California Privacy Policy 101: A Simple How-To Legal Guide For Every Business Owner


When it comes to privacy laws, the United States is kinda in the stone age. There is no federal law that protects your privacy online or even requires the transparency that comes with a website privacy policy. Instead, we have a messy patchwork of laws.

Enter… California. 

Love it or hate it, California has been at the forefront when it comes to online privacy. Way back in 2003, California passed the California Online Privacy Protection Act (CalOPPA), which requires commercial websites to include a privacy policy. 

Many years later, CalOPPA is still basically the only game in town in the US. 

You might be thinking something like… “Wait, didn’t California pass a privacy law in the past couple of years too?” 

In fact, it did. In 2020, the California Consumer Privacy Act (“CCPA” for short) went into effect. You’ll be excused for thinking that the CCPA might impose some restrictions on you… some online lawyers went into fear-mongering mode and used the CCPA as a reason for you to buy something from them. 

But, as we’ll cover later in this guide, the CCPA almost certainly doesn’t apply to your business. The CCPA privacy policy requirements really only apply to relatively large businesses and data brokers.

Back to the law that actually does apply… 

CalOPPA is an amazing law. It’s amazing because it was passed back when about 75% of Americans were still using dial-up internet and more than 90% of people were browsing the web with Internet Explorer. 

What’s even more amazing is CalOPPA’s simplicity. 

You can read the whole law online with a single flick of your scroll wheel. It succinctly sets out: (1) who is required to have a privacy policy, (2) what you have to include in that privacy policy, and (3) where you have to post the darn thing. 

But I’m guessing you’d rather not read a statute… I get it. I’m a lawyer, and I don’t really like reading statutes (but it’s kinda my job). 

Luckily for you, this guide will break CalOPPA down into plain English so you know exactly what you need to do to comply. 

Let’s dive in.

Are You Required To Comply With CalOPPA?


If you’re building an online business, the short answer is… Yes.

Or at least the answer is that you will be subject to CalOPPA at SOME point in the life of your online business. 

Here’s the long explanation…

CalOPPA’s language is pretty clear (at least for a law!):

“An operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site…”

California Business and Professions Code § 22575

We lawyers like to break things down into chunks, so I’m going to break this section down for you. You are required to post a privacy policy if you meet all three of these requirements:

  1. you operate a commercial Web site or online service;
  2. that site or service collects personally identifiable information through the Internet; and
  3. that includes information about consumers residing in California.

A business website will obviously meet the first prong. 

Assuming you aren’t a local business in some other part of the country… you are going to have folks from California visiting your site. So if you’re collecting personally identifiable information, the third prong will be met.  

So the only question is whether you are collecting “personally identifiable information” about people who visit your site. 

CalOPPA defines that term as including any of the following: 

  • First AND Last Name
  • Address
  • Email Address
  • Phone Number
  • Social Security Number
  • Anything that would allow you to contact a specific person
  • Information collected by a website or service if it is stored alongside one of the other pieces of personal information 

Nearly every business website collects at least one of the first four categories. Whether it’s email addresses for your email marketing or names and addresses for purchases… I’m guessing you are collecting at least one of them. 

That means you are subject to CalOPPA. 

That wasn’t so bad, now was it?? 

What Are You Required To Include In Your California Privacy Policy?


Since you are almost certainly subject to CalOPPA’s privacy policy requirement, let’s talk about what you need to include in that policy.  To comply with California law, your privacy policy will need to include the following information: 

  • What Information Your Website Collects
  • Who You Might Share The Information With
  • How Someone Can Review & Revise The Information (if applicable)
  • How You’ll Tell People About Changes To Your Policy
  • The Effective Date Of Your Policy
  • How You Handle Do Not Track Requests (and whether third parties may collect information about your visitors across other sites)

A quick note… CalOPPA is not really about guaranteeing or protecting privacy. It does not set any rules for what may be collected, with whom it may be shared, or how you’ll answer any other privacy issues. 

CalOPPA is simply about transparency. 

It requires you to provide a notice to website visitors so they can assess your privacy policies for themselves. 

Let’s dive into the specific information you are required to disclose.

What Information Your Website Collects

First and foremost, you need to explain what information you are collecting from individuals; CalOPPA provides that your privacy policy must “identify the categories of personally identifiable information that the operator collects through the Web site…”

Some of the information you collect should be pretty obvious. I mean, if a user fills out a form with their name and email address, that’s personal information you are collecting. 

But some of the data collection is happening behind the scenes as a result of tracking or analytics software like Google Analytics. Web-savvy online marketers understand that this kind of information collection is happening… normal folks, not so much. 

So, your privacy policy should explain that you are collecting information the visitors provide and collecting information automatically. Here’s an example of a section describing what information is being collected:

Information We Collect About You
When you access the Website, the Company will learn certain information about you during your visit.

Information You Provide To Us. The Website provides various places for users to provide information. We collect information that users provide by filling out forms on the Website, communicating with us via contact forms, responding to surveys, search queries on our search feature, providing comments or other feedback, and providing information when ordering a product or service via the Website.

We use information you provide to us to deliver the requested product and/or service, to improve our overall performance, and to provide you with offers, promotions, and information.

Information We Collect Through Automatic Data Collection Technology. As you navigate through our Website, we may use automatic data collection technologies including Google Analytics to collect certain information about your equipment, browsing actions, and patterns. This will generally include information about your location, your traffic pattern through our website, and any communications between your computer and our Website. Among other things, we will collect data about the type of computer you use, your Internet connection, your IP address, your operating system, and your browser type.

The information we collect automatically is used for statistical data and will not include personal information. We use this data to improve our Website and our service offerings. To the extent that you voluntarily provide personal information to us, our systems will associate the automatically collected information with your personal information.

With Plainly Legal™’s smart Legal Doc Generator, you can create your own privacy policy and can always get even more specific with the list of the categories that you collect by listing more specific categories (e.g., names, addresses, email addresses, etc.).

Just make sure to include the statement about automatic data collection and that your system will likely associate that with the information they provide manually.

Don’t worry, Plainly Legal™’s Legal Doc Generator guides you through this process!

Who You Might Share The Information With

Next up, you need to explain who, outside your company, might get their hands on the information. 

A lot of people think this is simple and just want to say that they won’t share the information they collect with anyone. I mean, that sounds great on an opt-in form, right?

Not sure about you, but A LOT of the opt-in forms I see have something like this one: 

Opt-in form with fields for “first name” and “email” and a “submit” button. Below the button, next to a lock icon, the fine print reads: “We respect your privacy. Your data will not be shared or sold.”

I’m not going to name names, but the fine print on that form (what’s below the button) is the standard “Privacy Policy Disclaimer” language for forms that’s built-in to one of the online marketing apps.

The trouble is that it is basically never true. 

Chances are pretty stinking good that you will share some of the personal information you collect with folks outside your company. And you need to leave open the possibility that you might at some point in the future. 

Here’s an example of this section of your privacy policy:

Disclosure of Your Information
As a general rule, we do not sell, rent, lease or otherwise transfer any information collected whether automatically or through your voluntary action.

We may disclose your personal information to our subsidiaries, affiliates, and service providers for the purpose of providing our services to you.

We may disclose your personal information to a third party, including a lawyer or collection agency, when necessary to enforce our terms of service or any other agreement between you and the Company.

We may provide your information to any successor in interest in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of the Company’s assets and/or business.

We may disclose information when legally compelled to do so, in other words, when we, in good faith, believe that the law requires it or for the protection of our legal rights or when compelled by a court or other governmental entity to do so.

You’ll notice that it starts with a statement that the company generally will not share private information, but it defines instances in which it might, including:

  • With subsidiaries, affiliates, and service providers to serve customers
  • With a lawyer or collection agency to enforce an agreement
  • To a “successor in interest” if the company is sold
  • If legally required to do so

This more complete picture is the way to go. You are providing accurate information and also building trust by providing a thoughtfully constructed explanation. 

If Applicable… How Someone Can Review & Revise The Information

Under CalOPPA, you are not required to provide a way for people to review the information you have about them (or correct it). But if you do have a mechanism for people to do so, you must describe it in your privacy policy. 

Most small businesses will decide not to provide this kind of mechanism to review and correct… so you most likely don’t need to address this in your privacy policy. 

But if you decide to create a review and correct procedure, spell it out in your privacy policy. 

How You’ll Tell People About Changes To Your Policy

Your privacy policy won’t be a static document that never changes. As your business evolves and as the legal requirements change, you’ll need to update your privacy policy. 

Under CalOPPA, your policy needs to tell people how you’ll notify users of those changes. 

While it can be a good idea to email people on your email list to notify them of changes to your privacy policy… you won’t have contact information for everyone. That’s why the standard practice is to explain that you’ll notify users of changes by updating the policy on the website itself. 

Here’s an example of the change clause that has the best of both worlds:

Policy Changes
It is our policy to post any changes we make to our privacy policy on this page. If we make material changes to how we treat our users’ personal information, we will notify you by email to the email address specified in your account and/or through a notice on the Website home page. The date the privacy policy was last revised is identified at the bottom of the page. You are responsible for ensuring we have an up-to-date active and deliverable email address for you, and for periodically visiting our Website and this privacy policy to check for any changes.

We put some lawyer hedge language in saying that we’ll only email about “material changes,” which is lawyer-speak for big changes. But we also tell people that it is their responsibility to check the page periodically. 

The Effective Date Of Your Policy

This is the easiest part of your privacy policy… you need to include the date that the privacy policy went into effect. This is simple as can be… just post the date that you posted (or last modified) the privacy policy at the top or bottom. 

No reason to belabor this one! 

How You Handle Do Not Track Requests

Certain web browsers have a setting called “Do Not Track.” Technically it is very simple: when the setting is on, the browser adds a “DNT: 1” header to every request it sends, which is nothing more than a request to the website not to track the user. There’s nothing mandatory about it; the website decides what, if anything, to do with that header. (Some browsers have since dropped the setting altogether, Safari did in 2019, but the disclosure requirement below still applies.) 

In 2013, CalOPPA was amended (effective 2014) to require website owners to tell visitors how they respond to “do not track” signals, and, in the same amendment, to disclose whether other parties (advertising networks, for example) may collect personally identifiable information about a visitor’s online activities over time and across different websites when they use yours.

To be clear, you are NOT required to honor those requests… you just have to tell people whether your website will honor these requests or not. 

Unless you actually configure your site to behave differently when that header arrives (for example, by not loading your analytics tags for those visitors), the honest and safest way to handle this in your privacy policy is to state that you do not respond to or honor Do Not Track signals. Whatever you choose, make sure the statement is true: a policy that promises to honor the signal while your tracking scripts keep firing is worse than one that admits you ignore it, because now you are making a false statement rather than simply declining to act. 
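If you do decide to honor the signal, the decision has to be made where the page is built, before any tracking tag is emitted. The following is an added example for this guide, not code from the original page or from Plainly Legal: it reads the real DNT request header, treats only the two defined values (“0” and “1”) as a signal, and omits a placeholder analytics tag when the visitor asked not to be tracked. The page template, the analytics tag and the sample request headers are stand-ins constructed for the example.

```python
"""Gate analytics on the browser's Do Not Track signal.

Added example for this guide, not code from the original page or from
Plainly Legal. The DNT request header is real (a browser with the setting
on sends "DNT: 1"); the page template and the analytics tag below are
placeholders standing in for whatever your site actually loads.
"""
from typing import Mapping, Optional

# Placeholder for a real analytics tag (e.g. the Google Analytics snippet).
ANALYTICS_TAG = '<script src="/static/analytics.js"></script>'


def dnt_preference(headers: Mapping[str, str]) -> Optional[str]:
    """Return "1" (do not track), "0" (tracking allowed) or None (no signal).

    Header names are matched case-insensitively. Only "0" and "1" are
    defined values, so anything else is treated as "no signal" rather
    than guessed at.
    """
    for name, value in headers.items():
        if name.lower() == "dnt":
            value = value.strip()
            return value if value in ("0", "1") else None
    return None


def tracking_allowed(headers: Mapping[str, str], honor_dnt: bool) -> bool:
    """Decide whether tracking scripts may run for this request.

    honor_dnt=False reproduces the "we do not respond to Do Not Track"
    position; honor_dnt=True means a DNT: 1 header disables tracking.
    """
    if not honor_dnt:
        return True
    return dnt_preference(headers) != "1"


def render_page(headers: Mapping[str, str], honor_dnt: bool = True) -> str:
    """Render a page, inserting the analytics tag only when tracking is allowed."""
    body = "<html><head><title>Example</title></head><body><h1>Hello</h1></body></html>"
    if tracking_allowed(headers, honor_dnt):
        return body.replace("</body>", ANALYTICS_TAG + "</body>")
    return body


if __name__ == "__main__":
    # Constructed sample requests: one with DNT on, one without any signal.
    dnt_on = {"Host": "example.com", "DNT": "1", "User-Agent": "Firefox"}
    no_signal = {"Host": "example.com", "User-Agent": "Chrome"}
    print("DNT on, honored -> tag present:", ANALYTICS_TAG in render_page(dnt_on))
    print("DNT on, ignored -> tag present:", ANALYTICS_TAG in render_page(dnt_on, honor_dnt=False))
    print("no signal       -> tag present:", ANALYTICS_TAG in render_page(no_signal))
```

The one flag, honor_dnt, is the whole policy decision: whichever way you set it, the sentence in your privacy policy must match it, and the check has to run on the server (or before the tag is injected client-side), because once the analytics script has loaded the request to the tracker has already been made.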

That being said, there are other laws that cover “cookies” and require that we give notice that cookies are in use on our sites. On our previous site, we used a plug-in that allows users to select which cookie categories to accept:

Cookie pop-up notification: “Mmmmm, cookies! We use cookies to make this website as awesome as Cookie Monster. Some cookies help us understand how people use our website so we can make it better. Some cookies help our site remember your preferences when you come back next time. And some cookies let us use targeted messages (rather than spamming everyone with the same message!). We’re like Cookie Monster and want ALL the cookies... but we get that not everyone does. If you’re like us, just click ACCEPT so we can get on with the show. If you want to pick and choose your cookies, that’s cool too... just click Cookie settings.” Buttons: Accept, Cookie settings.

What… we figure that a cookie notice doesn’t have to be boring! Might as well have a bit of fun. And who doesn’t like Cookie Monster?!?!

Because we give people the option to set their preferences (rather than simply requiring them to accept all cookies), we explain this option in our privacy policy. Although we could stop at saying we do not respond to “Do Not Track” requests, adding a description of our cookie options gives additional trust signals to visitors.

The Easiest Way To Create A CalOPPA Compliant Privacy Policy

You could read the advice in this guide and write your privacy policy from scratch… but you really shouldn’t spend your time doing that!

Here’s guessing you have better things to do with your time than to try to write a legal policy for your website.

Besides, there are laws other than CalOPPA (like the General Data Protection Regulation from the EU) that you should address in your privacy policy. 

With Plainly Legal™’s smart Legal Doc Generator, you can create your GDPR and CalOPPA-compliant privacy policy lickety-split! All you have to do is answer a few questions and you’ll get a customized policy for your site. 

Where Do You Post Your Privacy Policy?


CalOPPA requires you to “conspicuously post” your privacy policy. 

You could meet the “conspicuously post” requirement by posting the privacy policy on your homepage… but you probably don’t want to do that. 

You can also meet this privacy policy requirement by including a hyperlink that includes the word “Privacy” in the link on your homepage or any other page where someone might enter your site. 

The most obvious way to do this is to post a link in the universal footer that appears on all pages of your website. This is how we do it:

Footer of Plainly Legal’s website: “Plainly Legal Legal Disclaimer: Your Online Genius LLC is not a law firm, and its employees cannot offer legal advice. Plainly Legal is not a substitute for a lawyer or legal advice. Plainly Legal provides self-help services powered by technology that you can use at your own discretion.” followed by the links Privacy Policy, Website Disclaimer, Website Terms of Use, and Software Terms of Use.

Since we have a universal footer, that appears on every page without us having to give it another thought. 

If you have landing page software (or anything outside your main website), make sure you include a link to your privacy policy on those pages as well!
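Landing pages built in a separate tool are exactly where the footer link goes missing, so it is worth checking mechanically. The following is an added example for this guide, not code from the original page or from Plainly Legal: it parses each page’s HTML with the standard library and reports any page that has no link whose visible text contains the word “privacy”. The sample site is constructed inline (a home page and an about page with the universal footer, and a webinar landing page whose only privacy link is a captionless icon); in practice you would feed it the HTML of your real pages.

```python
"""Check that every page carries a text link containing the word "privacy".

Added example for this guide, not code from the original page or from
Plainly Legal. The sample pages are constructed inline; in practice you
would feed it the HTML of your real pages (including landing pages
hosted outside your main site).
"""
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None   # href of the <a> currently open, if any
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so text split across nested tags still reads naturally.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def has_privacy_link(html: str) -> bool:
    """True if some link's visible text contains "privacy" (any case).

    The href alone is deliberately not enough: CalOPPA's safe harbour is a
    hyperlink whose *text* includes the word, so "/privacy" behind an icon
    with no caption does not count here.
    """
    collector = _LinkCollector()
    collector.feed(html)
    return any("privacy" in text.lower() for _, text in collector.links)


def pages_missing_privacy_link(pages: Dict[str, str]) -> List[str]:
    """Return the URLs (sorted) whose HTML has no qualifying link."""
    return sorted(url for url, html in pages.items() if not has_privacy_link(html))


# Constructed sample site: two main-site pages with the universal footer and
# a landing page built in a separate tool that only got a captionless icon.
SAMPLE_PAGES = {
    "https://example.com/": (
        "<html><body><h1>Home</h1>"
        "<footer><a href='/privacy'>Privacy Policy</a> | "
        "<a href='/terms'>Terms of Use</a></footer></body></html>"
    ),
    "https://example.com/about": (
        "<html><body><p>About us</p>"
        "<footer><a href='/privacy'><span>Privacy</span> Policy</a></footer>"
        "</body></html>"
    ),
    "https://pages.example.com/webinar": (
        "<html><body><form><input name='email'><button>Sign up</button></form>"
        "<a href='/privacy'><img src='lock.png'></a></body></html>"
    ),
}

if __name__ == "__main__":
    for url in pages_missing_privacy_link(SAMPLE_PAGES):
        print("missing privacy link:", url)
```

Run it over the HTML of every page that can be an entry point (home page, landing pages, checkout pages on a separate domain). The webinar page in the sample fails on purpose: it links to the policy, but only through an image with no text, which is the kind of link the statute’s “includes the word ‘privacy’” safe harbour does not cover.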

That’s a wrap on the requirements of CalOPPA.

What About CCPA?


Now that we’ve got you all covered when it comes to CalOPPA, let’s take a bit to talk about why you almost certainly don’t have to worry about the CCPA. 

The CCPA was passed in 2018 and went into effect on January 1, 2020. 

Right around the end of 2019, people in the online world started to worry about CCPA and thought they needed to comply with it. Suddenly, I was getting endless queries about whether my privacy policy template was CCPA compliant. 

My simple answer was no. 

And the reason is simple… if the CCPA applies to your business, you should talk to a lawyer to get a custom-crafted privacy policy. 

But don’t worry… that almost certainly isn’t you. 

Unlike CalOPPA, the CCPA is a beast of a law… both in terms of its complexity and in terms of the burdens it imposes upon businesses. 

You could try reading the entire law… but I don’t recommend it. If you don’t fall asleep, you’re likely to find yourself smashing your head against the wall trying to understand the dang thing. 

As a lawyer, I get why the CCPA freaked everyone out. It begins with what sounds like some pretty freaking broad language:

a) A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.

b) A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.

c) A business shall provide the information specified in subdivision (a) to a consumer only upon receipt of a verifiable consumer request.

d) A business that receives a verifiable consumer request from a consumer to access personal information shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required by this section. The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, readily useable format that allows the consumer to transmit this information to another entity without hindrance. A business may provide personal information to a consumer at any time, but shall not be required to provide personal information to a consumer more than twice in a 12-month period.

That language seems to pretty clearly say we are all subject to the CCPA. I mean, we are all businesses, right? 

And we are collecting information from consumers, right? 

So clearly this law applies to us, right?

A normal human being reading the law would obviously answer yes. 

But laws can’t always be interpreted correctly from the perspective of a regular human. 

If you think lawyers are annoying, the people who write laws are sometimes even MORE annoying… and this is one of those cases. 

To understand what the CCPA actually says, you have to sift through the long, boring, and complex definitions. Specifically, the definitions of “business” and “consumer.” 

In the CCPA, the term “business” doesn’t actually mean business. 

Weird. I know. 

In CCPA land, “business” only includes a business that meets one or more of these thresholds:

  • Your annual gross revenue is more than twenty-five million dollars ($25,000,000);
  • You buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices; or
  • You derive 50% or more of your annual revenues from selling consumers’ personal information. 

(Those are the thresholds as originally enacted. The CPRA, approved by California voters in November 2020 and operative since January 2023, raised the second one to 100,000 or more consumers or households and extended the third to revenue from selling or sharing personal information, so check the current text of the statute if you are anywhere near these numbers.)

Are you starting to see why I’m pretty sure the CCPA doesn’t apply to you… and why you should really be talking to a lawyer if it does?

I mean… if your business is raking in $25 million or more per year, you really should be talking to your lawyer about CCPA and other legal issues rather than reading legal guides about them. (Even really awesome guides like this one!) 

And if you’re a data broker who makes a living by collecting and selling data… you really should have a privacy lawyer on speed dial. 

The only threshold that you might come close to is the second one, so the question is whether your business is buying, receiving, selling, or sharing personal information from at least 50,000 consumers each year. 

The CCPA defines personal information as: 

“information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

It then provides a list of categories, that includes (among other things): 

“Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.”

This section is considerably broader than the CalOPPA definition, most notably because it includes IP addresses. 

Without getting all technical, you should just assume that your website is collecting data about the IP addresses of visitors (and collecting even more data if you have analytics installed). 

So, the only remaining question is whether you are collecting information from at least 50,000 consumers. 

You might think this means you just have to look at your Google Analytics to see how many website visitors you had in the last year. 

And… you would be wrong. 

Just like “business” doesn’t mean business, “consumer” doesn’t really mean consumer. The CCPA defines “consumer” to only include people living in California. 

So, the net result is that you only qualify as a “business” if you are collecting personal information from 50,000 California residents each year.

Although each business is different, chances are that you won’t come close to qualifying as a “business” that is subject to the CCPA until you have a high-seven or low-eight-figure business.

If that’s you… probably a good idea to stop reading this really cool guide and call your lawyer.

So that’s it… California privacy policy law in a nutshell.

If you’ve made it down to the bottom of this post, you’re a trooper in my book. And if you’re still awake, I may have just made it entertaining enough.

With Plainly Legal™’s smart Legal Doc Generator, you can easily draft your privacy policy in minutes, ensuring your website and business are protected.
