Does CalOPPA require websites to post a privacy policy?

What the Law Says

The California Online Privacy Protection Act (CalOPPA) is the first state law in the U.S. requiring websites and online services to post a privacy policy.

CalOPPA applies to any operator of a commercial website or online service that collects personally identifiable information (PII) from California residents — even if the business is located outside California.

The law defines 'operator' broadly to include any person or entity that owns or operates a website or online service for commercial purposes and collects PII from consumers who visit the site or use the service.

A privacy policy must be 'conspicuous' — meaning it must be easily found, typically via a link labeled 'Privacy Policy' on the homepage and any page where PII is collected.

The policy must disclose what categories of PII are collected, how the information is used, with whom it is shared, and how users can review or request changes to their information.

Statutory Text

An operator of a commercial website or online service that collects personally identifiable information through the website or online service from a consumer residing in California shall conspicuously post its privacy policy on its website.

— Cal. Bus. & Prof. Code § 22575(a) — Posting of privacy policy

Statutory Text

The privacy policy shall identify the categories of personally identifiable information that the operator collects… and the categories of third parties with whom the operator may share that information.

— Cal. Bus. & Prof. Code § 22575(b)(1) — Required disclosures

Statutory Text

If the operator makes any material changes to its privacy policy, the operator shall notify consumers… within 72 hours after posting the revised policy.

— Cal. Bus. & Prof. Code § 22575(b)(5) — Notification of changes

What to Do

Sources