The California Online Privacy Protection Act or CalOPPA

The California Online Privacy Protection Act, or CalOPPA for short, is an online privacy protection law that regulates the ways in which online operators and websites can collect, use, and disclose the personal information or data of California consumers. While the law shares many similarities with the recently passed California Consumer Privacy Act, or CCPA, the CalOPPA is generally a less stringent and restrictive law than the CCPA. However, the CalOPPA is a much broader and more far-reaching law than the CCPA in terms of the number of businesses within the state of California that must maintain compliance with it or face non-compliance fines or penalties.

How is an online operator defined under the CalOPPA?

Under the CalOPPA, online operators are defined as “An operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service”. The CalOPPA creates no financial threshold in relation to compliance, and also does not mandate that a business interact with a certain number of consumers within the state of California. Additionally, mobile apps are considered to fall under the jurisdiction of the CCPA, as mobile app developers can also face fines and penalties for non-compliance with the CalOPPA.

How is personally identifiable information defined under CalOPPA?

The CalOPPA defines personally identifiable information to mean “individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form”. To this end, the following forms of personally identifiable information are covered under the CalOPPA:

  • Full names.
  • Addresses.
  • Email addresses.
  • Phone numbers.
  • Social security numbers.
  • Any other form of identifier that could be used to contact a specific individual or person.
  • Any other form of information that is collected by a website or online service, if said information is stored in a “personally identifiable form” alongside other information.

To the last point, cookies and IP addresses can be considered personally identifiable information under the CalOPPA, depending on how said information is stored. For example, if a California consumer’s IP address is stored alongside their email address on a particular website, the IP address would then be considered personally identifiable information under the CalOPPA. Conversely, if a website simply collects cookies from a California consumer but does not pair this information with another form of personal information, said cookies would not constitute personally identifiable information under the CalOPPA.

What are the requirements of businesses and organizations under the CalOPPA?

Under the CalOPPA, websites that collect personally identifiable information from California consumers are required to create a privacy policy that discloses basic information regarding said website’s privacy practices. Furthermore, this privacy policy must also be displayed on the website. Privacy policies under the CalOPPA are required to include the following information and disclosures:

  • The specific categories of information that are to be collected. For example, an ecommerce website would have to clearly state that it collects a person’s full name, address, email address, phone number, and payment information for the purpose of completing transactions on the website.
  • The specific categories of third parties who may also receive this information. For example, mail carriers and payment processors would be included among the third parties who receive personally identifiable information under the CalOPPA. However, the CalOPPA does not require websites to specifically name these third parties.
  • A detailed description of any processes or procedures that California consumers can use to review and request changes to any personally identifiable information that has been collected from them. The CalOPPA does not mandate that websites develop such processes or procedures, but instead requires websites to describe any such mechanisms that may be in place.
  • A detailed description of the processes that will be used to inform California consumers of changes to a website’s privacy policy.
  • The date on which a given privacy policy will go into effect.

What are the penalties for violating the CalOPPA?

The CalOPPA is enforced by the California Attorney General and does not allow California consumers to bring private right of action cases against websites that violate the CalOPPA. Websites that are found to be in violation of the CalOPPA are subject to a maximum fine of $2,500 per violation. Moreover, violations of the CalOPPA are defined in a different manner than in many other privacy laws. Under the CalOPPA, a California consumer simply accessing a non-compliant website or mobile app constitutes a violation. By contrast, many privacy policies around the country have much stricter rules in terms of what can be considered a violation of a particular law or statute.

To provide an example of this, the California Attorney General sued Delta Airlines in 2012 on the grounds that the company had failed to create and display a privacy policy for its mobile app. While this case was ultimately thrown out by the California Court of Appeal and Delta Airlines was able to avoid any monetary penalties or fines, the airline company would have been fined for each person who had used the app to that point had a judge ruled in favor of the California Attorney General. As such, this case demonstrates the potential severity of monetary penalties that can be handed down in relation to CalOPPA violations.

With the combination of the CalOPPA and the CCPA, the state of California has become the leader in America with regard to comprehensive privacy legislation. What’s more, few countries or territories around the world have privacy legislation that is as extensive as that of the state of California. While the CCPA has been passed more recently and as a result has been given more media attention, the CalOPPA is another effective measure geared towards protecting the personally identifiable information that California consumers provide to websites and online operators.