California Privacy Policy 101: A Simple How-To Legal Guide For Every Business Owner

Learn the rules imposed by California privacy policy laws! Then, grab your free privacy policy template created by a Harvard lawyer turned online entrepreneur.

When it comes to privacy laws, the United States is kinda in the stone age. There is no comprehensive federal law that protects your privacy online or even requires the transparency that comes with a website privacy policy. Instead, we have a messy patchwork of state and sector-specific laws.

Enter… California. 

Love it or hate it, California has been at the forefront when it comes to online privacy. Way back in 2003, California passed the California Online Privacy Protection Act (CalOPPA), which requires commercial websites to include a privacy policy. 

Nineteen years later, CalOPPA is still basically the only game in town in the US when it comes to requiring a privacy policy on a commercial website.

You might be thinking something like… “Wait, didn’t California pass a privacy law in the past couple of years too?” 

In fact, it did. In 2020, the California Consumer Privacy Act (“CCPA” for short) went into effect. You’d be forgiven for thinking that the CCPA imposes restrictions on you… some online lawyers went into fear-mongering mode and used the CCPA as a reason for you to buy something from them.

But, as we’ll cover later in this guide, the CCPA almost certainly doesn’t apply to your business. The CCPA privacy policy requirements really only apply to relatively large businesses and data brokers.

Back to the law that actually does apply… 

CalOPPA is an amazing law. It’s amazing because it was passed back when most Americans were still on dial-up internet and nearly everyone was browsing the web with Internet Explorer.

What’s even more amazing is CalOPPA’s simplicity. 

You can read the whole law online with a single flick of your scroll wheel. It succinctly sets out: (1) who is required to have a privacy policy, (2) what you have to include in that privacy policy, and (3) where you have to post the darn thing. 

But I’m guessing you’d rather not read a statute… I get it. I’m a lawyer, and I don’t really like reading statutes (but it’s kinda my job). 

Luckily for you, this guide will break CalOPPA down into plain English so you know exactly what you need to do to comply. 

Let’s dive in.

Are You Required To Comply With CalOPPA?

If you’re building an online business, the short answer is… Yes.

Or at least the answer is that you will be subject to CalOPPA at SOME point in the life of your online business. 

Here’s the long explanation…

CalOPPA’s language is pretty clear (at least for a law!):

“An operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site…”

California Business and Professions Code § 22575

We lawyers like to break things down into chunks, so I’m going to break this section down for you. You are required to post a privacy policy if you meet three requirements:

  1. you operate a commercial Web site or online service;
  2. that site or service collects personally identifiable information through the Internet; and
  3. that includes information about consumers residing in California.

A business website will obviously meet the first prong. 

Assuming you aren’t a local business in some other part of the country… you are going to have folks from California visiting your site. So if you’re collecting personally identifiable information, the third prong will be met.  

So the only question is whether you are collecting “personally identifiable information” about people who visit your site. 

CalOPPA defines that term to include any of the following:

  • First and last name
  • A home or other physical address, including street name and city or town
  • Email address
  • Telephone number
  • Social Security number
  • Any other identifier that permits physical or online contact with a specific person
  • Any other information the website collects online about a user and stores alongside one of the identifiers above

Nearly every business website collects one or more of the first four categories of information. Whether it’s email addresses for your email marketing or names and addresses for purchases… I’m guessing you are collecting at least one category of information.

That means you are subject to CalOPPA. 

That wasn’t so bad, now was it?? 

What Are You Required To Include In Your California Privacy Policy?

Since you are almost certainly subject to CalOPPA’s privacy policy requirement, let’s talk about what you need to include in that policy. To comply with California law, your privacy policy needs to include the following information:

  • What Information Your Website Collects
  • Who You Might Share The Information With
  • How Someone Can Review & Revise The Information (if applicable)
  • How You’ll Tell People About Changes To Your Policy
  • The Effective Date Of Your Policy
  • How You Handle Do Not Track Requests

A quick note… CalOPPA is not really about guaranteeing or protecting privacy. It does not set any rules for what may be collected, with whom it may be shared, or how you’ll answer any other privacy issues. 

CalOPPA is simply about transparency. 

It requires you to provide a notice to website visitors so they can assess your privacy policies for themselves. 

Let’s dive into the specific information you are required to disclose.

What Information Your Website Collects

First and foremost, you need to explain what information you are collecting from individuals; CalOPPA provides that your privacy policy must “identify the categories of personally identifiable information that the operator collects through the Web site…”

Some of the information you collect should be pretty obvious. I mean, if a user fills out a form with their name and email address, that’s personal information you are collecting. 

But some of the data collection is happening behind the scenes as a result of tracking or analytics software like Google Analytics. Web-savvy online marketers understand that this kind of information collection is happening… normal folks, not so much. 

So, your privacy policy should explain that you are collecting information the visitors provide and collecting information automatically. Here’s an example of a section describing what information is being collected:

[Screenshot: “Information We Collect About You” section of a privacy policy]

If you grab our free privacy policy template, you can always make the list of categories you collect more specific (e.g., names, addresses, email addresses, etc.).

Just make sure to include the statement about automatic data collection and that your system will likely associate that with the information they provide manually. 

Who You Might Share The Information With

Next up, you need to explain who, outside your company, might get their hands on the information. 

A lot of people think this is simple and just want to say that they won’t share the information they collect with anyone. I mean, that sounds great on an opt-in form, right?

Not sure about you, but A LOT of the opt-in forms I see have something like this one: 

[Screenshot: a generic opt-in form with fine print stating “We respect your privacy. Your data will not be shared or sold.”]

I’m not going to name names, but the fine print on that form (what’s below the button) is the standard “Privacy Policy Disclaimer” language for forms that’s built in to one of the online marketing apps.

The trouble is that it is basically never true. 

Chances are pretty stinking good that you will share some of the personal information you collect with folks outside your company. And you need to leave open the possibility that you might at some point in the future. 

Here’s an example of this section of your privacy policy:

[Screenshot: “Disclosure of Your Information” section of a privacy policy]

You’ll notice that it starts with a statement that the company generally will not share private information, but it defines instances in which it might, including:

  • With subsidiaries, affiliates, and service providers to serve customers
  • With a lawyer or collection agency to enforce an agreement
  • To a “successor in interest” if the company is sold
  • If legally required to do so

This more complete picture is the way to go. You are providing accurate information and also building trust by providing a thoughtfully constructed explanation. 

If Applicable… How Someone Can Review & Revise The Information

Under CalOPPA, you are not required to provide a way for people to review the information you have about them (or correct it). But if you do have a mechanism for people to do so, you must describe it in your privacy policy. 

Most small businesses will decide not to provide this kind of mechanism to review and correct… so you most likely don’t need to address this in your privacy policy. 

But if you decide to create a review and correct procedure, spell it out in your privacy policy. 

How You’ll Tell People About Changes To Your Policy

Your privacy policy won’t be a static document that never changes. As your business evolves and as the legal requirements change, you’ll need to update your privacy policy. 

Under CalOPPA, your policy needs to tell people how you’ll notify users of those changes. 

While it can be a good idea to email people on your email list to notify them of changes to your privacy policy… you won’t have contact information for everyone. That’s why the standard practice is to explain that you’ll notify users of changes by updating the policy on the website itself. 

Here’s an example of the change clause that has the best of both worlds:

[Screenshot: “Policy Changes” section of a privacy policy]

We put some lawyer hedge language in saying that we’ll only email about “material changes,” which is lawyer-speak for big changes. But we also tell people that it is their responsibility to check the page periodically. 

The Effective Date Of Your Policy

This is the easiest part of your privacy policy… you need to include the date that the privacy policy went into effect. This is simple as can be… just post the date that you posted (or last modified) the privacy policy at the top or bottom. 

No reason to belabor this one! 

How You Handle Do Not Track Requests

Certain web browsers have a functionality called “Do Not Track.” It is a browser setting that adds a “DNT: 1” header to every request the browser sends, asking the website not to track the visitor. Nothing obliges a website to honor it.

In 2013, CalOPPA was amended (with the change taking effect at the start of 2014) to require website operators to tell visitors how they respond to “Do Not Track” signals.

To be clear, you are NOT required to honor those requests… you just have to tell people whether your website will honor these requests or not. 

Unless you are tech-savvy enough to actually detect the signal and change what your site does in response, the simplest way to handle this in your privacy policy is to state that you do not respond to or honor these requests.
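The mechanics behind that choice, as an added example that is not code from the original post: a small Node.js module showing what the browser actually sends (a “DNT: 1” request header) and how a site would either honor it by dropping analytics for that visitor, or, as recommended above, ignore it and simply say so in the policy. The sample request objects and the `honorDnt` option are constructed for this example.

```javascript
// Added example (not from the original post): server-side handling of the
// Do Not Track signal. Browsers with DNT enabled send "DNT: 1" on every
// request; "DNT: 0" means the user opted in to tracking; no header means no
// preference. Plain Node.js, no framework. Request objects are constructed.

// Case-insensitive header lookup (Node lowercases names; proxies may not).
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === want) return Array.isArray(v) ? v[0] : v;
  }
  return undefined;
}

// True only for an explicit "1"; anything else is treated as "not requested".
function doNotTrackRequested(headers) {
  const raw = getHeader(headers, 'dnt');
  return raw !== undefined && String(raw).trim() === '1';
}

// The site-wide decision. `honorDnt` (assumed option) is the knob the privacy
// policy describes: a site that states "we do not respond to Do Not Track"
// sets it to false and behaves identically for every visitor.
function trackingDecision(headers, { honorDnt }) {
  const dnt = doNotTrackRequested(headers);
  return {
    dntSignaled: dnt,
    // Strictly necessary cookies (session) are not "tracking"; always on.
    sessionCookie: true,
    // Analytics/ad scripts are dropped only when the site honors DNT=1.
    analytics: !(honorDnt && dnt),
  };
}

// Render a page for the request. When honoring DNT, "Vary: DNT" keeps a shared
// cache from serving the tracking variant to a DNT visitor.
function renderResponse(headers, options) {
  const decision = trackingDecision(headers, options);
  const responseHeaders = { 'Content-Type': 'text/html; charset=utf-8' };
  if (options.honorDnt) responseHeaders['Vary'] = 'DNT';
  const tag = decision.analytics
    ? '<script src="/analytics.js"></script>'
    : '<!-- analytics omitted: Do Not Track honored -->';
  return { headers: responseHeaders, body: `<html><body>${tag}</body></html>` };
}

// Constructed sample requests (header maps as Node's http module exposes them).
const dntVisitor = { host: 'example.com', dnt: '1' };
const optedInVisitor = { host: 'example.com', DNT: '0' };
const plainVisitor = { host: 'example.com' };
```

With `honorDnt: false` the three visitors get identical responses, which is exactly the state of affairs a “we do not respond to Do Not Track” policy statement describes; flipping it to `true` is the minimum change a site needs before it can truthfully say it honors the signal.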

That being said, there are other laws that cover “cookies” and require notice that cookies are in use on a site. On our site, we use a plug-in that lets users select which cookie categories to accept:

[Screenshot: cookie consent plug-in reading “Mmmm, cookies!” with a Cookie Monster reference]

What… we figure that a cookie notice doesn’t have to be boring! Might as well have a bit of fun. And who doesn’t like Cookie Monster?!?!

Because we give people the option to set their preferences (rather than simply requiring them to accept all cookies), we explain this option in our privacy policy. Although we could stop at saying we do not respond to “Do Not Track” requests, adding a description of our cookie options gives additional trust signals to visitors.

The Easiest Way To Create A CalOPPA Compliant Privacy Policy

You could read the advice in this guide and write your privacy policy from scratch… but you really shouldn’t spend your time doing that!

Here’s guessing you have better things to do with your time than to try to write a legal policy for your website.

Besides, there are laws other than CalOPPA (like the General Data Protection Regulation from the EU) that you should address in your privacy policy. 

You can create your GDPR and CalOPPA-compliant privacy policy lickety-split with our 100% free privacy policy generator. All you have to do is answer a few questions and you’ll get a customized policy for your site. 

(And you can always go in and edit it if you really want to!)

Where Do You Post Your Privacy Policy?

CalOPPA requires you to “conspicuously post” your privacy policy. 

You could meet the “conspicuously post” requirement by posting the privacy policy on your homepage… but you probably don’t want to do that. 

You can also meet this privacy policy requirement by including a hyperlink that includes the word “Privacy” in the link on your homepage or any other page where someone might enter your site. 

The most obvious way to do this is to post a link in the universal footer that appears on all pages of your website. This is how we do it:

[Screenshot: arrow pointing to the Privacy Policy link in a website footer]

Since we have a universal footer, the link appears on every page without us having to give it another thought.

If you have landing page software (or anything outside your main website), make sure you include a link to your privacy policy on those pages as well!

That’s a wrap on the requirements of CalOPPA.

What About CCPA?

Now that we’ve got you all covered when it comes to CalOPPA, let’s take a bit to talk about why you almost certainly don’t have to worry about the CCPA. 

The CCPA was passed in 2018 and went into effect on January 1, 2020. 

Right around the end of 2019, people in the online world started to worry about CCPA and thought they needed to comply with it. Suddenly, I was getting endless queries about whether my privacy policy template is CCPA compliant. 

My simple answer was no. 

And the reason is simple… if the CCPA applies to your business, you should talk to a lawyer to get a custom-crafted privacy policy. 

But don’t worry… that almost certainly isn’t you. 

Unlike CalOPPA, the CCPA is a beast of a law… both in terms of its complexity and in terms of the burdens it imposes upon businesses. 

You could try reading the entire law… but I don’t recommend it. If you don’t fall asleep, you’re likely to find yourself smashing your head against the wall trying to understand the dang thing. 

As a lawyer, I get why the CCPA freaked everyone out. It begins with what sounds like some pretty freaking broad language:

a) A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.

b) A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.

c) A business shall provide the information specified in subdivision (a) to a consumer only upon receipt of a verifiable consumer request.

d) A business that receives a verifiable consumer request from a consumer to access personal information shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required by this section. The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, readily useable format that allows the consumer to transmit this information to another entity without hindrance. A business may provide personal information to a consumer at any time, but shall not be required to provide personal information to a consumer more than twice in a 12-month period.

That language seems to pretty clearly say we are all subject to the CCPA. I mean, we are all businesses, right? 

And we are collecting information from consumers, right? 

So clearly this law applies to us, right?

A normal human being reading the law would obviously answer yes. 

But laws can’t always be interpreted correctly from the perspective of a regular human. 

If you think lawyers are annoying, the people who write laws are sometimes even MORE annoying… and this is one of those cases. 

To understand what the CCPA actually says, you have to sift through the long, boring, and complex definitions. Specifically, the definitions of “business” and “consumer.” 

In the CCPA, the term “business” doesn’t actually mean business. 

Weird. I know. 

In CCPA land, “business” only includes a business that meets one or more of these thresholds:

  • Your annual gross revenue is more than twenty-five million dollars ($25,000,000);
  • You buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices; or
  • You derive 50% or more of your annual revenues from selling consumers’ personal information. 

Are you starting to see why I’m pretty sure the CCPA doesn’t apply to you… and why you should really be talking to a lawyer if it does?

I mean… if your business is raking in $25 million or more per year, you really should be talking to your lawyer about CCPA and other legal issues rather than reading legal guides about them. (Even really awesome guides like this one!) 

And if you’re a data broker who makes a living by collecting and selling data… you really should have a privacy lawyer on speed dial. 

The only threshold that you might come close to is the second one, so the question is whether your business is buying, receiving, selling, or sharing personal information from at least 50,000 consumers each year. 

The CCPA defines personal information as: 

“information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

It then provides a list of categories, that includes (among other things): 

“Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.”

This definition is considerably broader than CalOPPA’s, most notably because it expressly includes IP addresses and other online identifiers.

Without getting all technical, you should just assume that your website is collecting data about the IP addresses of visitors (and collecting even more data if you have analytics installed). 

So, the only remaining question is whether you are collecting information from at least 50,000 consumers. 

You might think this means you just have to look at your Google Analytics to see how many website visitors you had in the last year. 

And… you would be wrong. 

Just like “business” doesn’t mean business, “consumer” doesn’t really mean consumer. The CCPA defines “consumer” to include only natural persons who are California residents.

So, the net result is that you only qualify as a “business” if you are collecting personal information from 50,000 California residents each year.

Although each business is different, chances are that you won’t come close to qualifying as a “business” that is subject to the CCPA until you have a high-seven or low-eight-figure business.

If that’s you… probably a good idea to stop reading this really cool guide and call your lawyer.

So that’s it… California privacy policy law in a nutshell.

If you’ve made it down to the bottom of this post, you’re a trooper in my book. And if you’re still awake, I may have just made it entertaining enough.

Now it’s time to stop reading and start doing. Go get your privacy policy set up if you haven’t already!

About Bobby Klinck

Harvard Lawyer and Online Entrepreneur
