The primary data privacy law in the US that applies generally, rather than to a specific privacy field such as health or children's privacy, is a state law rather than a federal law known as the California Online Privacy Protection Act 2003 (CalOPPA).
This guide will cover what CalOPPA is, what the law covers, who it applies to, and how to comply.
What types of personal information is collected and the third parties this collected personal information may be shared with
How users can request changes to any of the personally identifiable information that was collected
How the operator responds to the "Do Not Track" requests of users
Whether other third parties may collect personally identifiable information about users through the operator's service
How to Comply with CalOPPA
First, ask if CalOPPA applies to your business. CalOPPA applies to operators of commercial websites or online services that collect "personally identifiable information through the Internet about individual consumers residing in California."
In 2012, the California Attorney General issued an agreement with mobile app providers that stated that CalOPPA also applies to mobile apps.
"Personally Identifiable Information" for the purposes of CalOPPA includes but is not at all limited to:
First and last names
Home or physical street addresses
An email address
A telephone number
A Social Security number
Or any other information that permits a specific individual to be contacted physically or online
Height, weight, hair color
What Personal Information You Collect and How/Why
Take a look back at the list of "personally identifiable information" above and check whether your website/mobile app collects any of those or any other information that could possibly be used to identify an individual. If you have users signing up for accounts, making purchases on your e-commerce store or if you use third-party services such as (Google Analytics, you collect personally identifiable information.
For example, you might want to say "If you create a user account, we will collect your contact details. If you purchase an item through our store, we will ask you to provide your physical address and credit card details so that we can process your payment."
Here's an example of a clause that discloses this information in an easy-to-understand way:
How/If You Share Personal Information
This clause addresses everything from working with third parties and conducting marketing campaigns to complying with laws and being involved in a transfer or sale of the business.
How Users Can Review and Update Their Information
This can be a simple instruction such as "You can login to your user profile and correct, amend, or delete information about yourself."
Or, if you don't have that type of user account/interface, be sure to include your contact details where users can reach out and request to have their information changed.
For example: "Contact us at [X] phone number or [X] email address to find out what information we have collected about you, and to request any changes."
Here's a clause that includes a link to account settings where users can access and adjust their personal information, as well as an email address where users can reach out to request that the company make the adjustments on behalf of the user:
How You Respond to "Do Not track" Requests
In this clause you need to outline whether or not you honor Do Not Track requests. You aren't required to honor them, but you are required to disclose whether or not you do. This clause can be a simple, basic statement acknowledging what you plan to do, such as this one:
Also include a clause that lets users know you may update your Policy from time to time and how you'll alert them of any material changes.
At Step 1, select the Website option and click "Next step":
Answer the questions about your website and click "Next step" when finished:
Answer the questions about your business practices and click "Next step" when finished:
Enter your email address where you'd like your policy sent, select translation versions and click "Generate."
[...] being written in capital letters equal to or greater in size than the surrounding text or by being displayed in a type, font or color that contrasts with the surrounding text of the same size or must be otherwise distinguishable from surrounding text on the homepage.
In mobile apps, you can add a link within a menu, such as an About, Settings or Legal menu:
As long as your Policy can be accessed at any time, isn't hidden or in an unintuitive location, and actually includes the word "Privacy," you can add it to your website or mobile app in the way that best works with the layout and design.
In the example above, this leaves no doubt about whether the link has been clear and conspicuous enough for the user. It's clearly distinguished from other text.
In the case of mobile apps, a clickwrap method can be implemented by way of an "I agree" button or checkbox whenever users first open the app or whenever they sign-up for an account through the app.
Here's a great example from Samsung of how to implement a good clickwrap method in mobile apps:
If you collect personal information from residents of the state of California, you'll need to:
Include CalOPPA-specific requirements like a DNT clause and effective date
Use clickwrap methods to get users to agree to your Policy