CCPA vs CalOPPA
The California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA) are both California state laws. Both of these acts are in place to protect the personal information of residents of California. Let’s take a look at the similarities and differences between these two acts.
Similarities and Differences
| CCPA | CalOPPA |
|---|---|
| Is a California state law | Is a California state law |
| WHO DOES IT APPLY TO? | WHO DOES IT APPLY TO? |
| Applies to any business that collects personal information from residents of California and meets one or more of the following: has a gross annual revenue of over $25 million; buys, receives or sells personal information of 50,000 or more California residents, households or devices; or derives 50% or more of its annual revenue from selling the personal information of California residents. | Applies to any website or online service that collects personal information from California residents. |
| KEY REQUIREMENTS FOR BUSINESS | KEY REQUIREMENTS FOR BUSINESS |
| A “Do Not Sell My Information” link must be provided on the homepage of a website to allow users to exercise their right to opt out. | Ensure that your policy contains a section explaining your website's stance on online tracking and ensure it is clearly labelled. Explain how you respond to Do Not Track signals and whether or not you disclose personal information to any third parties. |
| Any financial incentives that are offered in return for personal information must be disclosed in a notice to the consumer. | Disclose all of the ways you use personal data that you collect and provide links, where possible, to any third parties you share personal data with. |
| All businesses are required to keep records for 2 years of consumer requests and how they have responded to these requests. | Disclose in your policy any choices your users have in relation to the collection, use and sharing of their personal information. |
| Businesses cannot sell personal information of consumers under the age of 16 unless consumers aged 13-16 have authorised the sale of this information, or consumers under the age of 13 have had their parent or guardian authorise this sale. | Ensure you are accountable by providing clear contact details so that your users can contact you with any questions or concerns they may have. |
The California Consumer Privacy Act came into effect on 1 January 2020. It is a California state privacy law that increases the privacy rights and the protection of personal information of California residents.
Who Does it Apply to
CCPA applies to any business that collects personal information from residents of California and meets one or more of the following:
- has a gross annual revenue of over $25 million
- buys, receives or sells personal information of 50,000 or more California residents, households or devices, or
- derives 50% or more of its annual revenue from selling the personal information of California residents.
Key Requirements for Business
The key requirements for businesses that need to comply with CCPA are:
Businesses will need to update their privacy policies to ensure that they are informing California residents of their new privacy rights. These rights are:
- the right to know: this is the resident's right to know what personal information is collected about them and how that information is used and shared by the business.
- the right to delete: this is the right of the California resident to request that their personal information be deleted. However, there are a number of reasons this request may be denied, for example if the personal information is required in order to comply with legal obligations or to complete your transaction.
- the right to opt out: this allows the California resident to opt out of the sale of their personal information.
- the right to non-discrimination: this means that a resident cannot be denied goods or services, be charged differently or be provided with a different quality of goods or services because they exercised their rights under CCPA.
Disclose Categories of Personal Information Collected
“Do Not Sell My Personal Information”
Businesses are required to provide a “Do Not Sell My Information” link on the home page of their website. The link takes users to an opt-out page where they can exercise their right to opt out.
Businesses can offer financial incentives in return for personal information as long as these incentives are disclosed in a notice to the consumer explaining the terms of this incentive.
Under CCPA, businesses are required to keep records of consumer requests and how they respond to these requests. These records must be kept for 2 years.
Parental or Guardian Consent
Businesses must not sell personal information that relates to consumers under the age of 16 unless:
- consumers aged 13-16 have authorised the sale of their personal information or
- consumers under the age of 13 have had their parent or guardian authorise the sale of their personal information.
Who Does it Apply to
If you own a website or online service that collects and maintains personally identifying information from a California resident, then CalOPPA applies to you. “Personally identifying information” refers to data collected via the internet that, either alone or when combined, can reveal the identity of the individual.
Examples of personally identifying information are the individual's name, address, email address, telephone number, and social security number.
Key Requirements for Business
- Use an easy-to-read format.
- Use plain, easily understood English and avoid technical jargon where possible.
Online Tracking/ Do Not Track
- Explain how you respond to Do Not Track signals.
- Disclose whether any third parties may collect personally identifiable information when users are on your site.
Data Use and Sharing
- Disclose all of your uses of personal data collected.
- If possible, provide a link to the privacy policies of any third parties you share personally identifiable information with.
Individual Choice and Access
- Disclose the choices a consumer has in relation to the collection, use and sharing of their personal information.
- Ensure you provide contact details for any questions or concerns your users may have.
Both CCPA and CalOPPA are California state laws. They both apply to businesses that collect data from California residents; however, CCPA only requires compliance if your business has an annual turnover of over $25 million OR buys, sells or receives personal information of 50,000 or more California residents OR derives 50% or more of its annual revenue from selling the personal information of California residents.
Your business does not need to be located in California for either of these laws to apply to you. If you have any users or customers who are residents of California then you must ensure you are complying with the laws.