CalOPPA: Privacy Policies Closer to Home

We’ve talked before about GDPR, the European General Data Protection Regulation which came into effect in May 2018. The GDPR was a big step forward for data privacy and privacy by design, and aims to be very far-reaching.

But there is another privacy regulation that predates the GDPR by fifteen years and also affects your website. Unlike GDPR, which is an overarching policy about consumer privacy both online and offline, the California Online Privacy Protection Act of 2003 (CalOPPA) focuses on consumer data protection through clear website privacy policies about how websites handle personally identifiable information. Personally identifiable information includes name, date of birth, address, social security number, email, phone number, IP address, and any number of other elements which would allow a physical person to be identified.

Like GDPR, however, CalOPPA has a broad scope: it applies to any website accessible to a user from California. This means it affects every website out there, just as GDPR applies to any website European users may visit.

How can your website comply with CalOPPA?

To comply with CalOPPA and the Assembly Bill 370 (Muratsuchi), which amended CalOPPA in 2013, a website privacy policy must be conspicuously posted on the website. The privacy policy must:

  • Include the categories of personally identifiable information collected by the website owner.
  • Note the categories of third parties with whom the website owner may share that information.
  • Explain how the user can review and request changes to his or her personally identifiable information.
  • Tell how the website owner will notify consumers of changes to the website’s privacy policy.
  • Explain how the website responds to Do Not Track signals from browsers.
  • Tell whether third parties may collect visitors’ personally identifiable information on the website.
  • Note the effective date of the privacy policy.

[Image: CalOPPA and GDPR can enhance your trustworthy reputation with your visitors]

The privacy policy may also provide a clear link to allow users to opt out of tracking, if such opting out is available on the website.

If you’ve read our posts on GDPR, you’ll notice that there is a lot of overlap here. Privacy by design and transparency with your visitors are the name of the game.

Whether or not your website has visitors from California or Europe, we encourage you to use your privacy policy to inform your visitors and enhance their trust in your organization.

As with GDPR, we recommend you retain a historical record of your website’s privacy policy so you can refer back to the version in effect at any specific date, should questions arise.

If you need help making your website compliant with CalOPPA or GDPR, get in touch.

Alisa Cognard

Alisa was one of the first team members to join Red Earth Design, Inc. in early 2004. From data entry, she progressed to MySQL database manipulation and PHP coding. Alisa is responsible for all kinds of odds and ends: installing new websites, adding features to them, programming databases, PHP coding, website troubleshooting, website security, and organizational tasks for Red Earth Design.
