One of the most ubiquitous technologies on the web may become a liability risk for businesses. Learn about Google Analytics, wiretap lawsuits, and how to protect your company.
Though the California Consumer Privacy Act (CCPA) came into force in 2020, many business leaders are still unsure about how it works. Because a big part of the CCPA involves posting a privacy notice that meets specific requirements, it is easy to confuse it with another state privacy law—the California Online Privacy Protection Act (CalOPPA). There are important differences between CCPA and CalOPPA, however, and compliance with one law does not equal compliance with the other. Here we’ll go over their similarities and differences, and how businesses can make sure they are in compliance with both the CCPA and CalOPPA.
The CCPA is definitely the more comprehensive of the two laws. It requires businesses to be more transparent about how they collect and use consumers’ personal information, and creates several new consumer rights.
Regardless of where it is located, a for-profit organization must comply with the CCPA if it (1) does business in the state of California, (2) collects personal information from consumers (i.e., California residents), and (3) meets at least one of the following threshold requirements:
If your organization meets this CCPA definition of a “business,” it must evaluate its data practices and post a CCPA-compliant notice at any point where it collects consumers’ personal information. This notice must tell consumers:
Depending on the business and its practices, you may also be required to make other disclosures in this privacy notice. For example, if a business knowingly collects personal information from consumers under the age of 16, it must describe the process for obtaining their affirmative consent.
In addition to making these disclosures at or before the point of collection, businesses covered by the CCPA must honor the new set of data privacy rights granted to consumers. These rights are:
For more detailed information, read our Complete CCPA Guide.
Though it shares some common ground with the CCPA, CalOPPA is narrower in its scope: it deals exclusively with what information must be disclosed in a business’s online privacy policy. On the other hand, it applies much more widely than the CCPA: Any operator of a commercial website or online service that collects personally identifiable information about California residents must conspicuously post a CalOPPA-compliant privacy, accessible via hyperlink on their homepage.
What is personally identifiable information, according to CalOPPA? It is any personal data that can identify an individual consumer, including:
Most commercial websites collect at least one of these types of personal information, so they are likely to fall under the California law’s jurisdiction, at least with regard to state residents. They will therefore have to post a CalOPPA-compliant privacy policy, which has six categories of required disclosures.
There is significant overlap between the two laws, and the CalOPPA requirements are generally lighter, so businesses that are already CCPA compliant should find it easy to quickly add the CalOPPA disclosures to their privacy policy. If the situation is reversed and a business is starting with a CalOPPA-compliant privacy policy and trying to become CCPA compliant, it already has a good start on the process but there will be significantly more work. The CCPA requires businesses to track and disclose more information, as well respond to individual privacy requests, all of which requires a more robust compliance solution.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.