CalOPPA and CCPA: A quick guide for online businesses

If you have a website privacy policy, you’re probably familiar with the 2003 California Online Privacy Protection Act (CalOPPA). However, a new law known as the California Consumer Privacy Act (CCPA) has set the internet abuzz since coming into effect on January 1, 2020.

To business owners who are still adjusting to the changes brought by the General Data Protection Regulation, the arrival of the CCPA has generated a whole new raft of questions.

To understand the new legislation and how it could impact your business, we’ve summarised the key differences and privacy considerations that you need to know for each law.

What are the CalOPPA and CCPA?

The CalOPPA was the first data privacy law in the US that required all commercial websites collecting personal data about Californian residents to have a privacy policy. The CCPA, which is the toughest data privacy law that has been passed in the US to date, was passed in 2018 to give Californian residents more control over their personal data and online tracking.

To address issues around the resale of people’s information, the CCPA introduced a set of consumer “rights” that businesses must respect:

• The Right to Notice. You must inform consumers at or before the point of collection what types of personal information you will collect from them and why.
• The Right to Access. Consumers should be able to request a business to disclose the categories of personal information collected about them, as well as the categories of third parties with which the business shares user information
• The Right to Deletion. Consumers should be able to request the deletion of any personal information collected on them by a business.
• The Right to Opt-Out. Consumers should have the authority to stop the sale of their personal information to third parties. Minors aged 13-16 also have the right to opt-in to the sale of their data, while those aged under 13 require the prior consent of a parent or guardian.
• The Right to Equal Services and Prices. If a consumer chooses to exercise any of these rights, a business must not treat them any differently.

Neither CalOPPA or CCPA require consent prior to the collection of personal data, unless that data belongs to a Californian resident under the age of 16.

Who do these laws apply to?

The CalOPPA applies to any business or online service that collects “personally identifiable information” about Californian residents, regardless of their physical location.

Examples of personal information mentioned by the law include names, email addresses, phone numbers or any other information that can be combined with these to identify somebody (such as an IP address or cookies).

While most businesses are likely to be impacted by the CalOPPA, the CCPA is more targeted towards companies that process and profit off the personal information of consumers on a large scale.

It applies to any organisation that conducts business with Californian consumers and meets one of the following criteria:

• Buys, sells or shares the personal data of 50,000 or more people, households or devices a year
• Makes a gross annual revenue of more than $25 million
• Makes at least 50% of their annual revenue by sharing consumers’ personal information

An important caveat to note is that the CCPA also considers Internet, electronic network activity and biometric data to be personal information.

This may take some businesses by surprise, as the collection of data such as browsing history and even website server logs could now mean that they must comply with the CCPA.

What are the compliance requirements for each law?

Complying with the CalOPPA is relatively easy. You must have a website privacy policy that is clearly displayed on your website and includes information on the following seven items:

• The types of personal data collected.
• How personal data is used.
• Whether a user’s personal data is shared with third parties and how it is being shared.
• How users can review, change and update the information that is collected about them.
• Whether you respond to “Do Not Track” (DNT) requests. This is a browser setting that visitors can turn on to signal to websites not to track or collect their browsing data.
• The effective date of the privacy policy.
• A statement disclosing that you may update this privacy policy in the future.

The CCPA compliance requirements are essentially the same, with some extra stipulations.

If your business meets the regulation’s criteria, your privacy policy must be updated yearly and contain additional information about:

• The rights that the CCPA has granted consumers.
• The categories of personal information your business has collected, shared or sold in the preceding year. If you don’t sell or share any user data, you must add a statement in your privacy policy to confirm this.
• How users can opt-out of the sale of their data. If your business sells the personal data you collect from users, you must also create a “Do Not Sell My Personal Information” web page and link to it on your site’s homepage.
• How your business verifies the identity of users who request access to their data.

While the enforcement date for the CCPA isn’t until July 1, 2020, many companies are scrambling to update their policies and practices to avoid the huge fines allotted by the regulation.

Under the CCPA, a “violation” of the law can be as simple as someone visiting your website and can cost you a fine of up to $7,500.

In an increasingly globalised marketplace, both the CalOPPA and CCPA have a far-reaching impact.

All website owners should be aware of how these new regulations could impact their business and the way they manage their customers’ personal data.

Looking for the best privacy policy generator?

GetTerms.io makes compliance easier with our free privacy policy generator. Create your privacy policy now.