Online Privacy Protection Law

Your website must conspicuously post a privacy policy!

Internet Privacy Protection Law

Do you or does your business own and operate a website that collects personally identifiable information from any California consumer, such as name, address, telephone number, date of birth or email address?

If so, then you must conspicuously post your privacy policy on your website!

CalOPPA – The California Online Privacy Protection Act of 2003, as amended in 2013 (CalOPPA), applies to any person or company in the United States (and even the world!) whose website collects personally identifiable information online from California consumers. CalOPPA requires these persons/businesses to conspicuously post a privacy policy on their website. The privacy policy must include what information the operator collects, how the information will or could be shared with others and how the operator responds to “Do Not Track” signals. CalOPPA also requires companies to comply with their website’s privacy policy.

What’s the big deal? CalOPPA is enforced through California’s Unfair Competition Law (UCL), found in Business and Professions Code §§ 17200-17209, and you could face penalties of up to $2,500 for each violation. CalOPPA can also be enforced by the Federal Trade Commission, the California Attorney General’s Office, district attorneys and some city and county attorneys, who can all file suit for “unfair competition.” These entities can seek civil penalties and equitable relief. Furthermore, under California’s UCL, a consumer or a business may file a private action for violations of CalOPPA.

But CalOPPA is just the beginning.  There are multiple US laws and global privacy laws that govern the collection of information from consumers.  These include the following, just to name a few:

COPPA – The Children’s Online Privacy Protection Act applies to websites and services targeted to children. Among other things, it requires them to post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children, to provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children, and to give parents access to their child’s personal information to review and/or have the information deleted.

CCPA – The California Consumer Privacy Act includes, among other things, the right of California consumers to request disclosure of a business’s data collection and sales practices, the right to request the specific personal information collected, the right to have certain information deleted, the right to request that personal information not be sold to third parties, and the right not to be discriminated against for exercising these rights. The law requires that these notices be given at or before the point of collection of personal information and be posted on the business’s website.

These rights apply to businesses that are organized and operated for the profit or financial benefit of their shareholders or other owners and that determine the purposes and means of processing personally identifiable information. The CCPA applies to businesses in California that have annual gross revenues that exceed 25 million dollars, sell personal information of 50,000 or more consumers, or receive 50% of their annual revenue from sales of personal information.

GDPR – The General Data Protection Regulation applies to businesses that are formed and operated in the European Union or to companies that collect information from people in the European Union. Its rules tend to be stricter, and it protects people under the age of 16 by requiring parental consent to collect their information. If you collect any information from people in the European Union, you must abide by the requirements of the GDPR.

Other Privacy Considerations: Other privacy issues that should be considered include those under the following laws: the Health Information Portability and Accountability Act, the Family Educational Rights and Privacy Act, the Fair Credit Reporting Act, the Fair and Accurate Credit Transaction Act, the Gramm-Leach-Bliley Act, the Cable Communications Policy Act, and the Telephone Consumer Protection Act.


If you run a website that collects information from consumers, it is of the utmost importance that you consult with a certified privacy professional. We provide website owners and operators with current privacy policies to protect you from running afoul of the numerous laws with which you must comply.

For more information on the privacy services provided by Daryl Reese Law PC, contact Sarah M. Hurd Montgomery at

Sarah is a Certified Information Privacy Professional/United States (CIPP/US) through the ANSI-accredited International Association of Privacy Professionals (IAPP). Complementing her estate planning practice, Sarah has been assisting clients with drafting website privacy policies to comply with California’s Online Privacy Protection Act, the Children’s Online Privacy Protection Act, the California Consumer Privacy Act, and the General Data Protection Regulation.

The CIPP is the global standard in privacy certification. Developed and launched by the IAPP with leading subject matter experts, the CIPP is the world’s first broad-based global privacy and data protection credentialing program. The CIPP/US demonstrates a strong foundation in U.S. private-sector privacy laws and regulations and understanding of the legal requirements for the responsible transfer of sensitive personal data to/from the U.S., the EU and other jurisdictions. Sarah joins the ranks of professionals worldwide who currently hold an IAPP certification.

Our firm serves clients in California

Office Location

3843 Brickway Blvd. Ste 204
Santa Rosa, CA 95403

Office Hours

M-F: 9am - 5pm