How the California Online Privacy Protection Act Impacts Your Business

Starting this month, amendments to the California Online Privacy Protection Act (CalOPPA) will require businesses to disclose their response processes to Do Not Track (DNT) directives.

This means that any website that collects personally identifiable information (PII) from a website customer must update the privacy policy on its website.

Does that seem like a lot of alphabet soup? Definitely. Yet, this statewide law has national consequences. Failure to acknowledge and implement changes to your current website privacy policy could cost your business $2,500 or more in fines.

First, what is “Do Not Track”?

In 2010, the Federal Trade Commission issued a report to propose a simple “Do Not Track” mechanism for consumers to install in order to notify websites to not collect information about their Internet activity for advertising and other purposes.

Since the proposal, the gray area has increased. Even when users have a DNT plugin installed, the businesses receiving the DNT signal are not required to acknowledge it, respond, or change their information gathering, leaving DNT essentially powerless.

As a result, California Governor Jerry Brown signed amendments to the current CalOPPA in September 2013, stating that any business collecting information from a California resident online must disclose how it responds to DNT. Therefore, regardless of whether a website honors DNT, the website user has the right to know where and how their information is being used after pressing “Submit.”

With that, here are some common misconceptions from businesses reluctant to change their current privacy policy:

“My business doesn’t conduct business in California”

Currently CalOPPA is only a statewide law, but the Internet knows no borders—allowing customers to interact from anywhere at any time. Even if your current customers aren’t coming out of the Golden State, it’s still wise to implement the disclosure now to avoid penalties once you start gaining national recognition.

“My website isn’t an e-Commerce site”

Doesn’t matter. “Personally identifiable information” covers everything from first and last name, email, location, and more. A simple signup for a content offer such as a white paper download or regular email list can be utilized for other purposes such as sales and advertising. Businesses using this common tactic will now have to clearly explain to website visitors where and how their information will be used.

So now what?

Time to meet with your legal team (or, if you’re like other small businesses, put on your legal hat) and get to work on that revised privacy statement. Currently, there is a lack of templates available. Don’t fret—the International Association of Privacy Professionals details some helpful tips and terminology to consider in the required ruling, which we’ve summarized and adapted for marketers:

Questions to answer in your revised privacy statement:

  • What are you currently using to track DNTs? Ask your web developer if your website is utilizing traditional HTTP cookies or another method.
  • Does your company combine PII data with information from other sites? Disclose if your marketing and sales strategy includes creating visitor profiles with other third party information through social media, sales databases, or more.
  • Does your website host social media plugins? A “yes” for many marketers, websites should disclose if these share and like buttons are present and collecting data. Your website is not responsible for explaining how the data is used by a social media site (that is outlined by the social platform’s collection and handling policy). You can always link to the social plugin’s privacy policy for users who want more information.

While enforcement of CalOPPA has yet to be seen, small businesses and entrepreneurs building their national marketing reach should be aware of the new amendment. By acting accordingly, business owners avoid costly fines and, most importantly, continue ethical marketing practices.

Jeremy Durant
Jeremy is the Business Principal of Bop Design, a B2B marketing and web design & development firm. Jeremy builds relationships with B2B businesses and entrepreneurs in need of a marketing and branding strategy, helping them to develop their unique value proposition and ideal customer profile.


We're in the process of finalizing our revised privacy policy statement with a legal team, but there is a paid privacy policy generator Iubenda that could help:

I don't suppose you know of anyone who is planning on templating this stuff out for people who are creative types and can't stand the ridiculousness of our legal system?

