The Data Protection Act (DPA) 2018 is the UK’s updated data protection law which became effective on 25th May 2018 and was recently amended on the 1st January 2021 to reflect the United Kingdom’s exit from the EU. It sits alongside the UK GDPR and replaces the Data Protection Act 1998. The United Kingdom is […]
What is CalOPPA?
On this page
Does CalOPPA apply to you?
What is Personal Data?
Personal data is information about an individual that either alone or when collected together can reveal the identify of the individual.
Examples of personal data are:
- full name
- home address
- email address
- telephone number
- birth date
- social security number
What are your requirements?
In order to be compliant with the CalOPPA you will need to ensure that your website has the following:
- Disclosure of Do Not Track signals
- have a conspicuous link on your homepage that includes the word “privacy“
- make the link stand out by increasing the size of the font, using a contrasting colour or a symbol that calls attention to it
Disclosure of Do Not Track Signals
In order to comply with the requirements of CalOPPA, you are required to disclose how you respond to Do Not Track signals. Specifically you are required to:
- explain how you respond to a browsers Do Not Track signal
- state whether any third parties may be collecting personal data on your website.
- use an easy to read format: consider adding an index to make it easy for your users to find the appropriate clauses
- ensure the policy is in a format that can be easily printed
- list what personal data you collect
- list how you collect that data
- provide a retention period for personal data
- explain what you use the personal data for
- list the rights and choices of the consumer with regards to their personal data
- outline what security measures are in place to help safeguard your users data
- the privacy policies effective date
Personal Data Collection
In this clause you outline what personal data you collect from your users and the ways in which you collect it.
Examples of the types of personal data collected could be: full name and address, residential address, mailing address social security number or passport number.
The ways in which personal data might be collected are: registering for an account, requesting a service, or signing up to receive emails for examples.
Use of Personal Data
Sharing of Your Data
If you share data with any third party services you are required to list that service. Examples of third party services you may share personal data with are advertising services, analytics services (such as Google Analytics), debt collection services or data storage services.
Retaining and Deleting Personal Data
Outline to your users how long you retain their personal data for. It’s not always possible to know in advance how long you will need to retain your users data. In that case you will need to specify the criteria for retention, this might be until the user no longer holds an account with you, for example.
Your Rights and Choices
It is important that your users and visitors are aware of their choices and rights.
Examples of choices for your users may be that they can opt out of email marketing or they can opt out of some service related communications.
The rights for US based citizens, that you will need to include, are: Your Rights to Access, Your Right to Withdraw Consent, and Your Right to Update, Correct or Delete.
California Privacy Rights
In this clause you will list the specific rights of California residents, which have not already been listed above, including the Do Not Track Disclosure clause.
California residents are permitted to obtain, information regarding third parties, who you disclose personal data to, once a year, free of charge. Residents who are under 18 years of age are allowed to request and have removed any content they have posted publicly.
There are a number of different cookies that may be used on your website, they include session cookies, persistent cookies, functionality cookies, performance cookies, advertising tracking cookies and affiliate tracking cookies.
The purposes of using cookies may include: authentication, advertising and analysis, for example.
It is important that you give your users information on how they can opt out of cookie tracking with any third party services you share their personal data with.
For more information on cookies see our article: What are Cookies and What do They do?
Changes and Updates
Consequences of not Complying
There are no enforcement provisions of it’s own, so CalOPPA is expected to be enforced through California’s Unfair Competition Law. This law “prohibits unlawful, unfair or fraudulent business acts or practices.”
Any violations to CalOPPA can be reported to the California Attorney general’s office website.