How the California Online Privacy Protection Act (CalOPPA) Affects You


This article is the first in a series of articles that will be written on Internet Privacy Policies. This article is intended to succinctly communicate the important legal issues of CalOPPA. The purpose of this article is simple – to notify website owners of whether they should be CalOPPA compliant.

What is CalOPPA?

The California Online Privacy Protection Act (CalOPPA) is a law enacted by California, the first of its kind. Aside from Connecticut’s privacy law, no other state has an Internet privacy law. At present, there is no comprehensive federal law that requires companies to have a privacy policy, aside from a limited number of laws that apply to specific industries, including health and financial services.

Who is Affected?

CalOPPA is broad and if you have a website, it is more than probable that you fall within its grasp. More specifically, one must be CalOPPA compliant only if that person or entity is an “operator.”

One is an operator only if the three elements described below are met:

Element 1: The person or entity must own or operate a commercial website or an online service (i.e., non-commercial websites or online services are excluded). Even if one operates a commercial site, one is nonetheless exempt if one is an internet service provider (ISP) or a similar entity transmitting or storing personally identifiable information for a third party.

Element 2: The website or online service must maintain personally identifiable information for a consumer. Personally identifiable information is defined expansively, and a non-exclusive list of personally identifiable information includes a person’s:

  1. First and last name
  2. Home or other physical address, including street name and name of a city or town
  3. E-mail address
  4. Telephone number
  5. Social security number
  6. Any other identifier that permits the physical or online contacting of a specific individual
  7. Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.

Element 3: The personally identifiable information must be collected from California residents. Unless the website limits itself to non-California residents, which is unlikely, it is very probable that the website meets this third element.

In summary, this law reaches far beyond California and conceivably covers websites operated throughout the world. The elements of the operator test are broad and few, making it likely your website satisfies the test.

If CalOPPA Applies, What Should You Do?

If you are an operator according to the above test, then there are several steps you should take to be CalOPPA compliant. These steps will be discussed in greater detail in the next blog post.

