What are the privacy laws in California? What’s the difference between CCPA and CalOPPA? How does the CCPA affect your business?
In this post, we take a look at the main requirements of California privacy laws, and we explain what you may need to do to comply.
California is the US state with the most comprehensive legislation on data privacy. As of today, there are three main laws regulating data collection and the processing of users’ personal information.
Let’s have a more in-depth look at each one of them.
The California Consumer Privacy Act (CCPA) is the most robust US law on data privacy, and it’s often referred to as the “California GDPR”.
The CCPA was signed into law in 2018, became effective on January 1st, 2020, and became fully enforceable on July 1st, 2020.
The law aims to give consumers more control over the data that businesses collect about them by granting them additional rights.
Does the CCPA apply to you?
It’s worth mentioning that by “business”, the CCPA means any for-profit organization that targets California residents (even if the business is not actually located in California), processes the data of California residents for its own purposes, and meets at least one of the following requirements:
*Note that since IP addresses fall under what is considered personal data, it’s likely that any website with at least 50k unique visits per year from California falls within the scope of the last point.
💡 Not every business that collects Californian consumer data is subject to the CCPA, but such businesses are still subject to specific requirements under CalOPPA. More about this in the next section.
As we said above, the CCPA may not apply to you if you don’t fall under its definition of business, but you will still likely need to comply with the California Online Privacy Protection Act (CalOPPA).
CalOPPA took effect in 2004 and was the first US state law to make privacy policies mandatory. It was amended in 2013 to regulate the tracking of users.
CalOPPA has a broader scope than the CCPA: it applies to any person or entity that owns or operates a commercial website or online service that collects and maintains personally identifiable information from California-based consumers.
In order to comply with CalOPPA, you should:
The Children’s Online Privacy Protection Act (COPPA) was enacted by Congress in 1998 and required the Federal Trade Commission to issue and enforce regulations concerning children’s online privacy. The amended Rule became effective on July 1st, 2013.
The primary goal of COPPA is to protect children’s privacy online: COPPA puts parents in control over what information from their children is collected and processed by websites and online services.
COPPA applies to you if your commercial website or online service (the definition includes mobile apps):
As with the European GDPR, California privacy laws may also apply outside the state’s borders.
These laws aim to protect California users, so they can apply to any entity, in or outside California, that does business with California-based users.
Now that you know which laws apply to you, let’s go over what you may need to do to comply.
If CalOPPA also applies to you, add a statement about how you handle “Do Not Track” requests.
Then, it’s important that you show a “Do Not Sell My Personal Information” (“DNSMPI”) notice so that users can opt out.
We have designed a set of tools that can help you comply with CCPA, CalOPPA and COPPA all at once.
iubenda makes it easy for you to meet enhanced requirements by:
With our Cookie Solution, you can display a “Do Not Sell My Personal Information” notice and manage opt-outs.
More specifically, you can:
Then, you may need to keep track of your users’ requests.
Our Consent Solution hooks onto your web forms to let you automatically pass on consumer preference details, such as opt-outs. As the CCPA mandates that opted-out users may not be contacted for a minimum of 12 months after the request, it’s prudent to keep records of opt-out details.
Achieve CCPA compliance for your site, app and organization. Easily manage consent, processing records and more.