California has the strictest privacy laws in the United States. And it's also a huge, tech-savvy market. You must not do anything that compromises your operations in this important state.
In this article, we'll be taking you through four important California-specific laws that you may have to comply with if you have users in California (no matter where you're based).
The laws are:
We're not going into too much detail about any of these laws in this article. We're going to focus on:
- The main purpose of the laws
- Whether the laws apply to you
- What is "personal information" under the laws
If you want to know more about any of these laws, we have articles about all of them. Just click the relevant link above.
California Online Privacy Protection Act (CalOPPA)
First, we're going to look at California's original, most widely applicable, and simplest privacy law, the California Online Privacy Protection Act (CalOPPA).
Does CalOPPA Apply to Me?
CalOPPA applies to any "commercial website owner [who] collects and maintains personally identifiable information from a consumer residing in California."
This means that CalOPPA applies to virtually any company operating a website or app that collects personal information from California users.
What is Personal Information Under CalOPPA?
CalOPPA uses the term "personally identifiable information." Most other privacy laws use the term "personal information" or "personal data." We're going to stick with the term "personal information" throughout this article.
Compared to many other privacy laws, such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), CalOPPA gives quite a narrow definition of personal information.
CalOPPA gives the following examples of personal information:
- A first and last name
- A home or other physical address, including street name and name of a city or town
- An email address
- A telephone number
- A social security number
- Any other identifier that allows the contacting of a specific individual
- Information concerning a user that the website or online service collects online from the user and maintains in a personally identifiable form together with one of the identifiers above
CalOPPA also requires your privacy policy to disclose the following:
- The categories of personal information you collect via your website or app.
- The categories of third parties with whom you may share that personal information.
- If you have any system that allows your users to review or request changes to their personal information, a description of that system.
- Information about how you respond to browser "Do Not Track" signals.
- A disclosure regarding whether other parties may collect the user's personal information across other websites once they've used your website or app (i.e. whether your website or app allows behavioral tracking).
California "Shine the Light" Law
California's "Shine the Light" law gives California residents the right, once per year, to request certain information about what kind of personal information your company has collected about them and then shared with third parties for direct marketing purposes.
Does the "Shine the Light" Law Apply to Me?
You must comply with California's "Shine the Light" law if all three of the following apply to your business:
- Has 20 or more employees
- Has users who are California residents
- Has shared personal information from any of your users with a third party for direct marketing purposes within the past 12 months
There are exemptions to the law. You can read more about these on our full article about the "Shine the Light" law, linked above.
What is Personal Information Under the "Shine the Light" Law?
The "Shine the Light" law lists 27 categories of personal information. If you share any of these categories of personal information with third parties for direct marketing purposes, you must disclose this to your users on request.
- Name and address
- Email address
- Age or date of birth
- Names of children
- Email or other addresses of children
- Number of children
- Age or gender of children
- Telephone number
- Political party affiliation
- Medical condition
- Drugs, therapies, or medical products or equipment used
- Kind of product the customer purchased, leased or rented
- Real property purchased, leased, or rented
- Kind of service provided
- Social Security number
- Bank account number
- Credit card number
- Debit card number
- Bank or investment account, debit card or credit card balance
- Payment history
- Information about the customer's creditworthiness, assets, income, or liabilities
Here's how Newscorp does this:
Here's how The Walt Disney Company does this:
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) is the most extensive California privacy law but applies to a narrow range of companies. It grants California residents new consumer rights and focuses on allowing them to opt out of the sale of their personal information.
Does the CCPA Apply to Me?
The CCPA mostly covers big businesses and "data brokers" - businesses that trade in personal information.
If your business operates for profit in California and meets at least one of the following criteria, the CCPA might apply to you:
- You raise gross annual revenues of at least $25 million
- You (alone or in combination) buy, sell, receive (for commercial purposes), and/or share (for commercial purposes) personal information from at least 50,000:
- You earn at least half of your gross annual revenues by selling personal information
What is Personal Information Under the CCPA?
The CCPA defines personal information much more broadly than CalOPPA. Its categories include:
- Personal information as defined in the California Customer Records Statute
- Characteristics of protected classifications under California or federal law
- Commercial information
- Biometric information
- Internet or other electronic network activity information
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment-related information
- Education information
- Inferences drawn from personal information to create a profile about a consumer
California "Online Eraser" Law
The California "Online Eraser" law allows California minors (under 18 years of age) to remove content or personal information from your website or app if your website or app is aimed at minors. It also prohibits certain types of advertising to minors.
Does the Online Eraser Law Apply to My Business?
The "Online Eraser" law could apply to you if:
The "Online Eraser" law imposes some rules on your company even if it uses a third-party advertiser.
Under the "Online Eraser" law, you must inform your advertising partners of their obligations under the law.
Here's an example from the American Licorice Company:
The American Licorice Company offers three ways for minors to erase their personal information from its site:
- Log in using their username and password
- Send the company an email
- Send the company a letter
Other Privacy Laws You May Need to Obey
There are many other privacy laws you may need to obey that are not specific to California. These include:
As long as you provide the required content and have appropriate linking to your California privacy information, you can take either approach.
Note that the California "Shine the Light" law has some specific requirements that go above and beyond the information presented below.
Post a conspicuous link like this on every page of your website where you collect personal information, such as where you have mailing list signups, registration forms, payment pages, etc.
| California Online Privacy Protection Act (CalOPPA) | California "Shine the Light" law | California Consumer Privacy Act (CCPA) | California "Online Eraser" law |
|---|---|---|---|
| The categories of personal information you collect via your website or app. | Your users' rights under the law. | A list of the CCPA consumer rights and information about how consumers can access those rights. | A method by which minors can remove (or request removal of) their personal information from your website or app. |
| The categories of third parties with whom you may share that personal information. | A method by which your users can exercise their rights under the law. | Disclosure of which categories of personal information you've collected in the past 12 months. | |
| If you have any system that allows your users to review or request changes to their personal information, a description of that system. | | Disclosure of which categories of personal information you've sold in the past 12 months (or a declaration that you haven't done so). | |
| Information about how you respond to browser "Do Not Track" signals. | | A disclosure of which categories of personal information you've disclosed for business purposes in the past 12 months (or a declaration that you haven't done so). | |
| A disclosure regarding whether other parties may collect the user's personal information across other websites once they've used your website or app. | | | |