The California Online Privacy Protection act released back in 2003 protects the privacy rights of California's residents. This legislation, commonly called CalOPPA, seeks focuses on personally-identifiable information (PII). Meaning, all of a person's digital information that can be traced back to identify its owner.
CalOPPA is arguably the broadest privacy law in the United States, which has no embracing Federal law on the subject. Furthermore, its reach impacts well beyond the state's borders! Virtually all organizations must comply due to the probability of use by a California resident. Specially those with websites, and apps.
When did CalOPPA Begin and What is its Reach?
CalOPPA came into effect in 2004, as the first U.S law requiring websites and online services to display Privacy Policies. Its reach was further extended in 2012 by the California Attorney General's Office, which applied it to mobile applications that collect PII as well.
The law was revisited in 2013 to tackle the unregulated area of online tracking. This change prompted organizations to disclose the tracking and collection of PII of those who navigate their websites and services. Also, they must explain how Do Not Track requests are handled.
Why is CalOPPA’s reach so broad? Well, California has the largest economy of any state in the United States, by far. It even compares with the U.K.'s GDP in the global ranking of top economies. Considering both local and foreign companies must comply with it... We can say it is the primary force for consumer privacy in America.
What's more, CalOPPA just might be the foundation that the Federal government may build upon for future national privacy laws.
Complying With CalOPPA
CalOPPA brings few requirements to the table. However updates are frequent and it soon will grow its reach. It all began with clear Privacy Policies and CalOPPA's own terms. The risk? Civil litigation under the state's Unfair Competition Law.
Soon, its approach will change to extend the user's right to have power over its data. This is similar to those provided by sibling laws, like the Eueropean General Data Protection Regulation (GDPR).
Details on the personally identifiable information collected, and how that data is used.
Information on any third parties who your organizations shares PII with.
Proper instructions on how a consumer can review and request changes to their collected PII.
Details on how you respond to online tracking signals and Do Not Track Requests.
The California Consumer Privacy Act, due in 2020
California recently passed another new privacy law in June 2018, the California Consumer Privacy Act (CCPA). This will take effect January 1, 2020, and it will extend CalOPPA to grant users more control over their data.
The CCPA was born from an activist group's proposal.
If a business falls within CCPA's scope, it must comply with Privacy Policies that includes specific "Do Not Sell my Personal Information" notification link, and update their policies yearly.
Compliance with CCPA is more rigorous, but applies to a much smaller number of organizations. However, it provides a new set of core rights to users subject to data collection. Similar to GDPR's set of user rights, CCPA provides:
- The right to KNOW what personal information is collected. With clear disclosure to consumers of the specific pieces of personal data collected, sold, or disclosed (and to whom).
- The right to SAY NO to the sale of that personal information. Requiring businesses to stop selling a consumer’s information on request. Plus, a stronger, full opt-in for children, rather than an opt-out option.
- The right to DELETION. Mandating that under certain conditions, businesses must provide access and deletion rights for certain information collected.
- The right to NON-DISCRIMINATION. Ensuring that businesses provide equal service and price to those who have exercised these privacy rights.
As for the “Do Not Sell My Personal Information” page, it should provide consumers a way to notify they do not agree to the sale of their personal information.
Complying with California's data privacy regulations will not pose much of a problem, they are basically a consensual standard! However, the arrival of CCPA will bring a glimpse of Europe's strategy with GDPR to the United States.
So, if you're already prepping up for CCPA, you can tackle two birds with one stone and do GDPR too! Here's a checklist of its key requirements to help you do so. They share many similarities in the user rights section.
For additional information and guidance on complying with CalOPPA, CCPA and California data privacy laws, visit the California Attorney General’s webpage on privacy and protection. What's more the AG’s provides links to major privacy protection laws at both State and Federal level.