Nineteen years later, CalOPPA is still basically the only game in town in the US.
You might be thinking something like… “Wait, didn’t California pass a privacy law in the past couple of years too?”
In fact, it did. In 2020, the California Consumer Privacy Act (“CCPA” for short) went into effect. You’ll be excused for thinking that CCPA might impose some restrictions on you… some online lawyers went into a fear-mongering mode to use CCPA as a reason for you to buy something from them.
Back to the law that actually does apply…
CalOPPA is an amazing law. It’s amazing because it was passed back when about 75% of Americans were still using dial-up internet and more than 90% of people were browsing the web with Internet Explorer.
What’s even more amazing is CalOPPA’s simplicity.
But I’m guessing you’d rather not read a statute… I get it. I’m a lawyer, and I don’t really like reading statutes (but it’s kinda my job).
Luckily for you, this guide will break CalOPPA down into plain English so you know exactly what you need to do to comply.
Let’s dive in.
Are You Required To Comply With CalOPPA?
If you’re building an online business, the short answer is… Yes.
Or at least the answer is that you will be subject to CalOPPA at SOME point in the life of your online business.
Here’s the long explanation…
CalOPPA’s language is pretty clear (at least for a law!):
- you operate a commercial Web site or online service;
- that site or service collects personally identifiable information through the Internet; and
- that includes information about consumers residing in California.
A business website will obviously meet the first prong.
Assuming you aren’t a local business in some other part of the country… you are going to have folks from California visiting your site. So if you’re collecting personally identifiable information, the third prong will be met.
So the only question is whether you are collecting “personally identifiable information” about people who visit your site.
CalOPPA defines that terms as including any of the following:
- First AND Last Name
- Email Address
- Phone Number
- Social Security Number
- Anything that would allow you to contact a specific person
- Information collected by a website or service if it is stored alongside one of the other pieces of personal information
Every business website should be set up to collect one or more of the first four categories of information. Whether it’s email addresses for your email marketing or names and addresses for purchases… I’m guessing you are collecting at least one category of information.
That means you are subject to CalOPPA.
That wasn’t so bad, now was it??
- What Information Your Website Collects
- Who You Might Share The Information With
- How Someone Can Review & Revise The Information (if applicable)
- How You’ll Tell People About Changes To Your Policy
- The Effective Date Of Your Policy
- How You Handle Do Not Track Requests
A quick note… CalOPPA is not really about guaranteeing or protecting privacy. It does not set any rules for what may be collected, with whom it may be shared, or how you’ll answer any other privacy issues.
CalOPPA is simply about transparency.
It requires you to provide a notice to website visitors so they can assess your privacy policies for themselves.
Let’s dive into the specific information you are required to disclose.
What Information Your Website Collects
Some of the information you collect should be pretty obvious. I mean, if a user fills out a form with their name and email address, that’s personal information you are collecting.
But some of the data collection is happening behind the scenes as a result of tracking or analytics software like Google Analytics. Web-savvy online marketers understand that this kind of information collection is happening… normal folks, not so much.
Just make sure to include the statement about automatic data collection and that your system will likely associate that with the information they provide manually.
Who You Might Share The Information With
Next up, you need to explain who, outside your company, might get their hands on the information.
A lot of people think this is simple and just want to say that they won’t share the information they collect with anyone. I mean, that sounds great on an opt-in form, right?
Not sure about you, but A LOT of the opt-in forms I see have something like this one:
The trouble is that it is basically never true.
Chances are pretty stinking good that you will share some of the personal information you collect with folks outside your company. And you need to leave open the possibility that you might at some point in the future.
You’ll notice that it starts with a statement that the company generally will not share private information, but it defines instances in which it might, including:
- With subsidiaries, affiliates, and service providers to serve customers
- With a lawyer or collection agency to enforce an agreement
- To a “successor in interest” if the company is sold
- If legally required to do so
This more complete picture is the way to go. You are providing accurate information and also building trust by providing a thoughtfully constructed explanation.
If Applicable… How Someone Can Review & Revise The Information
How You’ll Tell People About Changes To Your Policy
Under CalOPPA, your policy needs to tell people how you’ll notify users of those changes.
Here’s an example of the change clause that has the best of both worlds:
We put some lawyer hedge language in saying that we’ll only email about “material changes,” which is lawyer-speak for big changes. But we also tell people that it is their responsibility to check the page periodically.
The Effective Date Of Your Policy
No reason to belabor this one!
How You Handle Do Not Track Requests
Certain web browsers have a functionality called “Do Not Track.” It’s a pretty technical functionality that really just sends a request to websites not to track. There’s nothing mandatory about it.
In 2013, CalOPPA was changed to require website owners to tell visitors how they will respond to “do not track” signals.
To be clear, you are NOT required to honor those requests… you just have to tell people whether your website will honor these requests or not.
That being said, there are other laws that cover “cookies” and require that we give notice that cookies are in use on our sites. On our site, we use a plug-in that allows users to select which cookie categories to accept:
What… we figure that a cookie notice doesn’t have to be boring! Might as well have a bit of fun. And who doesn’t like Cookie Monster?!?!
Here’s guessing you have better things to do with your time than to try to write a legal policy for your website.
(And you can always go in and edit it if you really want to!)
The most obvious way to do this is to post a link in the universal footer that appears on all pages of your website. This is how we do it:
Since we have a universal footer, that appears on every page without us having to give it another thought.
That’s a wrap on the requirements of CalOPPA.
What About CCPA?
Now that we’ve got you all covered when it comes to CalOPPA, let’s take a bit to talk about why you almost certainly don’t have to worry about the CCPA.
The CCPA was passed in 2018 and went into effect on January 1, 2020.
My simple answer was no.
But don’t worry… that almost certainly isn’t you.
Unlike CalOPPA, the CCPA is a beast of a law… both in terms of its complexity and in terms of the burdens it imposes upon businesses.
You could try reading the entire law… but I don’t recommend it. If you don’t fall asleep, you’re likely to find yourself smashing your head against the wall trying to understand the dang thing.
As a lawyer, I get why the CCPA freaked everyone out. It begins with what sounds like some pretty freaking broad language:
a) A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.
b) A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.
c) A business shall provide the information specified in subdivision (a) to a consumer only upon receipt of a verifiable consumer request.
d) A business that receives a verifiable consumer request from a consumer to access personal information shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required by this section. The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, readily useable format that allows the consumer to transmit this information to another entity without hindrance. A business may provide personal information to a consumer at any time, but shall not be required to provide personal information to a consumer more than twice in a 12-month period.
That language seems to pretty clearly say we are all subject to the CCPA. I mean, we are all businesses, right?
And we are collecting information from consumers, right?
So clearly this law applies to us, right?
A normal human being reading the law would obviously answer yes.
But laws can’t always be interpreted correctly from the perspective of a regular human.
If you think lawyers are annoying, the people who write laws are sometimes even MORE annoying… and this is one of those cases.
To understand what the CCPA actually says, you have to sift through the long, boring, and complex definitions. Specifically, the definitions of “business” and “consumer.”
In the CCPA, the term “business” doesn’t actually mean business.
Weird. I know.
In CCPA land, “business” only includes a business that meets one or more of these thresholds:
- Your annual gross revenue is more than twenty-five million dollars ($25,000,000);
- You buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices; or
- You derive 50% or more of your annual revenues from selling consumers’ personal information.
Are you starting to see why I’m pretty sure the CCPA doesn’t apply to you… and why you should really be talking to a lawyer if it does?
I mean… if your business is raking in $25 million or more per year, you really should be talking to your lawyer about CCPA and other legal issues rather than reading legal guides about them. (Even really awesome guides like this one!)
And if you’re a data broker who makes a living by collecting and selling data… you really should have a privacy lawyer on speed dial.
The only threshold that you might come close to is the second one, so the question is whether your business is buying, receiving, selling, or sharing personal information from at least 50,000 consumers each year.
The CCPA defines personal information as:
“information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
It then provides a list of categories, that includes (among other things):
“Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.”
This section is considerably broader than the CalOPPA definition, most notably because it includes IP addresses.
Without getting all technical, you should just assume that your website is collecting data about the IP addresses of visitors (and collecting even more data if you have analytics installed).
So, the only remaining question is whether you are collecting information from at least 50,000 consumers.
You might think this means you just have to look at your Google Analytics to see how many website visitors you had in the last year.
And… you would be wrong.
Just like “business” doesn’t mean business, “consumer” doesn’t really mean consumer. The CCPA defines “consumer” to only include people living in California.
So, the net result is that you only qualify as a “business” if you are collecting personal information from 50,000 California residents each year.
Although each business is different, chances are that you won’t come close to qualifying as a “business” that is subject to the CCPA until you have a high-seven or low-eight-figure business.
If that’s you… probably a good idea to stop reading this really cool guide and call your lawyer.
If you’ve made it down to the bottom of this post, you’re a trooper in my book. And if you’re still awake, I may have just made it entertaining enough.