TermsBuilder
Back to Blog
March 26, 20268 min read

CalOPPA and the Privacy Policy Rules for California Websites

CalOPPA requires a conspicuously posted website privacy policy and specific California website disclosures, including Do Not Track handling.

CalOPPA addresses the website privacy policy itself. The California Online Privacy Protection Act focuses on operators of commercial websites and online services that collect personally identifiable information from California consumers.

It remains relevant for businesses below the broader California privacy thresholds and for businesses that also have CCPA or CPRA duties.

For a site operator, the law pushes a simpler but important question. Is your privacy policy conspicuously posted, and does it disclose the items California requires for a website privacy page?

CalOPPA is a posting and disclosure law

CalOPPA requires an operator of a commercial website or online service that collects personally identifiable information through the Internet about California consumers to conspicuously post its privacy policy. The law is framed around the operator and the website.

Businesses often talk about California privacy law as though it is all one statute. CalOPPA addresses whether the page is posted properly and whether the page includes the specific website disclosures the chapter requires.

The operator definition controls who is on the hook

CalOPPA defines operator in a specific way. The law reaches a person or entity that owns a commercial website or online service and collects personally identifiable information from California consumers who use or visit your site or service, when the information is maintained by the operator in an accessible form. That makes the operator question more precise than a casual summary suggests.

This keeps CalOPPA relevant for businesses focused on CCPA threshold terms. The issue may be as simple as operating a commercial site, collecting personally identifiable information, and failing to post a compliant privacy policy conspicuously enough.

Do Not Track and change notice disclosure belong on the page

CalOPPA is also the California law that pushed many website operators to address Do Not Track disclosures. The privacy policy has to state how the operator responds to web browser Do Not Track signals or similar mechanisms and whether other parties may collect personally identifiable information about a consumer's online activities over time and across different sites or services when the consumer uses the operator's site or service.

It also requires your policy to describe how the operator notifies consumers of material changes. That means CalOPPA is a live page drafting statute. The law reaches specific disclosure items that many shorter privacy templates omit.

CalOPPA can apply even when broader California privacy thresholds do not

A business can spend a great deal of time on California's larger privacy framework and miss the more basic website rule. CalOPPA reaches commercial sites that collect covered information from California users, so the conspicuous posting and disclosure rules deserve review whether or not your business meets the revenue and data volume thresholds associated with the CCPA as amended by the CPRA.

If your site has a privacy policy, your business should confirm that the page is posted conspicuously and covers the specific website disclosures CalOPPA expects.

What to review under CalOPPA

A CalOPPA review is narrower than a full CCPA or CPRA review, but it is important because it speaks directly to the privacy page as a website document.

  • Confirm that your privacy policy is conspicuously posted on the website or online service
  • Check whether the operator definition fits your business and the way your site collects personally identifiable information
  • Review the page for Do Not Track disclosure and disclosure about third party cross site collection where required
  • Make sure your policy explains how users are told about material changes
  • Treat CalOPPA and CCPA or CPRA as related California layers rather than as interchangeable labels

Key Takeaways

  • CalOPPA is important because it focuses directly on privacy policy posting and website disclosures.
  • A business can have a CalOPPA issue while its attention is focused on the broader California privacy rights regime.
  • Do Not Track handling, third party cross site collection, and change notice language belong in the review.
  • The practical CalOPPA question is whether your site posts a conspicuous privacy page that says what California requires.

Primary Sources

Turn this into a real document

TermsBuilder uses an attorney-built questionnaire to turn these legal issues into Terms & Conditions and Privacy Policy pages that match the way your business operates.

Start your document set

Related Reading

CCPA Compliance Guide for Ecommerce Stores in 2026

If your store collects checkout data, uses advertising pixels, or sells into California at scale, your notices, request workflows, and vendor setup all need to line up with the law.

What Your Privacy Policy Needs to Include

A useful privacy policy explains what you collect, why you collect it, who receives it, how long you keep it, and what rights people have under the laws that apply to your business.