Compliance with California’s Privacy Laws & CalOPPA


California has some of the strictest privacy laws in the United States. One such law, California’s Online Privacy Protection Act (“CalOPPA”), requires any person or entity that owns or operates a commercial website or online service that collects personally identifiable information (“PII”) (discussed below) from California residents to post a clearly visible and accessible privacy policy. That privacy policy must give consumers notice of what type of PII the business collects and what the business does with that PII.

PII includes a consumer’s name, address, e-mail address, telephone number, social security number, and any other identifier that allows a specific individual to be contacted physically or online. If your business’s website has a contact form or an e-mail newsletter sign-up form, you are collecting PII.

To be compliant with CalOPPA, a privacy policy should include the following:

  • Identification of the categories of PII that are collected through the website or online service—and the categories of third parties that PII may be shared with (e.g., payment service vendors);
  • A clear explanation of how a consumer can review and request changes to any of their PII;
  • The process for notifying consumers of any changes to the privacy policy;
  • The effective date of the privacy policy;
  • Disclosure regarding a Do Not Track (“DNT”) request (discussed below); and
  • Details of third parties who collect PII through the website or app.

CalOPPA requires businesses to state whether they honor Do Not Track (“DNT”) settings chosen by consumers. A DNT setting allows consumers to limit or prevent the collection of their PII across multiple sites. If your business does not honor DNT signals, we recommend that it include a clause in its privacy policy to the following effect:

Most web browsers and some mobile operating systems and mobile applications include a Do Not Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. We do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online as there is no uniform manner of recognizing or implementing DNT signals. Should this change, we will inform you in a revised version of this Privacy Policy.

CalOPPA is enforced by the California Attorney General, who can impose a penalty of $2,500 per violation for failure to comply.