CalOPPA and the Privacy Policy Rules for California Websites

CalOPPA, the California Online Privacy Protection Act, has been in force since 2004, and it governs the website privacy policy itself rather than the broader rights regime that came later. It applies to any operator of a commercial website or online service that collects personally identifiable information from California residents, with no size or revenue threshold, so it comes down to a simple but unavoidable question, whether the policy is conspicuously posted and whether it carries the disclosures California requires.

The operator definition is more precise than a casual summary suggests, reaching a person or entity that owns a commercial site or service, collects identifiable information from California visitors, and keeps that information in an accessible form. That precision is why CalOPPA still catches businesses focused on the CCPA thresholds, because the issue can be as ordinary as running a commercial site, collecting identifiable information, and never posting a compliant policy where a visitor can find it.

CalOPPA names specific disclosures, so the policy has to state how the operator responds to browser Do Not Track signals, whether anyone else collects identifiable information about a visitor's activity across sites over time, and how the operator tells users about material changes, and it should carry an effective date. Many shorter templates skip those items, so a page that reads as finished can still miss what the law names.

CalOPPA can apply even when the CCPA and CPRA thresholds do not, because its trigger is collecting covered information from California users, not revenue or data volume, so the posting and disclosure rules deserve a look regardless of size. If a site has a privacy policy at all, the practical step is confirming that it is posted conspicuously and covers the website disclosures CalOPPA expects, and that it complements any CCPA or CPRA duties rather than standing in for them.