Operators Covered
CalOPPA applies to any business that runs a commercial website or online service and collects and maintains personally identifiable information from California consumers through that site or service. A business can operate anywhere and still fall under CalOPPA when its site collects covered information from California users. “Operator” is the term CalOPPA uses to refer to the company behind the site or service that decides what information it collects and who gets access to it. Each operator needs to post a privacy policy in a conspicuous place on the site or service, and the privacy policy needs to describe information collection and sharing practices.
Personally Identifiable Information Under CalOPPA
CalOPPA covers information that identifies a specific person and provides a direct way to reach them. Sites generally don’t store individual pieces of personally identifiable information in isolation. Rather, they usually store personally identifiable information alongside other details in a form submission or account record tied to a user.
Examples of personally identifiable information under CalOPPA include a user’s:
- Name.
- Home address.
- Email address.
- Telephone number.
- Social Security number.
Sites can collect information that does not identify anyone on its own, like the text a user enters into a “Contact Us” box to explain a grievance. The message becomes identifying when the site stores it with the user’s email address or phone number. The email address or phone number identifies the sender, so the site connects the grievance text to that user when it saves the message.
Conspicuous Posting and Access
Website Placement
Under CalOPPA, operators are required to post a privacy policy where an average user can find it without digging. A footer link labeled “Privacy” works when every page includes the footer and the link stays visible on desktop and on mobile screens. Mobile layouts can hide links without anyone noticing during publishing. Collapsed menus, sticky buttons, cookie banners, and short footers can push the “Privacy” link out of view or make it hard to reach. Operators should check the live mobile layout to confirm the privacy policy link stays easy to find and easy to tap.
Ad campaign landing pages sometimes remove the usual menu and footer, which can remove the privacy policy link on the first page a user sees. Overlays like cookie banners and chat widgets can also cover the header or footer on mobile screens, so operators should confirm users can reach the privacy policy link without fighting the interface.
App and Online Service Access
CalOPPA also applies to apps and other online services that collect personally identifiable information from California users. Each operator should place the privacy policy link inside the app or service in a spot users can reach from normal navigation, like Settings or Account. App store pages can include a privacy policy link, but the app should also include a privacy policy link inside the app itself. Users should be able to open the privacy policy before signing up and after signing in.
Required Policy Disclosures
Categories of Information Collected
A privacy policy needs to state the categories of personally identifiable information the operator collects from California consumers through the website or online service. CalOPPA also requires an accurate description of how the site or service collects that information, so the policy needs to reflect the site’s real collection points, like a contact form, newsletter sign-up, scheduling form, live chat, or support request, and it should not confuse users by mentioning collection methods the site does not actually use.
Privacy policies also need to address information that does not identify a user on its own when the operator stores it with personally identifiable information in the same record. Sites can store a message or device data in the same saved record as an email address or phone number, which links the added details to a specific user. Operators can address this by adding a sentence like, “We may connect this information to your account when you create an account or submit a form.”
Third Parties With Access to Personally Identifiable Information
Operators are required to include privacy policy provision that describes the categories of third parties that the operator shares personally identifiable information with. Third parties can also collect information through features the operator adds to the site, like a website analytics tag, an advertising pixel, a live chat box, a scheduling widget, an embedded map, or an embedded video player.
Third parties that commonly have access to information include:
- Analytics companies can collect data about how users interact with pages.
- Hosting and infrastructure vendors can access data that runs through the site.
- Payment processors can collect billing information when the site processes payments.
- Customer support platforms can store messages and contact details when users ask for help.
A site can include third party features that come from other companies, like an embedded video player or an embedded map. When the page loads third party features, the other company can collect information about the visit through that feature.
Privacy policies also need to acknowledge when third parties may collect personally identifiable information through embedded features and similar integrations on the site.
Material Change Notices
CalOPPA requires the privacy policy to explain how an operator will notify users about material changes to the policy, but does not specify a specific notification channel. An operator can satisfy this requirement by posting a notice on the website or inside the app that links to the updated policy and identifies the effective date of the change.
Effective Date
Operators are also required to include an effective date in the privacy policy so users can confirm they read the current version. Operators keep the effective date accurate by updating it whenever they change the privacy policy in a way that affects what information the site collects from users or which third parties can access that information.
Do Not Track and Online Tracking Disclosures
CalOPPA adds extra disclosure duties when tracking tools used on a site can recognize a user’s browser on later visits, or recognize that browser on third party websites that use the same tools. Cross-site recognition helps an operator understand which ads or links led a user to the site and whether the user came back later. Advertisers also use it to show ads to users who visited a site before and to avoid showing ads to users who already completed an action.
A Do Not Track signal is a browser setting a user can turn on that sends a request to websites not to track online activity across other websites. When an operator collects personally identifiable information about a user’s online activities over time and across third party websites or online services, CalOPPA requires the privacy policy to disclose how the operator responds to Do Not Track signals. The privacy policy should state whether the operator honors the signal or continues tracking.
Notice-and-Cure Window for Posting Issues
Sometimes an operator receives notice that a user could not find the site’s privacy policy because the site never posted one or because the privacy policy link is hard to find in the site layout. CalOPPA gives an operator 30 days after receiving notice to correct the posting issue by placing a compliant privacy policy in a conspicuous place.
CalOPPA Compliance Checklist
Operators can use this checklist to confirm the site meets CalOPPA posting and disclosure requirements before a user or regulator flags a problem. The checklist can also help operators identify when a privacy policy no longer reflects the site’s current information collection and sharing practices.
1. Placement Review
- Privacy policy link appears in a conspicuous place on every page template, including mobile layouts.
- Ad landing pages include a clear privacy policy link that a user can find without digging.
- Cookie banners and chat widgets do not block access to the privacy policy link on mobile screens.
- App or online service includes a privacy policy link inside normal navigation, and users can open it before sign-up and after sign-in.
2. Disclosure Review
Privacy policy:
- Lists the categories of personally identifiable information collected.
- Describes how the site collects personally identifiable information through the collection points the site uses.
- Describes the categories of third parties the operator shares personally identifiable information with.
- Acknowledges when third parties may collect personally identifiable information through embedded features and similar integrations on the site.
- Explains how the operator provides notice of material changes.
- Includes an effective date and keeps it accurate after policy changes.
- Discloses how the operator responds to Do Not Track signals when cross-site tracking occurs.
- States whether third parties collect personally identifiable information about online activity over time across different websites during site use.
3. Accuracy Review
- Current forms match the policy description of what the site collects.
- Current tracking tags match the policy description of tracking and third party collection.
- Vendor access matches the third party categories listed in the policy.
- Policy stays current after the operator adds or removes tracking tools or changes sharing settings.
CalOPPA compliance usually depends on two things: whether users can find the privacy policy, and the privacy policy matches how the site collects information and who can access it. Operators can use the checklist above to compare the privacy policy to the site’s current setup, then revise the policy when the site starts collecting new information or adds new third party access.
Conn Maciel Carey LLP’s national Labor & Employment Practice Group advises employers on compliance issues that affect online operations and workplace risk management. Contact the firm at (202) 715-6244 for guidance on CalOPPA privacy policy requirements and related compliance questions.