Any e-retailer that collects information about California residents must comply with the California Online Privacy Protection Act or face lawsuits.

Robert Estrin, counsel, Michelman & Robinson, LLP

It has been three decades since the Electronic Communications Privacy Act of 1986 was enacted. Since then, federal legislation has touched upon privacy issues in a piecemeal fashion, including the Children’s Online Privacy Protection Act; however, Congress has not passed a major comprehensive privacy law in years. As a consequence, online retailers and others involved in e-commerce have little guidance relative to the connected marketplace, current consumer behavior and the advanced and ever-evolving capabilities of technology.

Though the leader in technological innovation, the United States lags behind other countries when it comes to data privacy regulation. For example, on April 13, 2000, the Canadian Parliament passed the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which sets the ground rules for how private-sector organizations collect, use and disclose personal information in the course of for-profit, commercial activities across Canada. More recently, on April 27, 2016, the European Union adopted the General Data Protection Regulation (GDPR), establishing fundamental, persistent rights and freedoms of EU residents with regard to their personal data. For its part, the U.S. has no comparable law.

To fill the void, most states have passed legislation to regulate the collection and use of personal information, and online businesses are left to navigate this patchwork of laws. One of the first of these, in effect since 2004, was the California Online Privacy Protection Act (“CalOPPA”), codified at Business and Professions Code Chapter 22, Sections 22575-22579. While not as comprehensive as, say, PIPEDA or the GDPR, CalOPPA requires every operator of a commercial website or online service that collects personally identifiable information from California consumers to conspicuously post a privacy policy, which must, among other things, (1) describe how users are to be notified of changes to the privacy policy; (2) disclose how the operator responds to users’ “do not track” requests; and (3) specify the effective date of the privacy policy. The policy must also identify the categories of personally identifiable information collected and the categories of third parties with whom the operator may share it.

Notably, a website operator is in violation of CalOPPA if it fails to post a compliant privacy policy within 30 days of being notified of noncompliance (e.g., not posting a privacy policy at all or failing to meet the law’s other criteria). And though CalOPPA does not contain its own enforcement provisions, an Internet company that violates the law can expect to face a lawsuit under California’s Unfair Competition Law (“UCL”), which is particularly dangerous to companies because it allows either governmental officials or private parties to bring claims.


If you operate a commercial website and wonder, “Am I subject to CalOPPA’s requirements,” the answer is almost undoubtedly yes. The law applies to any business collecting “personally identifiable information through the Internet about individual consumers residing in California.” Those outside California must be mindful of the mandates of CalOPPA as well, as its scope extends beyond the state’s border. Indeed, a violating entity need not be a California company. Instead, all that is necessary to be subject to CalOPPA is operation of a commercial website or online service that collects personally identifiable information from California residents, which, for any site accessible to the public, is a near certainty.

Even Google has felt the impact of CalOPPA. A group of privacy advocates accused the online giant of not posting its privacy policy conspicuously enough to comply with California law. They argued that CalOPPA requires a website to include a link that includes the word “privacy” or appears in a larger font than the rest of a page’s text. At the time, Google required a user to click on an “About Google” tab in order to bring up a link to its privacy policy.

While Google has thus far avoided a lawsuit on the issue, consumer groups have impelled the California Attorney General to take action under CalOPPA. And the AG’s office seems to be serious about ensuring CalOPPA compliance. In late 2016, then-Attorney General Kamala Harris made it easier than ever for consumers to report violations of the law by creating an online form to allow consumers to report websites and mobile applications that they believe to be in violation. No doubt, your company does not want to face such scrutiny (or the negative publicity that Google received concerning its privacy policy), which is why compliance with CalOPPA should be front of mind.

As of this writing, federal lawmakers are once again dipping their toes into the data privacy waters by trying to codify nationwide standards on breach notification and on how data is handled and stored. The current bipartisan bill (the “Data Acquisition and Technology Accountability and Security Act,” or “DATAS Act”), introduced by Representatives Blaine Luetkemeyer, a Missouri Republican, and Carolyn Maloney, a New York Democrat, appears to be gaining some traction, but passage is certainly not guaranteed. Time and again, such as immediately following the 2013 Target breach, members of Congress have proposed national, standardized privacy and data security requirements, but to no avail.

On the federal front, all one can do is wait and see. In the meantime, California remains at the forefront of consumer privacy law. For this reason, and given its reach, companies are encouraged to pay heed to CalOPPA and its far-reaching mandates.

Robert Estrin is counsel at Michelman & Robinson, LLP, a national law firm with offices in Los Angeles, Orange County (California), San Francisco, Chicago and New York City. He represents a range of clients, including those in the tech industry, involved in complex commercial disputes.