CalOPPA - the California Online Privacy Protection Act - became law on 1 July 2004, making California the first US state to require commercial websites to post a privacy policy. Two decades on, it remains actively enforced. In February 2024, the California Attorney General included CalOPPA violations alongside CCPA claims in a $375,000 settlement with DoorDash over undisclosed data sharing with marketing cooperatives.
The law sits under the California Business and Professions Code, Sections 22575-22579. Its scope is deceptively broad: any operator of a commercial website or online service that collects personally identifiable information (PII) from California residents must comply, regardless of where the business is physically located.
Who Must Comply with CalOPPA?
CalOPPA applies to any person or entity that owns a commercial website or online service collecting PII from California residents. The law defines an "operator" as the entity that owns the site - not the third party hosting or managing it. If a web agency builds and hosts a site for a client, the client bears the compliance obligation.
The geographic reach is essentially global. A business based in Berlin, a SaaS startup in Sydney, or an e-commerce shop in Toronto all fall under CalOPPA if California residents can visit their site and submit personal information. In 2012, then-Attorney General Kamala Harris confirmed this interpretation extends to mobile applications.
There are no revenue thresholds or data volume minimums. If a website has a contact form that a single California resident could fill in, CalOPPA applies. This stands in stark contrast to the CCPA, which only covers businesses exceeding $25 million in annual revenue, handling data from 100,000 or more consumers, or deriving half their revenue from selling personal information.
What Counts as Personally Identifiable Information?
CalOPPA defines PII as individually identifiable information collected online and maintained in an accessible form. The statute lists several specific categories:
| PII Category | Examples |
|---|---|
| Name | First name, last name, username |
| Physical address | Street address, city, postcode |
| Email address | Personal or business email |
| Telephone number | Mobile, landline, fax |
| Social Security number | Full or partial SSN |
| Other identifiers | Any data that, combined with the above, could identify a person (e.g., date of birth, account credentials) |
Any website running a newsletter signup, login form, checkout flow, or contact form is almost certainly collecting PII under this definition. Third-party services compound the picture: tools like Google Analytics, live chat widgets, and social login integrations all collect identifiable data on behalf of the site operator.
Privacy Policy Requirements Under CalOPPA
The core obligation is straightforward - post a privacy policy that meets specific content and accessibility standards. The policy must include the following disclosures:
Categories of PII collected. List every type of personally identifiable information the site gathers, whether directly through forms or indirectly through cookies and tracking technologies.
Third-party sharing. Identify the categories of third parties with whom PII may be shared. The DoorDash enforcement action in 2024 made clear that vague references to "advertising purposes" are insufficient - the specific nature of the sharing arrangement must be disclosed.
Review and correction process. If the site offers a way for users to review and request changes to their PII, the policy must explain how.
Policy change notification. Describe how consumers will be informed of material changes to the privacy policy.
Effective date. State when the privacy policy took effect. Best practice is to also display the date it was last updated.
The Do Not Track Disclosure Requirement
A 2013 amendment (Assembly Bill 370) added two disclosure requirements. The first concerns Do Not Track (DNT) signals - a browser setting that sends a preference header requesting websites stop tracking. CalOPPA does not require sites to honour DNT requests. It does require a clear disclosure of how the site responds to them.
The privacy policy must include a section - ideally titled "Do Not Track" - explaining whether the site honours these signals, ignores them, or provides an alternative opt-out mechanism. Most major websites do not honour DNT, which is legally permissible so long as this is disclosed. The policy should also state whether third parties may collect PII about a consumer's browsing activity across different websites when visiting the operator's site.
This matters for any site running third-party non-essential cookies from advertising networks, analytics platforms, or social media embeds. Each of these services may track visitors across the web, and the privacy policy needs to acknowledge that.
How to Display the Privacy Policy
CalOPPA is specific about placement. The privacy policy must be "conspicuously posted." The hyperlink must contain the word "Privacy," appear on the homepage or the first significant page after entry, and use text, font size, or colour that contrasts with surrounding content so visitors can actually find it.
For mobile applications, the policy should be accessible from within the app - typically in a Settings, About, or Legal menu. Burying a privacy link several screens deep inside an app does not meet the "conspicuous" standard.
A footer link labelled "Privacy Policy" on every page is the most common approach. Most consent management platforms include a configurable privacy policy link alongside the cookie banner, satisfying both CalOPPA and GDPR transparency requirements simultaneously.
CalOPPA vs CCPA vs CPRA: Key Differences
California has three overlapping privacy laws. CalOPPA is the oldest and narrowest: it concerns only privacy policy content and display. The CCPA and its amendment, the CPRA, are far broader, granting consumers rights to access, delete, correct, and opt out of the sale or sharing of their personal information.
| Feature | CalOPPA | CCPA/CPRA |
|---|---|---|
| Effective date | 1 July 2004 | 1 January 2020 / 1 January 2023 |
| Scope | Any commercial website collecting PII from CA residents | For-profit businesses meeting revenue, data volume, or data sale thresholds |
| Core obligation | Post a compliant privacy policy | Consumer rights: access, deletion, correction, opt-out of sale/sharing |
| DNT disclosure | Required | No equivalent requirement |
| Right to delete data | No | Yes |
| Right to opt out of sale | No | Yes |
| Penalties per violation | Up to $2,500 | Up to $2,500 (unintentional) or $7,500 (intentional) |
| Enforced by | California Attorney General via UCL | California AG + CPPA |
Compliance with the CCPA does not automatically cover CalOPPA. The DNT disclosure and the requirement to describe how consumers are notified of policy changes are unique to CalOPPA.
Enforcement and Penalties
CalOPPA is enforced through California's Unfair Competition Law (UCL), Section 17200 of the Business and Professions Code. The Attorney General can pursue civil penalties of up to $2,500 per violation under Section 17206.
The critical detail is what counts as a "violation." Each California resident who visits a non-compliant website could constitute a separate violation. A site receiving 1,000 California visitors in a single day without a compliant privacy policy faces theoretical exposure of $2.5 million for that day alone. A 30-day cure period applies after notification - failing to fix the issue within that window triggers the per-violation penalties.
The DoorDash case in 2024 confirmed that CalOPPA enforcement remains active. The Attorney General alleged that DoorDash's privacy policy failed to disclose sharing of customer data with marketing cooperatives. The combined CCPA and CalOPPA settlement resulted in a $375,000 penalty plus a three-year compliance programme.
CalOPPA and Cookies: What Website Owners Should Know
CalOPPA does not specifically regulate cookies or require consent banners the way the ePrivacy Directive does in Europe. Cookies intersect with CalOPPA in two practical ways, though.
First, cookies often collect PII or data that can identify individuals when combined with other information. A _ga cookie from Google Analytics, a _fbp cookie from Meta, or a session cookie storing a login state all handle data within CalOPPA's PII definition. The privacy policy must account for these.
Second, the 2013 third-party tracking disclosure directly addresses cookie-based tracking across websites. If advertising networks, analytics services, or social media platforms place cookies through the operator's site, this must be disclosed. Running a cookie scanner is the most reliable way to identify which third-party cookies are active and what disclosures the privacy policy needs.
CalOPPA Compliance Checklist
Draft a privacy policy listing all categories of PII collected - including data gathered by third-party services - and name the categories of third parties receiving that data. Explain whether visitors can review or request corrections to their data. Describe how policy changes will be communicated. Include the policy's effective date.
Add a clearly titled Do Not Track section stating whether the site honours DNT browser signals. Disclose whether third parties collect PII about visitors' activity across other websites.
Place the privacy policy link on the homepage footer using the word "Privacy" in the anchor text. Ensure the link is visible on mobile and within any native app. Verify the link text contrasts with surrounding page content.
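The checklist above, together with the Do Not Track section requirement from the 2013 amendment, can be turned into a repeatable static check. The script below is an added example, not code from the original page or from any vendor it mentions. It assumes the homepage and the privacy policy have already been fetched and are passed in as HTML strings; the phrase patterns and the sample pages are constructed heuristics, not statutory wording, so a passing result is the starting point for a human review rather than a legal determination.

```python
"""Static audit of a homepage and privacy-policy page against the CalOPPA
display and disclosure points: a homepage link whose text contains "Privacy",
a titled Do Not Track section, and the required disclosures in the policy text.
Added example, not the page's or any vendor's code; assumes both HTML documents
are already fetched and supplied as strings."""
import re
from html.parser import HTMLParser

# Constructed heuristics (not statutory language): each checklist item maps to a
# regex run over the lower-cased visible text of the policy page.
REQUIRED_PHRASES = {
    "categories_of_pii": r"\b(personally identifiable|personal) information\b",
    "third_party_sharing": r"\bthird[- ]part(?:y|ies)\b",
    "review_or_correction": r"\b(review|correct|update) (your|their) (personal )?(information|data)\b",
    "change_notification": r"\bchanges? to (this|our) (privacy )?policy\b",
    "effective_date": r"\b(effective|last updated)[: ]",
    "cross_site_tracking": r"\b(across|other) (websites|sites)\b",
}


class PageParser(HTMLParser):
    """Collect anchors (href, text), heading texts and all visible text."""

    def __init__(self):
        super().__init__()
        self.links = []      # (href, anchor text)
        self.headings = []   # text of h1..h6 elements
        self.text = []       # visible text fragments, for phrase checks
        self._href = None
        self._anchor = []
        self._heading = None
        self._skip = 0       # depth inside <script>/<style>, whose content is ignored

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "a":
            self._href = dict(attrs).get("href", "")
            self._anchor = []
        elif re.fullmatch(r"h[1-6]", tag):
            self._heading = []

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip -= 1
        elif tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._anchor).split())))
            self._href = None
        elif re.fullmatch(r"h[1-6]", tag) and self._heading is not None:
            self.headings.append(" ".join("".join(self._heading).split()))
            self._heading = None

    def handle_data(self, data):
        if self._skip:
            return
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)
        if self._heading is not None:
            self._heading.append(data)

    def visible_text(self):
        return " ".join(" ".join(self.text).split()).lower()


def parse(html):
    parser = PageParser()
    parser.feed(html)
    parser.close()
    return parser


def privacy_links(homepage_html):
    """Anchors whose visible text contains the word 'Privacy', as CalOPPA requires."""
    page = parse(homepage_html)
    return [(href, text) for href, text in page.links
            if re.search(r"\bprivacy\b", text, re.IGNORECASE)]


def audit(homepage_html, policy_html):
    """Return {check: bool}; every False entry is a gap to close before relying on the policy."""
    policy = parse(policy_html)
    text = policy.visible_text()
    result = {
        "privacy_link_on_homepage": bool(privacy_links(homepage_html)),
        # The DNT disclosure should be a titled section, not a buried sentence.
        "dnt_section_titled": any("do not track" in h.lower() for h in policy.headings),
    }
    for name, pattern in REQUIRED_PHRASES.items():
        result[name] = re.search(pattern, text) is not None
    return result


# Constructed sample pages. The word "Privacy" inside the script must not count as
# a link, and the policy deliberately lacks a titled Do Not Track section.
HOMEPAGE = """<html><body><h1>Acme Widgets</h1>
<script>var label = "Privacy";</script>
<footer><a href="/about">About</a> <a href="/privacy">Privacy Policy</a></footer>
</body></html>"""

POLICY = """<html><body><h1>Privacy Policy</h1>
<p>Effective: 1 January 2024. Last updated: 1 June 2024.</p>
<h2>Information we collect</h2><p>We collect personal information such as your name and email address.</p>
<h2>Sharing</h2><p>We share it with third parties that run our analytics, who may also collect
data about your activity across other websites.</p>
<h2>Your choices</h2><p>You may review and correct your information from your account page.</p>
<h2>Changes</h2><p>We post changes to this policy here and email registered users.</p>
</body></html>"""

if __name__ == "__main__":
    for check, ok in audit(HOMEPAGE, POLICY).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

Run against the constructed sample, every check passes except `dnt_section_titled`, which is exactly the gap the 2013 amendment targets; adding an `<h2>Do Not Track</h2>` section to the policy turns it green. The parser skips `<script>` and `<style>` content so that a string literal mentioning "Privacy" in page JavaScript is never mistaken for a conspicuous link.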
For sites also subject to the CCPA or GDPR, a unified privacy policy works well. A CCPA-compliant policy typically needs only the DNT disclosure and the change notification process added to satisfy CalOPPA.
Frequently Asked Questions
Does CalOPPA apply to websites outside California?
Yes. CalOPPA applies to any commercial website or online service that collects personally identifiable information from California residents, regardless of where the business is physically located. A website based in the UK, Germany, or Japan must comply if it is accessible to and collects data from people in California.
Is CalOPPA the same as the CCPA?
No. CalOPPA (2004) requires websites to post a compliant privacy policy. The CCPA (2020) grants consumers specific rights over their data, including the right to access, delete, and opt out of data sales. CalOPPA applies to virtually any website, while the CCPA only applies to businesses meeting certain revenue or data volume thresholds. Both laws are active and enforceable.
What are the penalties for not complying with CalOPPA?
The California Attorney General can impose fines of up to $2,500 per violation, with each visit from a California resident to a non-compliant site potentially counting as a separate violation. A 30-day cure period applies after notification of non-compliance. If the issue is not resolved within that window, penalties accumulate rapidly.
Do I need a cookie banner to comply with CalOPPA?
CalOPPA does not require a cookie consent banner. Its focus is on the content and visibility of the privacy policy. However, if the site also serves visitors in the EU, UK, or Brazil, a cookie banner is likely required under the ePrivacy Directive, UK GDPR, or LGPD. A consent management platform that handles both the banner and the privacy policy link covers multiple laws at once.
Does CalOPPA require me to honour Do Not Track signals?
No. CalOPPA requires disclosure of how the site responds to Do Not Track signals, but it does not mandate that the site actually honour them. Most websites disclose that they do not respond to DNT requests, which is legally compliant under CalOPPA.
How does CalOPPA define personally identifiable information?
CalOPPA defines PII as individually identifiable information collected online, including a person's name, physical address, email address, telephone number, Social Security number, and any other data that could identify an individual when combined with these categories.
Can consumers sue businesses directly for CalOPPA violations?
CalOPPA does not include a private right of action. Enforcement is handled by the California Attorney General through the state's Unfair Competition Law. Consumers can report non-compliant websites to the Attorney General's office, which may then investigate and pursue penalties.
Keep Your Privacy Policy Compliant
CalOPPA's requirements are narrow but non-negotiable for any site reachable by California residents. Start by scanning the site to identify every cookie and tracker in use, then ensure the privacy policy accounts for each one. Kukie.io detects first-party and third-party cookies, categorises them, and helps generate the disclosures a compliant privacy policy needs.