Compliance

Complying With California's Privacy Protection Laws: CalOPPA and CCPA

California's gigantic role in the online consumer world makes its privacy protection regulations, CalOPPA and CCPA, a must-comply-to for any business. Learn what these legislation cover and how to work towards compliance.

March 26, 2019


The California Online Privacy Protection act released back in 2003 protects the privacy rights of California's residents. This legislation, commonly called CalOPPA, seeks focuses on personally-identifiable information (PII). Meaning, all of a person's digital information that can be traced back to identify its owner.

CalOPPA is arguably the broadest privacy law in the United States, which has no embracing Federal law on the subject. Furthermore, its reach impacts well beyond the state's borders! Virtually all organizations must comply due to the probability of use by a California resident. Specially those with websites, and apps.

When did CalOPPA Begin and What is its Reach?

CalOPPA came into effect in 2004, as the first U.S law requiring websites and online services to display Privacy Policies. Its reach was further extended in 2012 by the California Attorney General's Office, which applied it to mobile applications that collect PII as well.

The law was revisited in 2013 to tackle the unregulated area of online tracking. This change prompted organizations to disclose the tracking and collection of PII of those who navigate their websites and services. Also, they must explain how Do Not Track requests are handled.

Why is CalOPPA’s reach so broad? Well, California has the largest economy of any state in the United States, by far. It even compares with the U.K.'s GDP in the global ranking of top economies. Considering both local and foreign companies must comply with it... We can say it is the primary force for consumer privacy in America.

What's more, CalOPPA just might be the foundation that the Federal government may build upon for future national privacy laws.

Complying With CalOPPA

CalOPPA brings few requirements to the table. However updates are frequent and it soon will grow its reach. It all began with clear Privacy Policies and CalOPPA's own terms. The risk? Civil litigation under the state's Unfair Competition Law.

Soon, its approach will change to extend the user's right to have power over its data. This is similar to those provided by sibling laws, like the Eueropean General Data Protection Regulation (GDPR).

Have a Clear and Accessible Privacy Policy

So how do you comply with the base requirements of CalOPPA? Start with a clear Privacy Policy, easily accesible. Go for the standard "PRIVACY POLICY" link on the footer, menu, and/or app download page. Furthermore, you must ensure it contains the following:

Details on the personally identifiable information collected, and how that data is used.

Information on any third parties who your organizations shares PII with.

Proper instructions on how a consumer can review and request changes to their collected PII.

Details on how you respond to online tracking signals and Do Not Track Requests.

The effective date of the privacy policy.

An overview of how consumers will be notified of material changes to the privacy policy.

Above all things, consult with a legal expert before publishing your Privacy Policy and ask about any additional requirement that might be specific to your industry. For example, it is important to disclose how third-party partners you interact with handle their privacy policies. View Prey's privacy policies for an example of this

The California Consumer Privacy Act, due in 2020

California recently passed another new privacy law in June 2018, the California Consumer Privacy Act (CCPA). This will take effect January 1, 2020, and it will extend CalOPPA to grant users more control over their data.

The CCPA was born from an activist group's proposal.

If a business falls within CCPA's scope, it must comply with Privacy Policies that includes specific "Do Not Sell my Personal Information" notification link, and update their policies yearly.

Compliance with CCPA is more rigorous, but applies to a much smaller number of organizations. However, it provides a new set of core rights to users subject to data collection. Similar to GDPR's set of user rights, CCPA provides:

  1. The right to KNOW what personal information is collected. With clear disclosure to consumers of the specific pieces of personal data collected, sold, or disclosed (and to whom).
  2. The right to SAY NO to the sale of that personal information. Requiring businesses to stop selling a consumer’s information on request. Plus, a stronger, full opt-in for children, rather than an opt-out option.
  3. The right to DELETION. Mandating that under certain conditions, businesses must provide access and deletion rights for certain information collected.
  4. The right to NON-DISCRIMINATION. Ensuring that businesses provide equal service and price to those who have exercised these privacy rights.

As for the  “Do Not Sell My Personal Information” page, it should provide consumers a way to notify they do not agree to the sale of their personal information.

Takeaways

Complying with California's data privacy regulations will not pose much of a problem, they are basically a consensual standard! However, the arrival of CCPA will bring a glimpse of Europe's strategy with GDPR to the United States.

So, if you're already prepping up for CCPA, you can tackle two birds with one stone and do GDPR too! Here's a checklist of its key requirements to help you do so. They share many similarities in the user rights section.

For additional information and guidance on complying with CalOPPA, CCPA and California data privacy laws, visit the California Attorney General’s webpage on privacy and protection. What's more the AG’s provides links to major privacy protection laws at both State and Federal level.

On the same Issue

HIPAA Checklist: Maintaining Security and Complying with Patient Data Privacy

Navigate through the Health Insurance Portability and Accountability Act requirements and learn which ones are a must-apply for your organization.

February 12, 2022
keep reading
Expert Guide to Online Student Data Protection

The breach of a student's data privacy is not a recent concern, but one that is only now starting to gain attention due to the consequences of a public lack of concern. It is time to understand this issue, and treat it

November 2, 2021
keep reading
Three Laws That Protect Students' Online Data and Privacy

Controlling the privacy of students was a matter of locking records up back then. Now, in the digital classroom era, the risk of leaks increased, and the unwanted collection of data through unregulated online platforms and software caused the need for smarter privacy laws.

February 4, 2021
keep reading
The EU-US Privacy Shield Is No More: What It Means To Our Personal Data

The ruling that governed data protection between the EU and the US is in shambles. What are the consequences for the US organizations dealing with european data?

August 31, 2020
keep reading