CalOPPA Overview
The California Online Privacy Protection Act (CalOPPA) was the first state law in the United States to require commercial websites and online services to post a privacy policy. Enacted in 2003 and amended in 2013, CalOPPA applies to any operator of a commercial website or online service that collects personally identifiable information (PII) from California residents, regardless of where the business is located.
Unlike the CCPA, which has revenue and data-volume thresholds, CalOPPA applies broadly to any website or app that collects data from Californians. This makes it one of the most widely applicable privacy laws for online businesses.
Is CalOPPA still relevant now that CCPA exists?
Yes. CalOPPA and CCPA serve different purposes. CalOPPA requires you to post a privacy policy and has no revenue threshold, meaning it applies to far more businesses than CCPA. Even if you are not subject to CCPA, you almost certainly need to comply with CalOPPA if California residents visit your website.
Requirements Checklist
Every CalOPPA-compliant privacy policy must address these items.
Categories of PII Collected
List every type of personally identifiable information you collect (names, email addresses, phone numbers, IP addresses, browsing data, etc.)
Third-Party Sharing Categories
Disclose the categories of third parties with whom you share PII (analytics providers, advertising networks, payment processors, etc.)
Review and Request Process
Describe how users can review their PII and request changes to inaccurate information.
Effective Date
Include the date the privacy policy takes effect and how you notify users of changes.
Do Not Track Disclosure
State how your website responds to Do Not Track browser signals.
Conspicuous Posting
Place a visible "Privacy" link on your homepage that links directly to your privacy policy.
Template Preview
Below is an example structure for a CalOPPA-compliant privacy policy. This is for educational purposes and must be customized to reflect your specific data practices. Use our policy generator to create a tailored version.
Privacy Policy (CalOPPA-Compliant Template)
Effective Date: [Date]
1. Information We Collect: We collect the following categories of personally identifiable information: [names, email addresses, IP addresses, browsing data, payment information, etc.]
2. How We Use Your Information: We use collected information for [service delivery, communications, analytics, marketing, security, etc.]
3. Third-Party Sharing: We share information with the following categories of third parties: [analytics providers, advertising networks, payment processors, hosting services, etc.]
4. Do Not Track: [We honor / We do not currently honor] Do Not Track browser signals. Third parties [may / do not] collect tracking data on our website.
5. Reviewing Your Information: You may review the PII we hold about you and request corrections by contacting us at [email/method].
6. Policy Changes: We will notify you of material changes by [posting a notice on our website / sending an email]. The updated effective date will appear at the top of this policy.
This preview covers the core structure. A complete policy should also address data security, cookie use, and children's privacy if applicable.
Do Not Track Disclosure
CalOPPA requires every covered website to disclose how it responds to Do Not Track (DNT) browser signals. This was added in the 2013 amendment and remains a unique requirement among US privacy laws.
What DNT Signals Are
Do Not Track is a browser setting that sends a signal to websites requesting they stop tracking the user. Most modern browsers support DNT, though not all websites honor it.
Your Disclosure Options
You can state that you honor DNT signals, that you do not honor DNT signals, or that you have no position on DNT. The key is that you must disclose your stance clearly in your privacy policy.
Third-Party Tracking Disclosure
You must also disclose whether third parties (such as analytics or ad networks) collect tracking information about your users across other websites when they visit your site.
Conspicuous Posting
CalOPPA does not just require you to have a privacy policy. It requires that the policy be "conspicuously posted." This means the link must be easy to find and clearly labeled.
Use the word Privacy: The link text must contain the word "Privacy" (e.g., "Privacy Policy" or "Your Privacy Rights")
Homepage placement: The link must appear on your website's homepage, typically in the footer.
One-click access: Users must be able to reach your full privacy policy within one click from any page on your site.
Visual distinction: The link should use a different font size, color, or style to stand out from surrounding text.
Does a footer link count as conspicuous?
Yes, a footer link is generally considered compliant as long as it appears on the homepage and every page, contains the word "Privacy," and is reasonably visible. Most websites use a footer link as their primary method of conspicuous posting. The California Attorney General has accepted this approach in enforcement actions.
CalOPPA vs CCPA vs CPRA
Understanding how California's three major privacy laws differ and overlap.
| Feature | CalOPPA | CCPA | CPRA |
|---|---|---|---|
| Enacted | 2003 | 2018 | 2020 |
| Scope | Any website collecting PII from CA residents | Businesses meeting revenue/data thresholds | Amends and expands CCPA |
| Primary focus | Transparency (post a policy) | Consumer rights (know, delete, opt out) | Expanded rights + enforcement agency |
| DNT disclosure | Required | Not required | Not required |
| Revenue threshold | None | $25M+ annual revenue | $25M+ annual revenue |
| Enforcement | CA Attorney General | CA Attorney General | CA Privacy Protection Agency |
Most businesses subject to CCPA or CPRA are also subject to CalOPPA. Compliance with one does not automatically satisfy the others, so check each law's requirements independently. See our legal requirements guide for more detail.
Who Must Comply
CalOPPA applies to any person or entity that:
- Operates a commercial website or online service
- Collects personally identifiable information from California residents
- Is located anywhere in the world (CalOPPA has no geographic restriction on the operator)
This includes individual bloggers, small business owners, SaaS providers, ecommerce stores, mobile app developers, and large corporations. If your website has any California visitors and collects any PII (including through cookies or analytics), CalOPPA applies to you.
Not sure if a privacy policy is legally required for your situation? Our guide covers the key scenarios.
Update Requirements
CalOPPA requires your privacy policy to include an effective date and a description of how you will notify users of material changes. Learn more in our guide on how often to update your privacy policy.
Effective Date Required
Every CalOPPA-compliant policy must display its effective date. Update this date each time you make material changes to the policy.
Change Notification Process
Describe how users will be informed of changes. Common methods include posting a notice on your website, sending an email to registered users, or displaying an in-app notification.
Annual Review Recommended
While CalOPPA does not mandate a specific review frequency, best practice is to review your policy at least once per year and whenever you add new data collection methods or third-party services.
Third-Party Disclosure
CalOPPA requires you to disclose the categories of third parties with whom you share personally identifiable information. You do not need to name specific companies, but you must describe the types of entities involved.
Analytics providers: Google Analytics, Mixpanel, Hotjar, and similar tools that track user behavior on your site.
Advertising networks: Google Ads, Facebook/Meta Ads, and other platforms used for retargeting or campaign tracking.
Payment processors: Stripe, PayPal, and other services that handle financial transactions.
Hosting and infrastructure: Cloud providers, CDNs, and hosting services that may have access to server logs containing PII.
Email service providers: Mailchimp, SendGrid, and similar platforms used for newsletters or transactional emails.
Common Mistakes to Avoid
Missing Do Not Track disclosure
Many websites forget the DNT disclosure entirely. Even if you do not honor DNT signals, you must state this clearly in your policy.
Hidden privacy policy link
Burying the link deep in your site or using vague link text like "Legal" instead of "Privacy Policy" violates the conspicuous posting requirement.
No effective date
CalOPPA specifically requires an effective date on your privacy policy. Omitting it is a straightforward compliance failure.
Using a generic template without customization
Copying a privacy policy that does not reflect your actual data practices can be worse than having no policy at all, as it creates misleading disclosures.
Failing to update after adding new services
Adding Google Analytics, a new payment processor, or email marketing without updating your third-party disclosure creates a gap in compliance.
How to Create Your CalOPPA Policy
Identify all data you collect
Audit every form, cookie, analytics tool, and third-party integration on your site. List every category of PII you collect from visitors.
Document third-party sharing
Map out every third party that receives user data, whether directly or through embedded scripts and pixels.
Draft your Do Not Track disclosure
Decide your stance on DNT signals and write a clear statement about how your website responds to them.
Ensure conspicuous posting
Add a clearly labeled "Privacy Policy" link to your homepage footer and ensure it is accessible from every page.
Add your update notification process
Include the effective date and describe how you will inform users when the policy changes.
Review and publish
Check the policy against CalOPPA requirements, then publish and set a calendar reminder for annual review.
Frequently Asked Questions
What is CalOPPA and who does it apply to?
CalOPPA (California Online Privacy Protection Act) requires any commercial website or online service collecting personally identifiable information from California residents to post a conspicuous privacy policy. It applies regardless of where the business is located.
How is CalOPPA different from CCPA?
CalOPPA focuses on transparency by requiring websites to post a privacy policy. CCPA goes further by granting consumers specific rights (know, delete, opt out). CalOPPA has no revenue threshold, while CCPA applies only to businesses meeting certain size criteria.
What must a CalOPPA privacy policy include?
Categories of PII collected, categories of third parties with whom data is shared, the process for users to review and request changes to their data, an effective date, change notification process, and a Do Not Track disclosure.
What does conspicuous posting mean under CalOPPA?
Your privacy policy link must be prominently displayed on your homepage with the word "Privacy" in the link text. It should be accessible within one click from any page and visually distinct from surrounding text.
Do I need to honor Do Not Track signals?
CalOPPA does not require you to honor DNT signals, but you must disclose in your privacy policy how your site responds to them. You must also disclose whether third parties collect tracking data on your site.
What are the penalties for non-compliance?
The California Attorney General enforces CalOPPA. After a 30-day notice to fix violations, fines can reach $2,500 per individual violation. Because each user visit can be a separate violation, penalties can accumulate rapidly.
How often should I update my CalOPPA policy?
Update your policy whenever your data practices change and review it at least annually. CalOPPA requires an effective date and a description of how users will be notified of material changes.