
CCPA vs CalOPPA: Which one applies to you and how to ensure data security compliance

May 20, 2021 by Ben Hartwig

It seems like we hear about a big data breach every week. Another large business with seemingly unlimited resources is found to have had security vulnerabilities that hackers exploited to gain access to sensitive information like emails, pictures and financial information. In response, federal and state governments have passed strong consumer privacy protection laws, such as the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA).

These laws protect consumers’ privacy, but they apply to very different situations. You must understand your rights under these laws and the dangers that present themselves when companies do not comply with them.

The state of consumer data collection today

As of 2018, more than 2.5 quintillion bytes of data were created every year, but it is projected that the amount of data generated each day by 2025 will be 463 exabytes. Today, much of the data is considered “big data.” What is big data? This refers to data whose size is so large that it is beyond the ability of traditional databases to capture, manage and process it. Businesses are all too happy to obtain this valuable data to drive sales and connect with customers.

Today’s marketing is all about making it personal to the customer. Businesses are increasingly able to do this by collecting massive amounts of data about their customers and anyone who visits their website. This allows them to tailor their marketing message to you, based on your specific characteristics.

Business News Daily reports that the most common types of data that companies collect about consumers are:

  • Personal data: Names, dates of birth, addresses, gender, IP addresses, web browser cookies and device IDs.
  • Engagement data: How consumers interact with a website, email, paid ad and more.
  • Behavioral data: Purchase histories, repeated action and mouse movement information.
  • Attitudinal data: Consumer satisfaction, product desirability and purchase criteria.

Companies using consumer data for good and bad

Using consumer data can go exceptionally well or spectacularly badly.

On the good side, Netflix uses big data to make suggestions about the next movie or program you should watch, based on your past search and watch data. Other subscribers with similar interests also play a part. Netflix’s recommendation system influences about 80% of what is streamed on the mega platform.

Amazon Fresh and Whole Foods use their big data to understand how consumers buy groceries and how suppliers interact with the grocer to improve innovation. The Rapid SOS Clearinghouse system uses publicly available data, big data, GPS location data and real-time sensor data to deliver relevant information to first responders on 911 calls, allowing them to reach emergency victims faster.

Then there is the bad, where companies have used big data in potentially harmful ways. Take Vizio. The affordable TV brand tracks information about each owner and shares this information with companies to deliver targeted ads. The worst thing about it is that the company never asks permission to track and report your information, which is why the company is currently embroiled in a messy lawsuit.

Talking about privacy violations, there is CVS, which the U.S. Department of Health and Human Services has found to have violated federal patient privacy laws at least 200 times in four years. Complaints include one patient’s medication being delivered to his neighbor, which revealed he had cancer; a pharmacist yelling personal information across the counter; and the company dumping prescription bottles in unsecured dumpsters.

Then, there is Ashley Madison, the notorious website whose current tagline is “Life is short. Have an Affair.” It was hacked, and the hackers threatened to release personal information about its users unless the site was taken down. The company refused to give in to the threat, and the hackers released data on thousands of its adulterous users. A lawsuit has since been filed, seeking more than $578 million from the company founded on lying and cheating.

What do governments do to protect consumer data rights?

Governments are taking an increasing interest in protecting consumer data rights. They often pass broad-ranging consumer protection laws in the interest of protecting consumers’ private data. Some examples of these initiatives include:

  • HIPAA: The Health Insurance Portability and Accountability Act is a U.S. law that established procedures for exercising individual health information privacy rights and for limiting the disclosure of private health information.
  • GDPR: The General Data Protection Regulation is a European Union regulation on data protection and privacy.
  • CCPA: The California Consumer Privacy Act gives consumers the right to know about the data being collected about them, the right to delete this data and the right to opt out of collection.
  • CalOPPA: The California Online Privacy Protection Act requires websites to post a privacy policy if they collect personally identifiable information.
  • UK Data Protection Act: The United Kingdom Data Protection Act protects personal data stored on computers or paper and gives consumers the right to control information about themselves.

California Consumer Privacy Act

The California Consumer Privacy Act protects the consumer privacy rights of people who live in California. Companies must provide more information to consumers about how they are collecting data about them and what they are doing with it. Consumers are given the right to opt out of having their information shared or otherwise used in a way they do not approve of. The law applies to for-profit businesses that have $25 million or more in annual revenue, have the personal data of at least 50,000 individuals, households, or devices or earn more than half of their annual revenue by selling the personal information of consumers. The law exempts certain types of businesses, such as banks, credit reporting agencies and health providers.

The CCPA applies to personal information, such as:

  • Names
  • Social Security numbers
  • Phone numbers
  • Physical addresses
  • Email addresses
  • IP addresses
  • Online handles
  • Biometric information
  • Geolocation data
  • Browsing and search history
  • Records of products purchased

Consumers have limited means to enforce their rights under the CCPA. For example, they may be able to sue a company if a data breach occurs and affects them, provided certain conditions are met. In some instances, consumers can sue for monetary damages for the actual damages they suffered or statutory damages of $750 per incident. The attorney general can file an action against businesses if it identifies patterns of misconduct or other violations of the CCPA.

California Online Privacy Protection Act

The California Online Privacy Protection Act (CalOPPA) applies to businesses that are located in California, as well as businesses that collect personal information from California residents. This privacy law requires companies to:

  • Post a public privacy policy on their website and make it easy to find.
  • Inform consumers of what types of personal information they collect and with whom they share it.
  • Update users regarding changes in their privacy policy.
  • Post an effective date for their privacy policy.
  • Give website or mobile app users an easy way to review and change their personal information.
  • Explain how they respond to Do Not Track signals from web browsers and provide information about how to block this type of technology.

What is the difference between CCPA and CalOPPA?

The CCPA and CalOPPA are two very important consumer privacy laws, but they do have many differences, including in their:


While both laws are consumer protection acts, they apply to different people. Both acts intend to protect the privacy of California consumers, meaning anyone who resides in California. Both are addressed to commercial enterprises. The CalOPPA applies to the operators of commercial websites, mobile apps or online services that collect personal information from California consumers. Therefore, the CalOPPA can apply to businesses in California, Utah or Switzerland.

In contrast, the CCPA applies to any business that impacts people in California, which it defines as any legal entity that:

  • Pursues a profit
  • Operates in California
  • Decides why and controls how consumers’ personal information is processed
  • Has an annual gross revenue of more than $25 million, collects personal information from at least 50,000 devices, consumers, or households or makes at least 50% of its annual revenue by selling consumers’ personal information


Each of the acts requires that the entities to which they apply fulfill certain legal requirements. Under these laws, you must:


  • Display a public privacy policy on your websites
  • Disclose what type of personal information you collect
  • Provide a list of categories of third parties that may receive consumers’ personal information
  • Describe the process you have in place for consumers to review and request changes to their personal information
  • Disclose the date the privacy policy takes effect
  • Explain whether your website honors Do Not Track signals
  • Explain whether consumers’ personal information will be shared outside of your website where your website integrates third-party software or resources


  • Describe consumers’ rights under the law and how they can be exercised
  • Amend your privacy policy to include certain information and update your policy at least once a year
  • Require children to opt into any sale of their personal data
  • Provide the list of categories of personal information that the business has collected, sold or shared in the past year
  • Provide a link that allows consumers to opt out of the sale of their personal information
  • Provide notices that meet certain requirements

Consumer rights

The CalOPPA gives consumers the right to know about how their consumer information is collected via the display of a privacy policy. Under the CCPA, consumers have the right to:

  • Know: Consumers are entitled to know how you will collect their data, what type of data you may collect and what you will do with it.
  • Decline: Consumers can ask the business not to sell their information, and the business must comply.
  • Delete: Under certain situations, you must delete the customer’s information.
  • Not be discriminated against: You cannot discriminate against consumers for exercising these rights.

Does your business fall under the CCPA or CalOPPA?

Your business might fall under the CCPA, the CalOPPA or both laws. This will depend on:

  • What type of business you have
  • Whether you collect personal information from California residents
  • The amount of annual revenue of your business
  • How many people, devices or households you collect personal information from
  • The type of personal information you collect

Technical compliance under CCPA and CalOPPA

To comply with the CCPA and CalOPPA, you must ensure you meet the following requirements in these categories.

General best practices

Complying with the CCPA and CalOPPA largely depends on your ability to adopt best practices and to routinely use them. Some suggestions are to:

  • Learn about your technological infrastructure: Talk to all stakeholders involved in your business about the sensitive information you collect and where it is stored.
  • Map your applications: Map your applications and create an inventory of the information they use.
  • Create privacy notices: Familiarize yourself with the mandatory notices required by these laws and create them.
  • Investigate third-party vendors: Be hesitant to integrate third-party software until you ensure that they comply with these requirements, too.

Database security

Fulfill these requirements to ensure the highest database security:

  • Provide users with all personal data you collect about them.
  • Provide the infrastructure to allow consumers to delete their data.
  • Encrypt data whenever possible.
  • Authenticate access to data.
  • Keep track of where you send data and where you collected the data.
  • Keep track of all consumer rights requests and their progress.
  • Apply pseudonyms for consumers when sharing information for research purposes.
  • Review audit logs periodically to ensure you are complying with all relevant rules.


Under the CCPA, data you collect through the use of cookies is considered “personal information.” Therefore, you must disclose the data you are collecting through cookies and what you are doing with it. You must also give consumers an option to opt out of the sale of this information.

Following the CCPA and CalOPPA

The CCPA and CalOPPA are two broad consumer protection laws that you may have to comply with. Use the tips above to help you meet the laws’ specific requirements and to avoid any compliance issues. 



How much data is generated each day?, Visual Capitalist

How businesses are collecting data (and what they’re doing with it), Business News Daily

5 real-world examples of how brands are using big data analytics, Mentionlytics

Few consequences for health privacy law’s repeat offenders, ProPublica

How Ashley Madison data breach ended marriages, ID Strong

Consumer protection law: The basics, FreeBackgroundChecks

California Consumer Privacy Act (CCPA), State of California Department of Justice

Data security, NIST NCCoE

Ben Hartwig

Ben Hartwig is a web operations director at InfoTracer. He authors guides on marketing and cybersecurity posture and enjoys sharing best practices. You can contact the author via LinkedIn or read more at his blog.