Introduction

The California Online Privacy Protection Act (CalOPPA) is a state statutory law that establishes the data privacy notice and transparency standards for the collection of the personally identifiable information of California consumers.

Applicability

CalOPPA applies to operators of a commercial website or online service that collects personally identifiable information through the internet about individual consumers residing in California.

The term “personally identifiable information” (PII) is defined as individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form. An operator may be any person or entity that owns a website or online service that is operated for commercial purposes.

Requirements

Operators must satisfy three general requirements:

  1. Conspicuously post a privacy policy
  2. Include required disclosures in the privacy policy
  3. Comply with their own privacy policy

Operators are obligated to conspicuously post a privacy policy and include certain disclosures in the privacy policy. Conspicuous posting for websites requires that the privacy policy be placed on the website’s homepage or be accessible through an icon link or text link from the website’s homepage. Online services simply must use any reasonably accessible means to post the privacy policy.

The privacy policy must identify the categories of PII, the third parties with whom the PII is shared, a description of the data subject access request process, the privacy policy update process and effective date, how the website responds to users’ internet browser Do Not Track mechanisms, and whether third parties conduct online tracking of website users.

Operators cannot merely post a privacy policy; they must also comply with its stated privacy practices. For example, if an operator’s privacy policy states that PII is not shared with any third parties, then the operator’s actual privacy practices must conform to the stated standard by prohibiting disclosures to third parties.

Enforcement & Liability

An operator in violation of this statute must be notified of noncompliance by the California Attorney General. The operator then has 30 days to attain compliance. If compliance is achieved, the operator then has an affirmative defense available. Further, a violation must be either negligent and material or knowing and willful. Injunctive relief may be available to 

Penalties

The California Attorney General enforcing the statute may seek civil fines under Bus. & Prof. Code § 17200, because violation of CalOPPA constitutes an unlawful business practice under the California Unfair Competition Law (UCL).