What is CalOPPA?
Complete guide to the California Online Privacy Protection Act - the first state law requiring privacy policies for commercial websites and online services.
The California Online Privacy Protection Act (CalOPPA) is a state law that came into effect on July 1, 2004. It was the first state law in the United States to require commercial websites and online services to post a privacy policy.
CalOPPA applies to any person or company that operates websites or online services that collect personally identifiable information from California consumers. This includes businesses located anywhere in the world, not just California.
Key Fact
CalOPPA is considered the foundation for privacy policy requirements in the United States. It set the precedent that websites must be transparent about their data collection practices.
Who Does CalOPPA Apply To?
CalOPPA has an extremely broad reach. If you collect personal information from California residents through your website or online service, you must comply - regardless of where your business is located.
Commercial Websites & Services
Any website or online service that collects personal information from California residents
Examples: E-commerce sites, blogs with contact forms, SaaS platforms
Mobile Applications
Apps that collect personally identifiable information from California users
Examples: iOS apps, Android apps, cross-platform mobile applications
Online Services
Any internet-based service accessible by California residents
Examples: Web apps, APIs, cloud services, online platforms
Important Note
Because California has such a large population, virtually any website or online service accessible globally is subject to CalOPPA if it collects personal information.
Key Requirements Under CalOPPA
Privacy Policy Requirement
Must post a conspicuous privacy policy on your website or online service
Conspicuous Posting
Privacy policy link must be clearly visible and accessible from every page
Required Disclosures
Must disclose data collection practices, sharing, and user rights
Do Not Track Disclosure
Must disclose how you respond to Do Not Track signals from browsers
What Must Be Disclosed in Your Privacy Policy?
CalOPPA requires your privacy policy to include specific information about your data practices:
- Categories of personal information collected
- Purpose for collecting or using personal information
- Categories of third parties with whom personal information is shared
- Process for users to review and request changes to their personal information
- Process for notifying users of material changes to the privacy policy
- Effective date of the privacy policy
- How the business responds to Do Not Track signals
- Whether third parties collect personal information through the site
Conspicuous Posting Requirements
CalOPPA requires that your privacy policy be "conspicuously posted." This means:
- The privacy policy link must be easily visible and accessible
- It should be available from the homepage and every page where personal information is collected
- The link text should clearly indicate it leads to the privacy policy (e.g., "Privacy Policy," not "Legal")
- The font size should be large enough to be easily readable
Do Not Track Disclosure
One unique aspect of CalOPPA is the requirement to disclose how your website responds to "Do Not Track" (DNT) signals sent by web browsers. You must state:
If You Honor DNT
Explain how your website responds to DNT signals and what changes in tracking behavior occur when users enable DNT.
If You Don't Honor DNT
Clearly state that your website does not respond to DNT signals and that tracking continues regardless of the user's browser settings.
Penalties for Non-Compliance
While CalOPPA itself doesn't specify monetary penalties, non-compliance can result in:
Legal Action
The California Attorney General can bring action against non-compliant operators for unfair or deceptive practices.
Cure Period
Operators receive a 30-day cure period to remedy any non-compliance issues before penalties are imposed.
CalOPPA vs CCPA: What's the Difference?
California now has two major privacy laws. Here's how they differ:
| Aspect | CalOPPA | CCPA |
|---|---|---|
| Effective Date | July 1, 2004 | January 1, 2020 |
| Who It Applies To | All websites collecting personal info from CA residents | Larger businesses meeting revenue/data thresholds |
| Main Requirement | Post a privacy policy | Consumer data rights (access, deletion, opt-out) |
| Penalties | Enforcement by AG after 30-day cure period | Up to $7,500 per intentional violation |
Note: If your business is subject to CCPA, you still need to comply with CalOPPA. The laws work together, with CCPA providing additional consumer rights on top of CalOPPA's transparency requirements.
How to Comply with CalOPPA
Create a Comprehensive Privacy Policy
Include all required disclosures about your data collection, use, and sharing practices.
Post It Conspicuously
Place a clearly labeled link to your privacy policy in your website footer and on every data collection page.
Address Do Not Track
Include a clear statement about how your website responds (or doesn't respond) to DNT signals.
Keep It Updated
Review and update your privacy policy whenever your data practices change, and notify users of material changes.
Implement User Request Processes
Establish procedures for users to review and request changes to their personal information as disclosed in your policy.