CCPA vs CalOPPA
The California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA) are both California state laws. Both of these acts are in place to protect the personal information of residents of California. Let's take a look at the similarities and differences between these two acts.
Similarities and Differences
CCPA | CalOPPA |
---|---|
Is a California state law | Is a California state law |
WHO DOES IT APPLY TO? | WHO DOES IT APPLY TO? |
Applies to any business that collects personal information from residents of California and meets one or more of the following: has a gross annual revenue of over $25 million; buys, receives or sells personal information of 50,000 or more California residents, households or devices; derives 50% or more of its annual revenue from selling the personal information of California residents. | Applies to any website or online service that collects personal information from California residents. |
KEY REQUIREMENTS FOR BUSINESS | KEY REQUIREMENTS FOR BUSINESS |
Privacy policies will need to include individuals' privacy rights. These are the rights to: know; delete; opt out; non-discrimination. | Post a privacy policy on your website in a conspicuous manner by: having the privacy policy on the homepage, OR having a link including the word PRIVACY on the homepage, which takes users directly to the privacy policy, OR linking the privacy policy to the homepage via a hyperlink containing the word PRIVACY written in capital letters or a font that is larger than the surrounding font. |
Businesses are required to disclose the categories of information they collect, and this information must be available in their privacy policy. | The privacy policy needs to be easy to read, using an easy-to-read font and plain English, avoiding technical jargon where possible. |
A "Do Not Sell My Information" link must be provided on the homepage of a website to allow users to exercise their right to opt out. | Ensure that your policy contains a section explaining your website's stance on online tracking and ensure it is clearly labelled. Explain how you respond to Do Not Track signals and whether or not you disclose personal information to any third parties. |
Any financial incentives that are offered in return for personal information must be disclosed in a notice to the consumer. | Disclose all of the ways you use personal data that you collect and provide links, where possible, to any third parties you share personal data with. |
All businesses are required to keep records for 2 years of consumer requests and how they have responded to these requests. | Disclose in your policy any choices your users have in relation to the collection, use and sharing of their personal information. |
Businesses cannot sell personal information of consumers under the age of 16 unless: consumers aged 13-16 have authorised the sale of this information, or consumers under the age of 13 have had their parent or guardian authorise this sale. | Ensure you are accountable by providing clear contact details so that your users can contact you with any questions or concerns they may have. |
CCPA
The California Consumer Privacy Act came into effect on the 1st January 2020. It is a California state privacy law which increases the privacy rights and protection of personal information for the residents of California.
Who Does it Apply to
CCPA applies to any business that collects personal information from residents of California and meets one or more of the following:
- has a gross annual revenue of over $25 million
- buys, receives or sells personal information of 50,000 or more California residents, households or devices or
- derives 50% or more of its annual revenue from selling the personal information of California residents.
Key Requirements for Business
The key requirements for businesses which need to comply with CCPA are:
Privacy Policy Updates
Businesses will need to update their privacy policies to ensure that they are informing California residents of their new privacy rights. These rights are:
- the right to know: this is the resident's right to know what personal information is collected about them and how that information is used and shared by the business.
- the right to delete: this is the right of the California resident to request that their personal information be deleted. However, there are a number of reasons this request may be denied, for example if the personal information is required in order to comply with legal obligations or to complete the resident's transaction.
- the right to opt out: this allows the California resident to opt out of the sale of their personal information.
- the right to non-discrimination: this means that a resident cannot be denied goods or services, be charged differently or be provided with a different quality of goods or services because they exercised their rights under CCPA.
Disclose Categories of Personal Information Collected
Under CCPA, businesses are required to notify the consumer of the categories of information that they collect and the purpose for collecting the information. This can be done at or before the time collection takes place. The information must be readily available in the privacy policy and be updated every 12 months.
"Do Not Sell My Personal Information"
Businesses are required to provide a "Do Not Sell My Information" link on the home page of their website which takes users to an opt-out page so that they can exercise their right to opt out.
Financial Incentives
Businesses can offer financial incentives in return for personal information as long as these incentives are disclosed in a notice to the consumer explaining the terms of this incentive.
Records
Under CCPA, businesses are required to keep records of consumer requests and how they respond to these requests. These records must be kept for 2 years.
Parental or Guardian Consent
Businesses must not sell personal information that relates to consumers under the age of 16 unless:
- consumers aged 13-16 have authorized the sale of their personal information or
- consumers under the age of 13 have had their parent or guardian authorize the sale of their personal information.
CalOPPA
The California Online Privacy Protection Act came into effect in 2004 but was amended in 2013 to reflect new privacy disclosures regarding tracking online visits. It is the first state law to make it mandatory for websites and online services to post a privacy policy.
Who Does it Apply to
If you own a website or online service that collects and maintains personally identifying information from a California resident, then CalOPPA applies to you. "Personally identifying information" refers to data collected via the internet that, either alone or when collected together, can reveal the identity of the individual.
Examples of personally identifying information are: the individual's name, address, email address, telephone number, and social security number.
Key Requirements for Business
If you own or operate a website or online service then you are required to post a privacy policy on your website in a conspicuous manner. To comply you must:
- ensure the privacy policy is shown on the homepage of the website or
- have a link via an icon containing the word Privacy on the homepage that takes users directly to the privacy policy or
- link the privacy policy to the homepage via hyperlink text containing the word PRIVACY written in capital letters or in a greater font size than the surrounding text.
You are also required to stick with what is stated in your privacy policy. As stated by the General California Department of Justice, "It requires them to say what they do and do what they say—to conspicuously post a privacy policy and to comply with the terms of the policy."
Privacy Policy Recommendations
To comply with CalOPPA, your privacy policy needs to follow these recommendations from the General California Department of Justice:
Readability
- Use an easy-to-read format.
- Use plain, easily understood English and avoid technical jargon where possible.
Online Tracking / Do Not Track
- Ensure the part of your privacy policy that explains your stance on online tracking is labeled clearly for your consumer, for example "California Do Not Track Disclosures".
- Explain how you respond to Do Not Track signals.
- Disclose whether any third parties may collect personally identifiable information on your site.
Data Use and Sharing
- Disclose all of your uses of personal data collected.
- If possible, provide a link to the privacy policies of any third parties you share personally identifiable information with.
Individual Choice and Access
- Disclose the choices a consumer has in relation to the collection, use and sharing of their personal information.
Accountability
- Ensure you provide contact details for any questions or concerns your users may have.
Conclusion
Both CCPA and CalOPPA are California state laws. They both apply to businesses that collect data from California residents; however, CCPA only requires compliance if your business has an annual turnover of over $25 million OR buys, sells or receives personal information of 50,000 or more California residents OR derives 50% or more of its annual revenue from selling the personal information of California residents.
Both CCPA and CalOPPA require that your business has a privacy policy; however, each law sets different specific requirements. Check out our table above for the specific requirements of each of these Acts.
Your business does not need to be located in California for either of these laws to apply to you. If you have any users or customers who are residents of California then you must ensure you are complying with the laws.
For your CalOPPA and CCPA compliant privacy policy, please check out our generators.
Disclaimer
The information in this article is for informational purposes only and should not be construed as legal advice on any matter and does not create a lawyer-client relationship.