Though the California Consumer Privacy Act (CCPA) came into force in 2020, many business leaders are still unsure about how it works. Because a big part of the CCPA involves posting a privacy notice that meets specific requirements, it is easy to confuse it with another state privacy law—the California Online Privacy Protection Act (CalOPPA). There are important differences between CCPA and CalOPPA, however, and compliance with one law does not equal compliance with the other. Here we’ll go over their similarities and differences, and how businesses can make sure they are in compliance with both the CCPA and CalOPPA.

CCPA: A Quick Summary

The CCPA is definitely the more comprehensive of the two laws. It requires businesses to be more transparent about how they collect and use consumers’ personal information, and creates several new consumer rights.

Regardless of where it is located, a for-profit organization must comply with the CCPA if it (1) does business in the state of California, (2) collects personal information from consumers (i.e., California residents), and (3) meets at least one of the following threshold requirements:

• Has annual gross revenues exceeding $25 million
• Annually buys, sells, or shares personal information from 100,000 or more consumers or households.
• Derives at least 50% of its annual revenues from the sale of personal information

If your organization meets this CCPA definition of a “business,” it must evaluate its data practices and post a CCPA-compliant notice at any point where it collects consumers’ personal information. This notice must tell consumers:

• What personal information you collect, from what sources, and for what purposes
• How long you will retain each category of personal information
• What sensitive personal information you collect, for what purposes, and whether that data is sold or shared.
• What personal information you disclose to service providers, categories, and third parties, and the categories of parties you share it with
• What personal information you sell to or share with third parties and the categories of those third parties
• What privacy rights consumers have with regard to their personal information
• How to make a privacy request

Depending on the business and its practices, you may also be required to make other disclosures in this privacy notice. For example, if a business knowingly collects personal information from consumers under the age of 16, it must describe the process for obtaining their affirmative consent.

In addition to making these disclosures at or before the point of collection, businesses covered by the CCPA must honor the new set of data privacy rights granted to consumers. These rights are:

• The right to know – Consumers can request to know what personal information a business has collected about them.
• The right to deletion – With some exceptions, businesses must permanently delete any personal information about a consumer upon request.
• The right to opt out – If a business sells consumers’ personal information (including by using interest-based advertising), it must give consumers the opportunity to opt out.
• The right to non-discrimination – Businesses can’t treat consumers differently for exercising their CCPA rights.
• The right to correct inaccurate personal information – Added by the California Privacy Rights Act (CPRA).
• The right to limit use and disclosure of sensitive personal information - Also added by the CPRA, this gives consumers additional control over specific categories of personal information.

For more detailed information, read our Complete CCPA Guide.

CalOPPA

Though it shares some common ground with the CCPA, CalOPPA is narrower in its scope: it deals exclusively with what information must be disclosed in a business’s online privacy policy. On the other hand, it applies much more widely than the CCPA: Any operator of a commercial website or online service that collects personally identifiable information about California residents must conspicuously post a CalOPPA-compliant privacy, accessible via hyperlink on their homepage.

What is personally identifiable information, according to CalOPPA? It is any personal data that can identify an individual consumer, including:

• First and last name
• Home or other physical address, including street name and name of a city or town
• E-mail address
• Telephone number
• Social security number
• Any other identifier that permits the physical or online contacting of a specific individual
• Information concerning a user that the website or online service collects online from the user and maintains in personally identifiable form in combination with one of the above identifiers

Most commercial websites collect at least one of these types of personal information, so they are likely to fall under the California law’s jurisdiction, at least with regard to state residents. They will therefore have to post a CalOPPA-compliant privacy policy, which has six categories of required disclosures.

1. Identify the categories of personally identifiable information that the operator collects about individual consumers, and the categories of third parties with whom they may share that information.
   • Cross-compliance: All of this information should be included in your business’s CCPA privacy notice.
2. Describe any process the business has, if any, for consumers to review and request changes to any of their personally identifiable information
   • Cross-compliance: The CCPA requires businesses to tell consumers how they can make privacy requests, including a request to know what personal information it has collected about the consumer and a request to correct inaccurate personal information. If a business has already met these CCPA requirements, then it meets the CalOPPA requirement.
3. Describe the process for notifying consumers of material changes to the privacy policy
   • Cross-compliance: The CCPA has no comparable requirement.
4. Identify the privacy policy’s effective date.
   • Cross-compliance: The CCPA has no comparable requirement.
5. Disclose how the operator responds to “do not track” signals and other similar mechanisms
   • Cross-compliance: The CCPA has no comparable requirement.
6. Disclose whether other parties may collect personally identifiable information about a consumer’s online activities over time and across different websites when a consumer uses the operator’s website (i.e., third-party cookies and trackers)
   • Cross-compliance: The CCPA has a similar disclosure requirement regarding the use of targeted advertising across different websites, but the CalOPPA requirement is different enough that businesses should include it in a separate section of their privacy policy.

Summary

There is significant overlap between the two laws, and the CalOPPA requirements are generally lighter, so businesses that are already CCPA compliant should find it easy to quickly add the CalOPPA disclosures to their privacy policy. If the situation is reversed and a business is starting with a CalOPPA-compliant privacy policy and trying to become CCPA compliant, it already has a good start on the process but there will be significantly more work. The CCPA requires businesses to track and disclose more information, as well respond to individual privacy requests, all of which requires a more robust compliance solution.

‍