24 July 2020
California has the strictest privacy laws in the United States, and it's also a huge, tech-savvy market. You can't afford to let non-compliance put your operations in this important state at risk.
In this article, we'll be taking you through four important California-specific laws that you may have to comply with if you have users in California (no matter where you're based).
The laws are:
We're not going into too much detail about any of these laws in this article. We're going to focus on:
If you want to know more about any of these laws, we have articles about all of them. Just click the relevant link above.
Here is a list of frequently asked questions that you may find useful.
Yes, if you do business with people located in California.
When it comes to privacy laws, the laws work to protect people in a region. Because of this, when it comes to compliance, it matters more where your customers are located rather than where your business is located.
"Shine the Light" law:
"Online Eraser" law:
You can also have users click a button that says something like "I Agree" next to a statement like the above if you don't want to use a checkbox.
First, we're going to look at California's original, most widely applicable, and simplest privacy law, the California Online Privacy Protection Act (CalOPPA).
CalOPPA applies to any "commercial website owner [who] collects and maintains personally identifiable information from a consumer residing in California."
This means that CalOPPA applies to virtually any company operating a website or app that collects personal information from California residents.
CalOPPA uses the term "personally identifiable information." Most other privacy laws use the term "personal information" or "personal data." We're going to stick with the term "personal information" throughout this article.
Compared to many other privacy laws, such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), CalOPPA gives quite a narrow definition of personal information.
CalOPPA gives the following examples of personal information:
California's "Shine the Light" law gives California residents the right, once per year, to request certain information about what kind of personal information your company has collected about them and then shared with third parties for direct marketing purposes.
You must comply with California's "Shine the Light" law if all of the following three things apply.
There are exemptions to the law. You can read more about these on our full article about the "Shine the Light" law, linked above.
The "Shine the Light" law lists 27 categories of personal information. If you share these categories of personal information with third parties for direct marketing purposes, you must disclose this to your users on request.
Here's how Newscorp does this:
Here's how the Walt Disney company does this:
The California Consumer Privacy Act (CCPA) is the most extensive California privacy law but applies to a narrow range of companies. It grants California residents new consumer rights and focuses on allowing them to opt out of the sale of their personal information.
The CCPA mostly covers big businesses and "data brokers" - businesses that trade in personal information.
If your business operates for profit in California, and it fulfills at least one of the following characteristics, the CCPA might apply to you:
You (alone or in combination) buy, sell, receive (for commercial purposes), and/or share (for commercial purposes) the personal information of at least 50,000:
A list of the CCPA consumer rights:
The right to access
The right to deletion
If you sell personal information: the right to opt-out
Disclosure of business practices over the past 12-month period:
Which categories of personal information you've sold in the past 12 months, or:
Which categories of personal information you've disclosed for business purposes in the past 12 months, or:
The California "Online Eraser" law allows California minors (under 18 years of age) to remove content or personal information from your website or app if your website or app is aimed at minors. It also prohibits certain types of advertising to minors.
The "Online Eraser" law could apply to you if:
You direct your website or app specifically to California residents under 18 (minors), or:
The "Online Eraser" law imposes some rules on your company even if it uses a third-party advertiser.
Under the "Online Eraser" law, you must inform your advertising partners of their obligations under the law.
Here's an example from the American Licorice Company:
The American Licorice Company offers three ways for minors to erase their personal information from its site:
There are many other privacy laws you may need to obey that are not specific to California. These include:
As long as you provide the required content and have appropriate linking to your California privacy information, you can take either approach.
Note that the California "Shine the Light" law has some specific requirements that go above and beyond the information presented below.
Post a conspicuous link like this on every page of your website where you collect personal information, such as where you have mailing list signups, registration forms, payment pages, etc.
| CalOPPA | California "Shine the Light" law | The CCPA | California "Online Eraser" law |
|---|---|---|---|
| The categories of personal information you collect via your website or app. | Your users' rights under the law. | A list of the CCPA consumer rights and information about how consumers can access those rights. | A method by which minors can remove (or request removal of) their personal information from your website or app. |
| The categories of third parties with whom you may share that personal information. | A method by which your users can exercise their rights under the law. | Disclosure of which categories of personal information you've collected in the past 12 months. | |
| If you have any system that allows your users to review or request changes to their personal information, a description of that system. | | Disclosure of which categories of personal information you've sold in the past 12 months (or a declaration that you haven't done so). | |
| Information about how you respond to browser "Do Not Track" signals. | | | |
| A disclosure regarding whether other parties may collect the user's personal information across other websites once they've used your website or app. | | | |