What is required under CalOPPA?

The operator of a commercial website or online service must conspicuously post a privacy policy on its website. According to CalOPPA, conspicuously posting a privacy policy means:

  • The privacy policy is shown on the website’s homepage; or
  • A link – via an icon that contains the word “privacy” – appears on the homepage and directly takes consumers to the privacy policy. In this instance, the icon must be in a color different from the homepage’s background; or
  • The privacy policy is linked to the homepage via a hypertext link that contains the word “privacy,” is written in capital letters equal to or greater in size than the surrounding text; is displayed in a type, font or color that contrasts with the surrounding text of the same size; or is otherwise distinguishable from surrounding text on the homepage.

CalOPPA also requires website operators to adhere to their stated privacy policy. The California Attorney General’s Office says, “It requires them to say what they do and do what they say – to conspicuously post a privacy policy and to comply with it.”

To be considered in compliance with CalOPPA, the website’s privacy policy must contain the following:

  • A list of the categories of personally identifiable information the operator collects;
  • A list of the categories of third parties with whom the operator may share such personally identifiable information;
  • A description of the process (if any) by which the consumer can review and request changes to his or her personally identifiable information as collected by the operator;
  • A description of the process by which the operator notifies consumers of material changes to the operator’s privacy policy; and
  • The effective date of the privacy policy.

The average U.S. adult reads at an 8th grade reading level. The clear majority of Fortune 500 privacy policies in the study require a reading comprehension level beyond that of the average U.S. adult. 82% of those privacy policies required a college-level reading ability.

Consequences of not having a privacy policy and/or not having a policy that is legally compliant:

  • California can seek statutory penalties of $2,500.00 for each user who accesses the site;
  • FTC civil penalties of up to $10,000 for each violation. See Commission Rule 1.98(d), 16 C.F.R. Sec. 1.98(d).
  • COPPA penalties: $42,530. 

