CalOPPA vs CCPA: Understanding California Privacy Laws
California has two major privacy laws that often confuse website operators. Learn the differences between CalOPPA and CCPA, who must comply with each, and how to meet both requirements.
Introduction
California leads the United States in privacy legislation, having enacted two landmark laws that shape how businesses handle personal information: the California Online Privacy Protection Act (CalOPPA) and the California Consumer Privacy Act (CCPA). While both laws aim to protect California residents' privacy, they differ significantly in scope, requirements, and who must comply.
Understanding the distinction between CalOPPA and CCPA is crucial for any business with an online presence. CalOPPA, enacted in 2004, was the first state law in the nation requiring commercial websites to post a privacy policy. CCPA, which took effect in 2020 and was later strengthened by the California Privacy Rights Act (CPRA) in 2023, grants California consumers extensive rights over their personal data.
This guide will help you understand both laws, determine which apply to your business, and ensure you meet all compliance requirements.
What is CalOPPA?
The California Online Privacy Protection Act (CalOPPA) was signed into law in 2003 and became effective in 2004, making California the first state to require commercial websites to have a privacy policy. The law was amended in 2013 to address Do Not Track signals and mobile apps.
CalOPPA applies to any operator of a commercial website or online service that collects personally identifiable information (PII) from California residents—regardless of where the business is located. This means a company in New York, Texas, or even another country must comply with CalOPPA if it has users from California.
CalOPPA Requirements
Under CalOPPA, you must:
- Post a conspicuous privacy policy: Your privacy policy must be prominently displayed and easy to find. The word "privacy" must appear in the link.
- Identify the categories of PII collected: List what types of personal information you gather (names, emails, addresses, etc.).
- Describe third-party sharing: Explain which categories of third parties receive user information.
- Explain the review process: Describe how users can review and request changes to their personal information.
- Disclose policy changes: Explain how you will notify users of changes to your privacy policy.
- Include the effective date: Show when the policy was last updated.
- Address Do Not Track signals: Disclose how your site responds to browser Do Not Track (DNT) signals.
- Identify third-party tracking: Disclose whether other parties may collect PII about users' online activities over time and across different websites.
What is CCPA?
The California Consumer Privacy Act (CCPA) took effect on January 1, 2020, and represents a significant expansion of privacy rights for California residents. In November 2020, California voters approved Proposition 24, the California Privacy Rights Act (CPRA), which amended and strengthened CCPA. The CPRA amendments became fully operative on January 1, 2023.
Unlike CalOPPA, CCPA only applies to for-profit businesses that meet specific thresholds. However, the businesses it covers face much more extensive obligations, including honoring consumer rights requests.
Who Must Comply with CCPA?
CCPA applies to for-profit businesses that:
- Have annual gross revenues exceeding $25 million, OR
- Buy, sell, or share personal information of 50,000 or more California residents, households, or devices annually, OR
- Derive 50% or more of annual revenue from selling or sharing California residents' personal information
CCPA Consumer Rights
CCPA grants California consumers several rights:
- Right to Know: Consumers can request what personal information you've collected about them in the past 12 months.
- Right to Delete: Consumers can request deletion of their personal information (with some exceptions).
- Right to Opt-Out: Consumers can opt out of the sale or sharing of their personal information.
- Right to Non-Discrimination: You cannot discriminate against consumers who exercise their CCPA rights.
- Right to Correct: Added by CPRA, consumers can request correction of inaccurate personal information.
- Right to Limit: Added by CPRA, consumers can limit the use of sensitive personal information.
Side-by-Side Comparison
| Aspect | CalOPPA | CCPA/CPRA |
|---|---|---|
| Enacted | 2004 (amended 2013) | 2018 (effective 2020, amended by CPRA 2023) |
| Scope | Any website/app collecting personal info from California residents | For-profit businesses meeting specific thresholds |
| Business Size | No threshold - applies to all | $25M+ revenue, 50K+ consumers, or 50%+ revenue from data sales |
| Primary Focus | Privacy policy requirements and disclosure | Consumer rights and control over personal data |
| Key Requirement | Conspicuously post a privacy policy | Honor consumer rights requests (access, delete, opt-out) |
| Do Not Track | Must disclose how you respond to DNT signals | Must provide "Do Not Sell My Personal Information" link |
| Enforcement | California Attorney General, FTC (unfair practices) | California Privacy Protection Agency, AG, private right of action |
| Penalties | Up to $2,500 per violation after 30-day cure period | $2,500-$7,500 per violation; consumers can sue for breaches |
| Consumer Rights | Limited (mainly transparency) | Extensive (access, delete, opt-out, portability, correction) |
| Non-Profit Coverage | Yes - applies to all operators | No - only for-profit businesses |
Key Differences Explained
1. Applicability Thresholds
CalOPPA: No Thresholds
CalOPPA applies to ANY commercial website or online service that collects PII from California residents. A one-person blog with a contact form must comply.
CCPA: Specific Thresholds
CCPA only applies to larger for-profit businesses meeting revenue, data volume, or data-sale revenue thresholds. Small businesses may be exempt.
2. Focus and Purpose
CalOPPA is primarily a transparency law. Its main purpose is to ensure that websites inform users about their data practices. The law doesn't give consumers rights to access, delete, or control their data—it simply requires clear disclosure of what data is collected and how it's used.
CCPA goes much further as a consumer rights law. Beyond disclosure requirements, it empowers California residents with actionable rights over their personal information. Businesses must not only tell consumers what they do with data but also respond to consumer requests regarding that data.
3. Privacy Policy Requirements
Both laws require a privacy policy, but CCPA demands significantly more content:
- CalOPPA: Basic disclosure of data collection practices, third-party sharing, Do Not Track response, and policy change notifications.
- CCPA: All CalOPPA requirements plus detailed categories of personal information collected, purposes for collection, consumer rights explanation, how to submit requests, data retention periods, and the "Do Not Sell or Share My Personal Information" link.
4. Do Not Track vs. Do Not Sell
CalOPPA: Do Not Track
Requires disclosure of how you respond to browser DNT signals. You don't have to honor them—just say whether you do or don't.
CCPA: Do Not Sell
Requires a functional opt-out mechanism. If you sell or share personal information, you MUST honor opt-out requests.
5. Enforcement and Penalties
CalOPPA enforcement is handled by the California Attorney General and can also be addressed by the FTC as an unfair or deceptive practice. Violators receive a 30-day cure period before facing penalties of up to $2,500 per violation.
CCPA has stronger enforcement mechanisms. The California Privacy Protection Agency (CPPA), created by CPRA, now handles enforcement alongside the Attorney General. Penalties range from $2,500 per unintentional violation to $7,500 per intentional violation. Importantly, CCPA includes a limited private right of action for data breaches, allowing consumers to sue for $100-$750 per incident or actual damages.
Does My Business Need to Comply?
You Must Comply with CalOPPA If:
- You operate a commercial website or online service
- You collect personally identifiable information from users
- Any of your users are California residents
In practice, this means virtually every commercial website with a contact form, user registration, analytics tracking, or cookies needs a CalOPPA-compliant privacy policy.
You Must Comply with CCPA If:
- You are a for-profit business doing business in California
- You collect California residents' personal information
- You meet at least one threshold:
  - $25 million+ annual gross revenue
  - Buy, sell, or share the personal information of 50,000+ California consumers, households, or devices annually
  - 50%+ of annual revenue from selling or sharing personal information
Important Note
Even if you don't meet CCPA thresholds today, you should still comply with CalOPPA. And it's wise to build privacy practices that could scale to CCPA compliance as your business grows.
How to Comply with Both Laws
Step 1: Create a Comprehensive Privacy Policy
Your privacy policy should address all CalOPPA requirements at minimum. If you're subject to CCPA, expand it to cover consumer rights and data handling practices in detail.
Key elements for CalOPPA compliance:
- Categories of personal information collected
- Categories of third parties with whom data is shared
- Process for users to review and request changes to their data
- How you notify users of policy changes
- Effective date of the policy
- Response to Do Not Track signals
- Whether third parties collect data across websites
Additional elements for CCPA compliance:
- Categories of personal information collected in the past 12 months
- Business or commercial purposes for collection
- Categories of sources of personal information
- Categories of third parties with whom you share data
- Description of consumer rights and how to exercise them
- Contact information for privacy requests
- "Do Not Sell or Share My Personal Information" link
Step 2: Make Your Privacy Policy Conspicuous
CalOPPA requires the privacy policy to be "conspicuously posted." This means:
- The link should be visible on your homepage
- Use the word "privacy" in the link text
- Use a font size and color that stand out from the surrounding text
- Place it in an expected location (footer, navigation menu)
Step 3: Implement CCPA Consumer Request Processes
If CCPA applies to your business, you need systems to handle consumer rights requests:
- Provide at least two methods for submitting requests (e.g., web form, email, toll-free number)
- Verify the identity of requesters
- Respond to requests within 45 days (extendable by another 45 days with notice)
- Provide information in a portable, usable format
- Train staff on handling privacy requests
Step 4: Add Required CCPA Links
If you sell or share personal information, add a clear "Do Not Sell or Share My Personal Information" link on your homepage and in your privacy policy. CPRA also requires a "Limit the Use of My Sensitive Personal Information" link if you process sensitive data.
Common Compliance Mistakes
- Hidden privacy policy: Burying your privacy policy link violates CalOPPA's "conspicuous" requirement.
- Outdated policy: Failing to update your policy when practices change can lead to violations of both laws.
- Ignoring Do Not Track: CalOPPA requires disclosure even if you don't honor DNT signals.
- Missing opt-out mechanism: CCPA requires a functional opt-out, not just disclosure.
- Slow response times: CCPA mandates 45-day response windows for consumer requests.
- Discriminating against opt-outs: Charging more or providing lesser service to consumers who exercise CCPA rights violates the law.
Looking Ahead: Privacy Law Evolution
California privacy law continues to evolve. The CPRA strengthened CCPA by creating the California Privacy Protection Agency, adding new consumer rights, and tightening data minimization requirements. Businesses should monitor regulatory guidance from the CPPA and anticipate stricter enforcement.
Many other states have enacted comprehensive privacy laws modeled partly on CCPA, including Virginia, Colorado, Connecticut, and Utah. Federal privacy legislation continues to be discussed. Building strong privacy practices now will help you adapt to future requirements.
Conclusion
CalOPPA and CCPA both protect California residents' privacy but serve different purposes. CalOPPA ensures transparency through mandatory privacy policy disclosures, while CCPA empowers consumers with rights over their personal data.
Most businesses with California users must comply with CalOPPA, while larger businesses meeting CCPA thresholds face additional obligations. The good news is that compliance with CCPA generally means you'll also satisfy CalOPPA requirements.
The best approach is to create a comprehensive privacy policy that addresses both laws, implement clear consumer rights processes if CCPA applies, and stay informed about regulatory changes. With proper privacy practices in place, you protect both your users and your business.