What is CalOPPA?

CalOPPA stands for California Online Privacy Act. It is a California state law which came into effect in 2004 and was amended in 2012 to extend its reach. It requires websites and online services to post a privacy policy on their websites if they collect any personally identifying information from residents of California, and to comply with that privacy policy. They must also disclose how they handle Do Not Track requests.

Does CalOPPA apply to you?

Do you own a website or online service that collects and maintains personal data from a California resident? Then CalOPPA applies to you. Your website or business does not need to be in California for this law to apply; you just need to have users or visitors from California. If you are unsure whether this applies to you, it’s best to err on the side of caution and have a privacy policy in place that has you covered.

What is Personal Data?

Personal data is information about an individual that, either alone or when collected together, can reveal the identity of the individual.

Examples of personal data are:

  • full name
  • home address
  • email address
  • telephone number
  • birth date
  • social security number
  • height
  • weight

What are your requirements?

In order to be compliant with the CalOPPA you will need to ensure that your website has the following:

  1. A conspicuous privacy policy
  2. Disclosure of Do Not Track signals
  3. Privacy Policy requirements

A Conspicuous Privacy Policy

One of the main requirements under CalOPPA is having a conspicuous privacy policy on your website. In order for your privacy policy to comply with CalOPPA you need to:

  • have a conspicuous link on your homepage that includes the word “privacy”
  • make the link stand out by increasing the size of the font, using a contrasting colour or a symbol that calls attention to it

To be CalOPPA compliant, you must not only post a compliant privacy policy but also adhere to it.

In the words of the California Attorney General’s office: “It requires them to say what they do and do what they say – to conspicuously post a privacy policy and to comply with it”.

Disclosure of Do Not Track Signals

In order to comply with the requirements of CalOPPA, you are required to disclose how you respond to Do Not Track signals. Specifically you are required to:

  • ensure it’s easy for your users to locate the section that discloses your practices in your privacy policy by labelling it clearly, for example “California Do Not Track Disclosure”.
  • explain how you respond to a browser’s Do Not Track signal
  • state whether any third parties may be collecting personal data on your website.

Privacy Policy Requirements

In order for your privacy policy to comply with CalOPPA’s requirements it needs to contain the following:

  • use an easy to read format: consider adding an index to make it easy for your users to find the appropriate clauses
  • ensure the policy is in a format that can be easily printed
  • list what personal data you collect
  • list how you collect that data
  • provide a retention period for personal data
  • explain what you use the personal data for
  • list third parties you share data with and if possible provide a link to their privacy policy
  • if you use cookies, list which cookies you use
  • list the rights and choices of the consumer with regards to their personal data
  • outline what security measures are in place to help safeguard your users’ data
  • a description of how you notify your users of changes to your privacy policy
  • your contact details if your user has any queries relating to your privacy policy
  • the privacy policy’s effective date

Privacy Policy Clauses

To ensure your privacy policy is compliant the following clauses should be included.

Personal Data Collection

In this clause you outline what personal data you collect from your users and the ways in which you collect it.

Examples of the types of personal data collected could be: full name and address, residential address, mailing address, social security number or passport number.

The ways in which personal data might be collected include, for example: registering for an account, requesting a service, or signing up to receive emails.

Use of Personal Data

Explain to your users in your privacy policy how you use their personal data once collected. Some ways your website might use data include: providing products and services, verifying users’ identities, tracking sales data or investigating complaints, amongst many others.

Sharing of Your Data

Do you share your users’ data with a third party? If so, you will need to include this clause in your privacy policy. Third parties you may supply personal data to include, but are not limited to: insurers, third party suppliers and payment service providers.

If you share data with any third party services you are required to list that service. Examples of third party services you may share personal data with are advertising services, analytics services (such as Google Analytics), debt collection services or data storage services.

Retaining and Deleting Personal Data

Outline to your users how long you retain their personal data. It’s not always possible to know in advance how long you will need to retain your users’ data. In that case you will need to specify the criteria for retention; this might be until the user no longer holds an account with you, for example.

Your Rights and Choices

It is important that your users and visitors are aware of their choices and rights.

Examples of choices for your users may be that they can opt out of email marketing or they can opt out of some service related communications.

The rights for US-based citizens that you will need to include are: Your Rights to Access, Your Right to Withdraw Consent, and Your Right to Update, Correct or Delete.

California Privacy Rights

In this clause you will list the specific rights of California residents, which have not already been listed above, including the Do Not Track Disclosure clause.

California residents are permitted to obtain information regarding the third parties to whom you disclose personal data, once a year, free of charge. Residents who are under 18 years of age are allowed to request and have removed any content they have posted publicly.


As part of your cookie policy, you will need to explain what cookies are, the types of cookies you use, the purpose of using cookies, cookies used by third party service providers (if any), and how to manage cookies.

There are a number of different cookies that may be used on your website; they include session cookies, persistent cookies, functionality cookies, performance cookies, advertising tracking cookies and affiliate tracking cookies.

The purposes of using cookies may include: authentication, advertising and analysis, for example.

It is important that you give your users information on how they can opt out of cookie tracking with any third party services you share their personal data with.

For more information on cookies see our article: What are Cookies and What do They do?

Data Security

Outlining the ways in which your website does its best to secure personal data is another requirement for your CalOPPA compliant privacy policy. As there is no foolproof method of securing online data, it is important to say so in this clause, along with any security measures you have in place.

Changes and Updates

Let users and visitors know how you will make any changes to your privacy policy.

Our Details

Ensure your users can contact you if they have any questions regarding your privacy policy. Include an email address and/or contact page in your policy.

Consequences of not Complying

CalOPPA has no enforcement provisions of its own, so it is expected to be enforced through California’s Unfair Competition Law. This law “prohibits unlawful, unfair or fraudulent business acts or practices.”

Any violations of CalOPPA can be reported on the California Attorney General’s office website.


In order to be compliant with this California Privacy Law your website will need to ensure it has a privacy policy which contains all of the information listed above. You will also need to ensure that the link to your privacy policy is placed conspicuously for your users to see.
