Iubenda logo
Start generating


Table of Contents

California Privacy Laws: What You Need To Know and How To Comply

What are the privacy laws in California? What’s the difference between CPRA (CCPA amendment) and CalOPPA? How does the CPRA (CCPA amendment) affect your business?

In this post, we take a look at the main requirements of California privacy laws, and we explain what you may need to do to comply.

California Privacy Laws

What are the privacy laws in California?

California is the US state with the most comprehensive legislation on data privacy. As of today, there are three main laws regulating data collection and the processing of users’ personal information.

Let’s have a more in-depth look at each one of them.

The California Consumer Privacy Act CCPA is the most robust US law on data privacy, and it’s often referred to as the “California GDPR”.

The CCPA was signed into law in 2018, became effective on January 1st, 2020, and made fully enforceable from July 1st, 2020.

The law aims at giving users more control over the data that businesses collect about them by granting consumers additional rights.

Does the CCPA apply to you?
It’s worth mentioning that by “business”, the CCPA means any for-profit organization targets California residents (even if the business is not actually in California), processes the data of California residents for their own purposes and meets at least one of the following requirements:

  • it has annual gross revenues of more than twenty-five million dollars ($25,000,000); or
  • it gets 50% or more of its annual revenues from selling or sharing the personal information of consumers; or
  • it buys, receives, sells, or shares* the personal information of 50,000 or more consumers annually for the business’ commercial purposes.

*Note that since IP addresses fall under what is considered personal data, it’s likely that any website with at least 50k unique visits per year from California falls within the scope of the last point.

💡 While not every business that collects Californian consumer data is subject to the CCPA – they are still subject to specific requirements according to CalOPPA. More about this in the next paragraph.

As we said above, the CPRA (CCPA amendment) may not apply to you if you don’t fall under its definition of business, but it’s likely that you may need to comply with the California Online Privacy Protection Act (CalOPPA).

CalOPPA was enforced in 2004 and it was the first US state law to make privacy policies mandatory. It was then amended in 2013, to regulate the tracking of users.

Unlike the CPRA (CCPA amendment), CalOPPA has a broader scope, because it applies to any person or entity that owns or operates a commercial website or online service collecting and maintaining personally identifiable information from California-based consumers.

In order to comply with CalOPPA, you should:

  • post your privacy policy on your website/ app in a visible and easily accessed location;
  • include a description of the process by which users can request changes to personal data (if such a process exists) in your privacy policy;
  • include a statement on how “Do Not Track” requests are handled in your privacy policy;
  • notify affected users in the occurrence of security breaches that impact their data.

The Children’s Online Privacy Protection Act (COPPA) was enacted by Congress in 1998 and required the Federal Trade Commission to issue and enforce regulations concerning children’s online privacy. The amended Rule became effective on July 1st, 2013.

The primary goal of COPPA is to protect children’s privacy online: COPPA puts parents in control over what information from their children is collected and processed by websites and online services.

COPPA applies to you if your commercial website or online service (the definition includes mobile apps):

  • is directed to children under 13 and collects, uses, or discloses personal information from them;
  • aims to a general audience, but you know it is used by children;
  • collects information from another online service that is directed to children.

For a more in-depth guide about COPPA, you can follow this link.

Do California laws affect your business?

As for the European GDPR, California privacy laws may apply also outside the state borders.

These laws aim at protecting California users, so they can apply to every entity – in or outside California – doing business with California-based users.

If you’re still not sure which laws apply to you, you can take this quiz and find out!

More on CCPA

This article is a part of our series on CCPA compliance. Read also:

👉 CCPA vs GDPR: what’s the difference?

How to comply with California Privacy Laws

Now that you’ve made sure, let’s go back over what you may need to do to comply.

The first thing you need is a valid and clear privacy policy, with all the relevant disclosures on how you collect and process the users’ personal information. It should be easily accessible from the homepage of your website / app, describe the process by which users can request changes to personal data and your contact information for CPRA (CCPA amendment) requests.
If also CalOPPA applies to you, add a statement on how you handle “Do Not Track” requests.

Then, it’s important that you show a “Do Not Sell My Personal Information” (“DNSMPI“) notice, for users to opt-out.

Remember, you don’t always need to ask users to opt-in, but it may be mandatory if there are children involved, or you’re collecting and processing sensitive information.

Learn more about CPRA (CCPA amendment), CalOPPA and COPPA requirements.

How iubenda can help

We have designed a set of tools that can help you comply with CPRA (CCPA amendment), CalOPPA and COPPA all at once.

Our Privacy and Cookie Policy Generator allows you to choose from +1700 pre-existing clauses. For example, if COPPA applies to you, just choose “The Service is directed to children under the age of 13”.

iubenda makes it easy for you to meet enhanced requirements by:

  • Displaying CPRA (CCPA amendment) related language, disclosures, and instructions as legally required;
  • Indicating services active on your site which might constitute a sale under the CPRA (CCPA amendment) definition; and
  • Automatically updating your embedded privacy policy with the CPRA (CCPA amendment) text once activated within the generator.

With our Privacy Controls and Cookie Solution, you can display a “Do Not Sell My Personal Information” notice and manage opt-outs.
More specifically, you can:

  • Display a CPRA (CCPA amendment) notice of collection;
  • Display a “Do Not Sell My Personal Information” link within the collection notice and also allows you to add the link to your site for easy user access;
  • Supports the CCPA Compliance Framework by IAB (Interactive Advertising Bureau) which establishes a process for publishers and their partners to comply with new regulations regarding the sale of consumer data to technology companies;
  • Manually block scripts that do not adhere to the IAB CPRA (CCPA amendment) Compliance Framework.

Then, you may need to keep track of your users’ requests.

Our Consent Database hooks onto your web-forms to let you automatically pass consumer preference details, like opt-outs. As the CPRA (CCPA amendment) mandates that opted-out users may not be contacted for a minimum of 12 months after the request, it’s prudent to keep records of opt-out details.

Need to comply with California privacy laws?

Check our solutions

See also