What is ‘CalOPPA’?

Lydia F de la Torre
May 11
California apples crate label, Diving Girl Brand, Schmidt Litho. Co. (California Historical Society)

The California Online Privacy Protection Act (CalOPPA) is a California law that requires operators of commercial websites and online services to display a privacy policy.

Cal. Bus. & Prof. Code Section 22575 et seq.

Relationship with other laws: CalOPPA does not contain explicit exemptions. However, organizations are exempt from CalOPPA if they are subject to federal laws that preempt state law. For example, commercial airlines subject to the federal Airline Deregulation Act (which preempts state-law consumer protection claims against commercial airlines) have been found to be exempt from CalOPPA (see Case Study: Delta Airlines Inc).

Effective date: CalOPPA became operative on July 1, 2004.

See Cal. Bus. & Prof. Code Sec. 22579.

Who is subject to CalOPPA (Territorial Scope)?

CalOPPA imposes obligations on ‘operators’ of commercial websites and online services, located within or outside California, that collect personally identifiable information from consumers residing in California (see Cal. Bus. & Prof. Code Section 22575(a)).

(1) ‘Operator’

‘Operator’ under CalOPPA means any person or entity that owns a Web site located on the Internet or an online service that collects and maintains PII from a consumer residing in California who uses or visits the Web site or online service if the Web site or online service is operated for commercial purposes.

‘Operator‘ does not include any third party that operates, hosts, or manages, but does not own, a Web site or online service on the owner’s behalf or by processing information on behalf of the owner. See Cal. Bus. & Prof. Code Section 22577(c).

PRACTICE TIP: Organizations that only provide web hosting or managed services are typically excluded from CalOPPA compliance, although they may decide to require or encourage compliance by their customers to avoid becoming entangled in lawsuits on a contributory-liability basis.


PRACTICE TIP: In theory, an ‘operator’ could stay outside the scope of CalOPPA by not collecting PII from California residents (for example, by blocking access from California). In practice, few organizations can, or want to, exclude California residents from their online services.

(2) ‘Online service’

‘Online service’ is not defined under CalOPPA.

PRACTICE TIP: The CA AG has broadly interpreted the term ‘online service’ to include ‘any service available over the Internet or that connects to the Internet, including internet-connected gaming platforms, voice-over-Internet protocol services, cloud services and mobile applications.’ (see, Case Study: Delta Airlines Inc).

What is regulated by CalOPPA (Material Scope)?

CalOPPA applies to the online collection of ‘personally identifiable information’ of a consumer.

(1) Online Collection

Collection is not defined by CalOPPA.

PRACTICE TIP: CalOPPA applies to both online websites and other online services including mobile apps (See Case Study: Delta Airlines Inc)

(2) Personally Identifiable Information

‘Personally identifiable information’ (PII) under CalOPPA means individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form (See Cal. Bus. & Prof. Code Section 22577(a)). PII includes, but is not limited to:

(1) A first and last name.

(2) A home or other physical address, including street name and name of a city or town. ‘Operators’ of mobile apps that collect precise location data should therefore assume they are covered by CalOPPA, since such data can identify a consumer’s physical address.

(3) An e-mail address.

(4) A telephone number.

(5) A social security number.

(6) Any other identifier that permits the physical or online contacting of a specific individual.

(7) Other information: Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in (1) through (6) above.

PRACTICE TIP: Passively collected information (that is, information collected by a site or online service from the user without the user actively providing it, such as website usage information) is only PII under CalOPPA if it is maintained in a way that connects it with an identifiable consumer. Operators of websites that do not require visitors to register or identify themselves may not have to post a CalOPPA-compliant privacy policy, unless they link usage information with names, addresses, contact information or other identifiers considered PII under CalOPPA.

(3) Consumer

‘Consumer’ under CalOPPA means any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes (See Cal. Bus. & Prof. Code Section 22577(d)).

PRACTICE TIP: Operators of B2B websites or online services are not expressly exempted and can be exposed to liability under CalOPPA. Even where the site or service is directed at other businesses, an organization may not be able to completely rule out that a consumer residing in California has accessed its site or service and, where such access results in the collection of PII as defined by CalOPPA, the obligation to post a privacy policy is triggered.

Individual rights: Right to be informed

Consumers have a right to be informed of the data handling practices of the ‘operator’ under CalOPPA. This is done through the posting of a privacy policy.

To be compliant with CalOPPA, a privacy policy must meet certain content and format standards.

Content standards

The privacy policy shall do all of the following (see Cal. Bus. & Prof. Code Section 22575(b)):

General content:

  • Identify the categories of PII that the ‘operator’ collects through the Web site or online service about individual consumers and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.
  • If the operator maintains a process for the consumer to review and request changes to PII collected through the Web site or online service, provide a description of that process.
  • Describe the process by which the operator notifies consumers of material changes to the operator’s privacy policy for that Web site or online service.
  • Identify its effective date.

‘Do-not-track’ disclosures:

While CalOPPA does not prohibit online tracking, it requires disclosure of how organizations respond to web browser signals and other mechanisms that allow consumers to choose whether they want to allow collection of their PII over time and across third-party websites. Specifically, ‘operators’ shall:

  • Disclose how the operator responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection. This requirement may be satisfied by providing a clear and conspicuous hyperlink to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.
  • Disclose whether other parties may collect PII about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.

A statement that the operator does not honor ‘Do Not Track’ signals is compliant with CalOPPA, provided the statement is accurate: a disclosure that misdescribes the operator’s actual tracking practices invites claims under the deceptive-practices prong of the Unfair Competition Law discussed below.

Format standards

The privacy policy must be ‘conspicuously posted’ (Cal. Bus. & Prof. Code Section 22575(a)) through any of the following (see Cal. Bus. & Prof. Code Section 22577(b)):

(A) For websites:

(1) A Web page on which the actual privacy policy is posted if the Web page is the homepage or first significant page after entering the Web site.

(2) An icon that hyperlinks to a Web page on which the actual privacy policy is posted, if the icon is located on the homepage or the first significant page after entering the Web site, and if the icon contains the word “privacy.” The icon shall also use a color that contrasts with the background color of the Web page or is otherwise distinguishable.

(3) A text link that hyperlinks to a Web page on which the actual privacy policy is posted, if the text link is located on the homepage or first significant page after entering the Web site, and if the text link does one of the following:

  • Includes the word “privacy.”
  • Is written in capital letters equal to or greater in size than the surrounding text.
  • Is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.

(4) Any other functional hyperlink that is so displayed that a reasonable person would notice it.

(B) For online services:

In the case of an online service, any other reasonably accessible means of making the privacy policy available for consumers of the online service.

Obligations

See ‘individual rights’ above.

Sanctions and remedies

An ‘operator’ is in violation of CalOPPA if it fails to comply with its provisions in either of the following ways (Cal. Bus. & Prof. Code Section 22576):

(a) Knowingly and willfully.

(b) Negligently and materially.

However, an ‘operator’ that has failed to post a privacy policy is in violation only if it fails to post its policy within 30 days after being notified of noncompliance (Cal. Bus. & Prof. Code Section 22575(a)).

Enforcement actions for violation of CalOPPA can be brought under California’s general Unfair Competition Law (UCL) (see Cal. Bus. & Prof. Code Section 17200 et seq.). Actions to enforce CalOPPA via the UCL can be brought by the Attorney General or a district attorney. Private plaintiffs, including class-action plaintiffs, may also bring an action but must show that they suffered an injury in fact and lost money or property as a result of the violation (see Cal. Bus. & Prof. Code Section 17204). Although an allegation that PII has been compromised is not by itself sufficient for a private plaintiff to bring an action, some courts have accepted the argument that consumers would have paid less for products or services had they been told about the ‘operator’s’ practices.

NOTE:

California State agencies are subject to notice requirements under Cal. Gov. Code Sec. 11015.5

Resources

Books

California Privacy Law: Practical Guide and Commentary, US Federal and California Law, by Lothar Determann (an IAPP publication)

Guidance from regulators

‘Making Your Privacy Practices Public: Recommendations on Developing a Meaningful Privacy Policy’, California Department of Justice, Kamala D. Harris, Attorney General (May 2014)

Recommended Practices on California Information-Sharing Disclosures and Privacy Policy Statements, California Office of Privacy Protection, April 2008

Case studies and case law

Case Study: Delta Airlines Inc (SUMMARY: an organization that does not have a privacy policy specifically addressing the information practices of its mobile apps may be in violation of CalOPPA; however, commercial airlines subject to the federal Airline Deregulation Act, which preempts state-law consumer protection claims against commercial airlines, are not subject to CalOPPA).

Regarding private parties bringing action under the California UCL: see Rubio v. Capital One Bank, 613 F.3d 1195, 1203 (9th Cir. 2010) and In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1072 (N.D. Cal. 2012).

Golden Data

Legal blog about data laws