.

Do this now

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>