California has some of the strictest privacy laws in the United States. One such law, California’s Online Privacy Protection Act (“CalOPPA”), requires any person or entity that owns or operates a commercial website or online service that collects personally identifiable information (“PII”) (discussed below) from California residents to have a clearly visible and accessible privacy policy. The privacy policy must give consumers notice of what types of PII the business collects and what the business does with the PII.
PII includes a consumer’s name; address; e-mail address; telephone number; social security number; and any other identifier that allows the physical or online contacting of a specific individual. If your business’s website has a contact form or an email newsletter sign-up form, you are collecting PII.
- Identification of the categories of PII that are collected through the website or online service—and the categories of third parties that PII may be shared with (e.g., payment service vendors);
- A clear explanation of how a consumer can review and request changes to any of their PII;
- Disclosure regarding a Do Not Track (“DNT”) request (discussed below); and
- Details of third parties who collect PII through the website or app.
CalOPPA is enforced by the California Attorney General, who can impose a penalty of $2,500 per violation for failure to comply.