CalOPPA compliance checklist for online businesses

What the California Online Privacy Protection Act asks for, and how to map the requirements to a privacy policy that travels well.

Published 2026-05-06 · Updated 2026-05-06

Short answer

CalOPPA requires a conspicuous privacy policy on any commercial website that collects personally identifiable information from California consumers. The policy must list the categories of data collected, the third parties it is shared with, the process for changes, the response to Do Not Track signals, and the effective date. Most modern privacy policies cover this with light additions.

Conspicuous link

CalOPPA expects the policy to be reachable from any page where personal information is collected. A footer link is the usual answer. The link text should clearly say "Privacy policy" — labels like "Legal" or "About this site" are weaker.

Categories of personal information

List the categories of personal data the site collects. Common categories: contact information, account credentials, payment information, support correspondence, device and browser data, usage analytics. The categories should match what the site actually gathers, not a copied list.

Third parties

Disclose the third parties the data is shared with. CalOPPA does not require an exhaustive vendor list, but a category-level disclosure (for example, payment processors, hosting providers, analytics vendors) is the minimum useful baseline.

Notification of changes

The policy must explain how users learn about changes. The most common phrasing is that the operator updates the effective date and may post a notice on the site or in the customer dashboard.

Effective date

Display an effective date and update it when the policy changes. The effective date is what users compare against when they revisit the site.

Do Not Track

CalOPPA requires the policy to disclose how the operator responds to Do Not Track signals from browsers. Most operators state honestly that they do not modify behavior based on the signal because it is not a recognized standard, and they describe the available opt-out mechanisms instead.

Cookies and analytics

CalOPPA itself does not mandate cookie consent, but the privacy policy should describe the analytics tools in use. If the site also serves the EU, the cookie banner and consent storage are governed by separate rules; the privacy policy should reference the cookie policy where relevant.

Account profile and access requests

Describe how a user can review or update the personal information held about them. Even a simple "contact support" route counts as long as the route works.

Children

If the site is reachable by users under 13, US federal rules under COPPA apply on top of CalOPPA, and the policy should include the relevant age restriction. A simple statement that the site is not directed at children under 13 is the common minimum.

Cross-links

Reference the cookie policy, the terms of service, the refund policy where applicable, and any region-specific addendum (for example, the CCPA-specific notice). Cross-links should match the website slug structure.

FAQ

CalOPPA is one of several privacy regimes a US-facing site usually has to consider. A policy that is honest, specific, and dated tends to satisfy the disclosure-style rules with little adaptation.

Questions this guide answers.

Does CalOPPA apply to a business that is not in California?

If the website is commercial and collects personal information from California consumers, CalOPPA applies regardless of where the operator is based.

How is CalOPPA different from CCPA and CPRA?

CalOPPA is older, lighter, and focused on disclosure. CCPA and CPRA add consumer rights, opt-out mechanisms, and opt-out signals. A modern policy that meets CCPA usually meets CalOPPA, with a small amount of additional language.
