CalOPPA: California Online Privacy Protection Act

Several laws in the US and abroad apply to websites, blogs, SaaS platforms and mobile apps.

If you own or operate a website or app, chances are you need a Privacy Policy in place to comply with various laws. This is because the bulk of these laws apply to issues of consumer privacy, and having a Privacy Policy is a key way to be transparent and keep consumers informed.

Let's take a look at some of the laws that may affect your site(s).

Federal laws include:

• The Americans With Disabilities Act
• The Cable Communications Policy Act of 1984
• The Children's Internet Protection Act of 2001 (updated in 2013)
• The Computer Fraud and Abuse Act of 1986
• The Computer Security Act of 1997
• The Consumer Credit Reporting Control Act
• The Children's Online Privacy Protection Act of 1998 (COPPA)

Several laws at the state level also exist, including the California Online Privacy Protection Act (CalOPPA).

What is CalOPPA?

The California Online Privacy Protection Act, more commonly referred to as CalOPPA, was drafted to protect the privacy rights and personal data of California residents.

It aims to safeguards "personally identifiable information" and is currently considered to be the broadest privacy law in the US.

Although a California law, virtually all websites collecting personal data online must comply with CalOPPA because of the probability that the site(s) could be used by a resident of California.

The law mandates several requirements. For starters, sites must include a clearly posted and easily understood Privacy Policy.

CalOPPA defines "personally identifiable information" as:

• First and last names
• Physical addresses
• Email addresses
• Telephone numbers
• Social Security numbers
• Any other contact information, both physical or online
• Birthdays
• Details of physical appearance (height, weight, hair color)
• Any other information stored online that may identify an individual

What is a Privacy Policy?

A Privacy Policy is a legal agreement that informs your website and app visitors about your collection and use of their personal data, as well as your efforts to protect it. It must identify the types of personal information you collect, how the data is collected and used and how it is kept secure along with other key pieces of information.

Here is an example of an introduction clause and Information Collected clause in a Privacy Policy from Tesla:

Do I need a Privacy Policy?

You need a Privacy Policy if your business operates a website or app and you collect personal information from your visitors or users. With nearly every website collecting some type of personal data, either directly or indirectly, it is almost certain that your site needs a legally compliant Privacy Policy.

There are 4 primary reasons a Privacy Policy is necessary if you collect this kind of information.

1. It's legally mandated

This is the most important reason to have a Privacy Policy on your website or app.

Most countries in the world have some form of privacy law that mandates Privacy Policies for websites or apps that collect personal information from their users.

The laws protect residents in their jurisdictions, meaning that where your business is located is not as important as where your site visitors live. If your site attracts California residents, then you must comply with CalOPPA regardless of whether you yourself are in California or not.

2. Third-party services require it

Third-party services commonly used by websites almost always require you to post a Privacy Policy to your site. This is necessary for those third parties to ensure their own compliance with CalOPPA and other privacy laws.

Third parties with such requirements can include Google Analytics, AdSense, AdWords, live chat tools, blog forums, social login integrations and even app stores themselves that require a Privacy Policy for all available apps.

In order for those third-party services to perform their functions, they need to collect data from your users. Among other things, third parties may be collecting IP addresses, user location information, user preferences, browsing activity, social platform information, profile images and other personal data.

All of this is protected under CalOPPA and must be disclosed and explained in your Privacy Policy.

The Google Analytics Terms of Service agreement dictates that any online enterprise who uses their services must have and abide by a Privacy Policy, respect all privacy laws, and adhere to Google's privacy restrictions:

Similarly, you will need to have a Privacy Policy in place if you develop apps across platforms that collect user data.

Facebook's Platform Policy states that you must:

Apple's Developer Policy App Store Review Guidelines is another example:

As you can see, every app is required to make a Privacy Policy available within its Apple app store listing.

3. Users care about their privacy

With increasing consumer concern about the potential for identity theft or misuse of private information, more laws are being written to address those concerns.

CalOPPA is just one. In fact, laws around the world require you to have a Privacy Policy on your site and to comply with requirements for the safe handling of consumer data, and new laws are popping up regularly. Some of these key international laws include the following, and each requires a Privacy Policy:

• The GDPR in the EU
• PIPEDA in Canada
• The Privacy Act of 1988 in Australia

Additionally, having a Privacy Policy in place for your users demonstrates that you value their privacy. Consumer confidence is woven into many laws that require you to write your Privacy Policy in simple terms the typical site visitor can understand, as well as to make your Privacy Policy easy to find on your website.

A well-written and legally compliant Privacy Policy provides your users with important information to educate them about their privacy rights and your use of their personal data.

4. Privacy policies are expected

Almost every website today has a clearly visible, easy to find and easy to understand Privacy Policy. If your app or website doesn't have one, you are potentially putting your business at risk.

While the scope of applicable laws and the task of creating a Privacy Policy may seem overwhelming, it is possible to simplify the process.

Consider Rudd Studio's Privacy Policy, for example:

Even though Rudd Studio doesn't collect any personal data, the company still posts a Privacy Policy. Why?

To educate site users, instill confidence and take the safest approach with applicable laws.

What Should a Privacy Policy Say?

The content of your Privacy Policy is determined by:

• Your information collecting activities - What data you're collecting, how you're using it, why you need it and how you protect it
• The countries in which your users are located
• The privacy laws with which you must be compliant
• Your data management policies - data storage, processing, sharing, etc.

At minimum, it is recommended that your Privacy Policy should cover:

• Your identity and contact details
• Exactly what personal data you collect and manage through your website or app
• The purpose for which this data is collected and processed
• How the data is processed
• How you share personal user information with third parties
• A list of privacy laws with which you are compliant
• An explanation of user rights - How they can opt-out of data collection, request changes to their data, request transfers or ask for their data to be deleted

Additionally, your Privacy Policy should be written in plain English, in a way that is easy for your users to understand.

How Can a Privacy Policy Comply with CalOPPA?

In order to comply with CalOPPA, a Privacy Policy must include the following information.

1. Details of exactly what types of personal data are collected through the website or app

If you collect user names and email addresses (or any other information) through a sign-up form, you need to disclose this in your Privacy Policy.

Here's an example of how a Privacy Policy breaks down what information is collected:

It breaks down sections into easy-to-read and well-organized summaries for readers. The more readable your clauses are, the more legally compliant they'll be and the happier your users will be.

2. Any affiliates with whom you share personal data

This could be other companies or partners working with your organization.

For example, Bloomberg's Privacy Policy includes a clause that states they may share collected personal information with affiliates and third parties:

3. A clear explanation of how users can request changes to their personal data on record

User may want to edit their profile information, such as last name, address, email address, phone number, etc. They also might find an error in a record, such as a health record.

You are required to allow users to make changes to their data, and to make it simple for them to do so.

Here's an example of how to construct a clause that discloses this:

If you have a user interface where users can log in and adjust their own personal information, note this here.

4. The process for informing users of any changes to your Privacy Policy

You will inevitably make changes to your Privacy Policy, either to respect changing laws or to accommodate changes in your business practices. When you change your Privacy Policy, you must notify your users.

How you will notify your users of changes to your Privacy Policy should be clearly stated.

See how CNN does this:

5. The date of the last update

It is important to include the date when your Privacy Policy was last updated.

Disney shows this at the top of its Privacy Policy:

6. How you handle "Do Not Track" (DNT) requests

A Do Not Track request is a setting any user can trigger from their device. The purpose is to allow consumers to limit or prevent the collection of their personal data.

Interestingly, there is no law requiring websites to respect a DNT setting. In fact, it is generally recommended that websites should not respect DNT settings due to software complexities and resulting challenges in enforcing a DNT request.

However, CalOPPA does require you to acknowledge whether you do or do not respect DNT settings.

To meet this requirement, you simply need to state that your website does or does not respond to "Do Not Track" requests. Here's a simple way of how to do this. The clause doesn't need to be long. Just a single statement will work:

7. Details of third parties who collect personal data through the website or app

As discussed above, the probability that your site is using third party services is very high. Examples include services such as Google Analytics to track your user stats, or AdSense for advertising revenue. There are many, many others.

You should thoroughly assess your third party providers in order to identify them, understand how you share data with them, how they use it and how your users can opt-out entirely.

Here's an example of how this can be done:

Each mention of a third party can be linked to the Privacy Policy for that third party so users can find out more information if they wish.

My Business is Not Located in California

Regardless of whether your business is located in California, you very likely attract site visitors from California.

CalOPPA is designed to protect the personal information belonging to residents of the state of California. Therefore, if your site attracts Californians, you need to comply with CalOPPA requirements.

Compliant Presentation of Your Privacy Policy

In order to comply with CalOPPA, your Privacy Policy must:

• Be clearly visible and easily accessible for visitors to your website or users of your app, and
• Contain the word 'privacy'

You should always get agreement to your Policy using the clickwrap method.

Clickwrap

Clickwrap requires an action from users to register their informed consent to your policies. Typically, a user would be required to click to accept terms before using a site, or check a box to acknowledge having read, understood and agreed to a policy.

Here is an example from Sky:

In this example, users must check a box to confirm they have read and agree to Sky's terms and conditions.

For apps, clickwrap is usually applied in the form of an "I agree" button presented at sign-up and is accompanied by a link to the agreement.

Here's an example of the HSBC's banking app sign-up screen:

Clickwrap represents a much stronger and legally enforceable method for getting consent to collect personal information from your website visitors or app users. Therefore, it's highly recommended while browsewrap is not.

Penalties for Non-compliance with CalOPPA

Violating CalOPPA, for example by failing to display a Privacy Policy, can come with a maximum $2,500 fine per violation, pursuant to Section 17206 of the Business and Professions Code,

Important

Compliance with CalOPPA is important for protecting your customer relationships and limiting your potential legal liability.

If your website or app collects personal data from US citizens who may be residents of California, make sure you have a Privacy Policy that:

• Adheres to the requirements of CalOPPA, including a DNT clause and other information
• Is clearly visible and easily accessible for visitors to your website or users of your app
• Is accessible by a hyperlink containing the word "privacy"
• Is presented with the clickwrap method