The state of privacy legislation in the United States is pretty shocking: there's no overarching federal data privacy law at all.

The United States lags far behind Europe and the UK, and even behind many up-and-coming economies in Southeast Asia.

The primary data privacy law in the US that applies generally, rather than to a specific privacy field such as health or children's privacy, is a state law rather than a federal law known as the California Online Privacy Protection Act 2003 (CalOPPA).

This guide will cover what CalOPPA is, what the law covers, who it applies to, and how to comply.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices  - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.

What is CalOPPA

CalOPPA came into law on 1 July 2004 and covers operators of commercial websites that collect personally identifiable information. Its main requirement is that these website operators must conspicuously link to a Privacy Policy on their website.

The Privacy Policy required by CalOPPA law must also have certain clauses, including:

  • What types of personal information is collected and the third parties this collected personal information may be shared with
  • How users can request changes to any of the personally identifiable information that was collected
  • How the operator will notify users of changes/updates to the Privacy Policy
  • The effective date of the Privacy Policy
  • How the operator responds to the "Do Not Track" requests of users
  • Whether other third parties may collect personally identifiable information about users through the operator's service

How to Comply with CalOPPA

First, ask if CalOPPA applies to your business. CalOPPA applies to operators of commercial websites or online services that collect "personally identifiable information through the Internet about individual consumers residing in California."

It applies if your business is a SaaS app, a mobile app, a Facebook app, and so on.

In 2012, the California Attorney General issued an agreement with mobile app providers that stated that CalOPPA also applies to mobile apps.

"Personally Identifiable Information" for the purposes of CalOPPA includes but is not at all limited to:

  • First and last names
  • Home or physical street addresses
  • An email address
  • A telephone number
  • A Social Security number
  • Or any other information that permits a specific individual to be contacted physically or online
  • Birthdates
  • Height, weight, hair color

Clauses For Your CalOPPA Privacy Policy

If CalOPPA applies to you, you're going to legally need to have a Privacy Policy. You'll also need to make sure that your Privacy Policy meets CalOPPA's requirements. Make sure your Privacy Policy includes these following clauses.

What Personal Information You Collect and How/Why

Take a look back at the list of "personally identifiable information" above and check whether your website/mobile app collects any of those or any other information that could possibly be used to identify an individual. If you have users signing up for accounts, making purchases on your e-commerce store or if you use third-party services such as (Google Analytics, you collect personally identifiable information.

If so, disclose the types of information you collect in your Privacy Policy agreement and how/why you do so.

For example, you might want to say "If you create a user account, we will collect your contact details. If you purchase an item through our store, we will ask you to provide your physical address and credit card details so that we can process your payment."

Here's an example of a clause that discloses this information in an easy-to-understand way:

SurveyMonkey Privacy Policy: Excerpt of Information we collect about you clause

How/If You Share Personal Information

If you collect personal data and share it, disclose this. For example, if you're an ecommerce store, you'll need to disclose that you share information with credit card processing companies or other payment processors in your ecommerce Privacy Policy.

Here's how Shopify addresses this information in its Privacy Policy:

Shopify Privacy Policy: When and why do we share this information with third parties clause

This clause addresses everything from working with third parties and conducting marketing campaigns to complying with laws and being involved in a transfer or sale of the business.

How Users Can Review and Update Their Information

This can be a simple instruction such as "You can login to your user profile and correct, amend, or delete information about yourself."

Or, if you don't have that type of user account/interface, be sure to include your contact details where users can reach out and request to have their information changed.

For example: "Contact us at [X] phone number or [X] email address to find out what information we have collected about you, and to request any changes."

Here's a clause that includes a link to account settings where users can access and adjust their personal information, as well as an email address where users can reach out to request that the company make the adjustments on behalf of the user:

Living Clean Privacy Policy: Accessing and Updating Information clause

How You Respond to "Do Not track" Requests

In this clause you need to outline whether or not you honor Do Not Track requests. You aren't required to honor them, but you are required to disclose whether or not you do. This clause can be a simple, basic statement acknowledging what you plan to do, such as this one:

Politico Privacy Policy: DNT clause

Privacy Policy's Effective Date

Make sure you include a date when the Privacy Policy was last updated and became effective. This is typically included at the very top of the Privacy Policy so users know whether or not it's current.

Sony Privacy Policy effective date

Also include a clause that lets users know you may update your Policy from time to time and how you'll alert them of any material changes.

Whatsapp Privacy Policy: Updates to Our Policy clause

The example above invites readers to review the Privacy Policy from time to time to learn about updates or changes, but also states that it will provide notice of amendments to the Policy "as appropriate." It doesn't specifically state how it will provide such notice, but common ways are through notice emails and pop-ups on the website/app.

Your Privacy Policy will need other clauses as well, but these are the main ones that CalOPPA specifically calls you to have.

Displaying Your CalOPPA Privacy Policy

After you have a CalOPPA-compliant Privacy Policy, you need to make sure that it's posted clearly and conspicuously on your website/app. The hyperlink to your Privacy Policy agreement must contain the word "Privacy" and be conspicuous by:

[...] being written in capital letters equal to or greater in size than the surrounding text or by being displayed in a type, font or color that contrasts with the surrounding text of the same size or must be otherwise distinguishable from surrounding text on the homepage.

Include a link in your website footer where users can access your Privacy Policy at any time:

SurveyMonkey Footer

In mobile apps, you can add a link within a menu, such as an About, Settings or Legal menu:

Screenshot of Just Eat app Help menu

As long as your Policy can be accessed at any time, isn't hidden or in an unintuitive location, and actually includes the word "Privacy," you can add it to your website or mobile app in the way that best works with the layout and design.

Getting Agreement to Your Privacy Policy

When it comes to getting agreement to your Privacy Policy, clickwrap and browsewrap are two commonly used methods. However, browsewrap methods have not stood up well in court, while clickwrap methods have been held to be legally enforceable by numerous courts in the US and beyond.

Clickwrap is a much stronger method of getting consent to your legal agreements (regardless if it's a Privacy Policy or not) where the links are posted alongside a checkbox or a button that explicitly states "I Agree" which informs users that they're entering into an agreement:

EngineYard - I Agree To Terms of Service

In the example above, this leaves no doubt about whether the link has been clear and conspicuous enough for the user. It's clearly distinguished from other text.

In the case of mobile apps, a clickwrap method can be implemented by way of an "I agree" button or checkbox whenever users first open the app or whenever they sign-up for an account through the app.

Here's a great example from Samsung of how to implement a good clickwrap method in mobile apps:

Mobile App of Samsung Account: Accept or Decline Terms & Conditions

If you collect personal information from residents of the state of California, you'll need to:

  • Have a Privacy Policy
  • Include CalOPPA-specific requirements like a DNT clause and effective date
  • Make your Privacy Policy easily accessible/not hidden
  • Include the word "Privacy" in your Privacy Policy link
  • Use clickwrap methods to get users to agree to your Policy

All US Privacy Laws

Want to read more about privacy laws in the USA? Start here:

COPPA: Children's Online Privacy Protection Act Federal law that protects the privacy of children under 13 years of age when online or using a mobile app.
HIPAA: Health Insurance Portability and Accountability Act Federal law that protects the privacy of health information of individuals.
California CalOPPA: California Online Privacy Protection Act California law that requires commercial websites to properly display a compliant Privacy Policy.
California CCPA: California's Consumer Privacy Act California law that gives consumers many privacy rights while putting transparency obligations on businesses.
California CPRA: California's Privacy Rights Act California law that expands the CCPA and gives consumers additional rights.
Virginia VCDPA: Virginia's Consumer Data Protection Act Virginia law that allows users to opt out of the sale of their personal data.
Maryland PIPA: Maryland's Personal Information Protection Act Maryland law that requires businesses to keep personal information private and secured.
Utah UCPA: Utah's Consumer Privacy Act Utah law that provides a range of consumer privacy rights, including the right to data portability.
Connecticut CTDPA: Connecticut's Personal Data Privacy and Online Monitoring Connecticut law that places transparency requirements on businesses while granting consumers rights over their personal data.
Colorado CPA: Colorado's Privacy Act Colorado law that grants privacy rights to consumers while dictating how businesses can collect and process personal data.
Florida FPPA: Florida's Privacy Protection Act Florida law that lets consumers control how their personal data is used, while requiring businesses to be more transparent.

Privacy Policy Generator
Comprehensive compliance starts with a Privacy Policy.

Comply with the law with our agreements, policies, and consent banners. Everything is included.

Generate Privacy Policy