The California Online Privacy Protection Act or CalOPPA

September 01, 2021 | 5 minutes read
The California Online Privacy Protection Act or CalOPPA

The California Online Privacy Protection Act or CalOPPA for short is an online privacy protection law that regulates the ways in which online operators and websites can collect, use, and disclose the personal information or data of California consumers. While the law shares many similarities with the recently passed California Consumer Privacy Act or CCPA, the CalOPPA is generally a less stringent and restrictive law than the CCPA. However, the CalOPPA is a much broader and far-reaching law than the CCPA in relation to the number of businesses within the state of California who must maintain compliance with the CalOPPA or face non-compliance fines or penalties.

How is an online operator defined under the CalOPPA?

Under the CalOPPA, online operators are defined as “An operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service”. The CalOPPA creates no financial threshold in relation to compliance and also does not mandate that a business interacts with a certain number of consumers within the state of California. Additionally, mobile apps are considered to fall under the jurisdiction of the CCPA, as mobile app developers can also face fines and penalties for non-compliance with the CalOPPA.

How is personally identifiable information defined under CalOPPA?

The CalOPPA defines personally identifiable information to mean “individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form”. To this end, the following forms of personally identifiable information are covered under the CalOPPA:

To the last point, cookies and IP addresses can be considered personally identifiable information under the CalOPPA, depending on how said information is stored. For example, if a California consumer’s IP address is stored alongside their email address on a particular website, the IP address would then be considered to be personally identifiable information under the CalOPPA. Conversely, a website that simply collects cookies from a California consumer, but does not pair this information with another form of personal information, said cookies would not constitute personally identifiable information under the CalOPPA.

What are the requirements of businesses and organizations under the CalOPPA?

Under the CalOPPA, websites that collect personally identifiable information from California consumers are required to create a privacy policy that discloses basic information in regards to said website’s privacy practices. Furthermore, this privacy policy must also be displayed on the website. Privacy policies under the CalOPPA are required to include the following information and disclosures:

What are the penalties for violating the CalOPPA?

The CalOPPA is enforced by the California Attorney General and does not allow for California consumers to bring a private right of action cases against websites that violate the CalOPPA. Websites that are found to be in violation of the CalOPPA are subject to a maximum fine of $2,500 per violation. Moreover, violations of the CalOPPA are defined in a different manner than many other privacy laws. Under the CalOPPA, a California consumer simply accessing a non-compliant website or mobile app constitutes a violation under the CalOPPA. Alternatively, many privacy policies around the country have much stricter rules in terms of what can be considered a violation of a particular law or statute.

To provide an example of this, the California Attorney General sued Delta Airlines in 2012 on the grounds that the company had failed to create and display a privacy policy in regard to their mobile app. While this case was ultimately thrown out by the California Court of Appeal and Delta Airlines was able to avoid any monetary penalties or fines, the airline company would have been fined for each person who used the app to that point had a judge ruled in the favor of the California Attorney General. As such, this case demonstrates the potential severity of monetary penalties that can be handed down in relation to CalOPPA violations.

With the combination of the CalOPPA and the CCPA, the state of California has become the leader in America in regard to comprehensive privacy legislation. What’s more, few countries or territories around the world have privacy legislation that is as extensive as the state of California. While the CCPA has been passed more recently and as a result has been given more media attention, the CalOPPA is another effective measure geared towards protecting the personally identifiable information that California consumers provide to websites and online operators.

 

Related Reads

Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy
September 06, 2023 | 4 minutes read
Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy

Body-worn cameras are an essential piece of equipment for law enforcement officers and the redaction of faces from BWC footage is necessary to protect the privacy of individuals.

Learn More »
Sensitive Information, Protected: Patient Privacy, HIPAA, And You
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
Protecting Privacy in the Healthcare Field: PII, PHI & PCI
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
FISA Section 702, Is The US Government Monitoring You?
June 26, 2023 | 6 minutes read
FISA Section 702, Is The US Government Monitoring You?

Is there a give-and-take relationship that must be accepted when it comes to keeping the country safe? Should U.S. persons be okay with the incidental collection of their conversations in the name of national security under FISA Section 702? Even when it violates their constitutional rights? Well, that’s up to Congress to decide.

Learn More »
The Gap You Won’t Want to Close: Air-Gapped Systems
June 05, 2023 | 6 minutes read
The Gap You Won’t Want to Close: Air-Gapped Systems

An air-gapped system is a computer, or network that is physically isolated from any external connections and networks which includes the Internet. It operates in total isolation with neither wired nor wireless connections to other devices.

Learn More »
Using Redaction for Privacy Maintenance as An Investigator
May 31, 2023 | 5 minutes read
Using Redaction for Privacy Maintenance as An Investigator

These oaths emphasize upholding the law, serving the public, and protecting the rights of individuals. One of these many rights is privacy. An investigator must adhere to the legal and ethical guidelines within the jurisdiction and perform their investigation within those specifically set boundaries.

Learn More »