CCPA vs CalOPPA

The California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA) are both California state laws. Both of these acts are in place to protect the personal information of residents of California. Let's take a look at the similarities and differences between these two acts.

map of California
Listen to this article in audio format

Similarities and Differences

CCPACalOPPA
Is a California State Lawis a California State Law
WHO DOES IT APPLY TO?WHO DOES IT APPLY TO
applies to any business collections personal information from residents of California who meets one or more of the following:
  • gross annual turnover of over $25 million
  • buys, receive or sells personal information of 50,000 or more California residents
  • derives 50% or more of its annual revenue for the sale of personal information from Californian residents
applies to any website or online service that collects personal information from California residents.
KEY REQUIREMENTS FOR BUSINESSKEY REQUIREMENTS FOR BUSINESS
Privacy policies will need to include Individuals Privacy Rights. These are the right to: know delete opt out non discriminationPost a privacy policy on your website in a conspicuous manner by: having privacy policy on the homepage OR having a link including the word PRIVACY on the homepage, which takes users directly to the privacy policy OR the privacy policy is linked to the homepage via a hyperlink containing the word PRIVACY written in capital letters or a font that is larger than the surrounding font
Businesses are required to disclose categories of information they collect and this information must be available in their privacy policyThe privacy policy needs to be easy to read, using easy to read font and plain English, avoiding technical jargon where possible 
A “Do Not Sell My Information” link must be provided on the homepage of a website to allow users to exercise their right to opt out.Ensure that your policy contains a section explaining your websites stance on online tracking and ensure it is clearly labelled. Explain how you respond to Do Not Track signals and whether or not you disclose personal information to any third parties.
Any financial incentives that are offered in return for personal information must be disclosed in a notice to the consumer.Disclose all of the ways you use personal data that you collect and provide links, where possible, to any third parties you share personal data with.
All businesses are required to keep records for 2 years of consumer requests and how they have responded to these request.Disclose in your policy, any choices your users have in relation to the collection, use and sharing of their personal information
Business can not sell personal information of consumers under the age of 16 unless: consumers aged 13-16 have authorised the sale of this information consumers under the age of 13 have had their parent or guardian authorise this saleEnsure you are accountable by providing clear contact details so that your users can contact you with any questions or concerns they may have.

CCPA

The California Consumer Privacy Act came into effect on the 1st January 2020. It is a California state based privacy legislation which increases the privacy rights and protection of personal information for the residents of California.

Who Does it Apply to

CCPA applies to any business that collects personal information from residents of California and meets one or more of the following:

  • has a gross annual revenue of over $25 million
  • buys, receives or sells personal information of 50,000 or more California residents, households or devices or
  • derives 50% or more of its annual revenue form selling the personal information of California residents.

Key Requirements for Business

key requirements for business to comply with CCPA

The keys requirements for businesses which need to comply with CCPA are:

Privacy Policy Updates

Businesses will need to update their privacy policies to ensure that they are informing California residents of their new privacy rights. These rights are:

  • the right to know: this is the residents right to know what personal information is collected about them and how that information is used and shared by the business.
  • the right to delete: this is the right of the California resident to request that their personal information be deleted. However there are a number of reasons this request may be denied. For example if the personal information is required in order to comply with legal obligations or it is required in order to complete your transaction.
  • the right to opt out: this allows the Californian resident to opt out of the sale of their personal information
  • the right to non discrimination: this means that a resident cannot be denied goods or services, be charged differently or be provided with a different quality of goods or services because they exercised their rights under CCPA.

Disclose Categories of Personal Information Collected

Under CCPA businesses are required to notify the consumer of the categories of information that they collect and what the purpose for collecting the information is.. This can be done at the time or before collection takes place. The information must be readily available on the privacy policy and be updated every 12 months.

"Do Not Sell My Personal Information"

Businesses are required to provide a "Do Not Sell My Information" link on the home page of their website which takes them to an opt-out page so that they can exercise their right to opt out.

Financial Incentives

Businesses can offer financial incentives in return for personal information as long as these incentives are disclosed in a notice to the consumer explaining the terms of this incentive.

Records

Under CCPA, businesses are required to keep records of consumer requests and how they respond to these requests. These records must be kept for 2 years.

Parental or Guardian Consent

Businesses must not sell personal information that relates to consumers under the age of 16 unless :

  1. consumers aged 13-16 have authorized the sale of their personal information or
  2. consumers under the age of 13 have had their parent or guardian authorize the sale of their personal information.

CalOPPA

The California Online Privacy Protection Act came into effect in 2004 but was amended in 2013 to reflect new privacy disclosures regarding tracking online visits. It is the first state law to make it mandatory for websites and online services to post a privacy policy.

Who Does it Apply to

If you own a website or online service that collects and maintains personally identifying information from a California resident then CalOPPA applies to you. "Personally identifying information" refers to data collected via the internet that either alone or when collected together can reveal the identify of the individual.

Examples of personally identifying information are: the individuals name, address, email address, telephone number, and social security number.

Key Requirements for Business

CalOPPA requirements staff training

If you own or operate a website or online service then you are required to post a privacy policy on your website in a conspicuous manner. To comply you must:

  • ensure the privacy policy is shown on the homepage of the website or
  • have a link via an icon containing the word Privacy on the homepage that takes users directly to the privacy policy or
  • the privacy policy is linked to the homepage via a hyperlink text containing the word PRIVACY written in capital letters or in greater size font than surrounding text.

You are also required to stick with what is stated in your privacy policy. As stated by the General California Department of Justice "It requires them to say what they do and do what they say—to conspicuously post a privacy policy and to comply with the terms of the policy."

Privacy Policy Recommendations

CalOPPA compliant privacy policy

To comply with CalOPPA your privacy policy needs to comply with the following recommendations from the General California Department of Justice:

Readability

  • Use an easy to read format
  • use plain, easily understood English and avoid technical jargon where possible.

Online Tracking/ Do Not Track

  • Ensure the part in your privacy policy that explains your stance on online tracking is labeled clearly for your consumer. Example "California Do Not Track Disclosures"
  • Explain how you respond to Do Not Track signals.
  • Disclose whether any third parties may collect personal identifiable information when on your site.

Data Use and Sharing

  • Disclose all of your uses of personal data collected.
  • If possible provide a link to privacy policies of any third parties you share personally identifiable information with

Individual Choice and Access

  • Disclose the choices a consumer has in relation to the collection, use and sharing of their personal information.

Accountability

  • Ensure you provide contact details for any questions or concerns your users may have.

Conclusion

Both CPPA and CalOPPA are California state laws. They both apply to businesses that collect data from California residents however CCPA only requires compliance if your business has an annual turnover of over $25 million OR buys, sells or receives personal information of 50,000 or more California residents OR derives 50% or more of its annual revenue from selling the personal information from Californian residents.

Both CCPA and CalOPPA require that your business has a privacy policy, however each law requires different specific requirements. Check out our table above for the specific requirements of each of these Acts.

Your business does not need to be located in California for either of these laws to apply to you. If you have any users or customers who are residents of California then you must ensure you are complying with the laws.

For your CalOPPa and CCPA compliant privacy policy please check out our generators.

Disclaimer

The information in this article is for informational purposes only and should not be construed as legal advice on any matter and does not create a lawyer-client relationship

Your Legal Toolkit

Latest Articles

What is the Data Protection Act 2018?

The Data Protection Act (DPA) 2018 is the UK's updated data protection law which became effective on 25th May 2018 and was recently amended on the 1st January 2021 to reflect the United Kingdom's exit from the EU. It sits alongside the UK GDPR and replaces the Data Protection Act 1998. The United Kingdom is […]

Read More...
Where to put a Privacy Policy on your Website?

A Privacy Policy is a legal requirement for any business or website, but where should you put your Privacy Policy on your website? To be compliant with a number of International laws, including GDPR, CalOPPA and Australian Privacy Act 1988, your privacy policy is required to be in a prominent, easily located place on your […]

Read More...
3 Reasons Your Website Needs a Privacy Policy

Whether you own a website, blog or eCommerce store you may find yourself wondering, do I need a privacy policy? The short answer is, if you collect personal data from your readers or users in any form, then yes you do need a privacy policy. The three most important reasons you will require a privacy […]

Read More...