Mark Pestronk

Q: In your June 11 column ("If you collect personal information, you need a privacy policy"), you stated that if we collect personal information from anyone in California, we must have a website privacy policy that complies with the California Online Privacy Protection Act (CalOPPA), regardless of whether our agency is located in that state. It looks like we need to comply with CalOPPA because we have a contact form for prospective clients on our website, and Californians have filled it out. What do we have to do to comply? We also have a link to an online booking engine that clients can use, so do we need our privacy policy to cover that, too, or can we rely on the booking engine vendor's privacy policy? If we comply with CalOPPA, will we be compliant with any of the other 49 states' laws as well?

A: First, the good news: If you comply with CalOPPA, there are no other U.S. federal or state privacy-policy-related statutes or regulations that you have to worry about. So if you are CalOPPA-compliant, you are good to go nationwide.

You have to comply with CalOPPA only if your website or mobile app collects personally identifiable information through the internet. So if you have a website or mobile app but you collect all such information by email, by phone or in person only, the law does not apply.

The privacy policy required by the CalOPPA law must have the following seven clauses:

  • Categories and examples of personal information you collect
  • Categories of third parties with which you share the information
  • How users can request changes to any of the information
  • How you will notify users of changes to your privacy policy
  • The effective date of the policy and any amendments
  • Whether third parties may collect information from you about a consumer's online activities over time and across different websites
  • How you respond to "do not track" requests of users

"Tracking" means collecting personal information from the individual's online activities on other websites. If you do not do such tracking and do not use a third-party service to do so, you can ignore the last requirement or just say, "We do not track your online activities on other websites."

In addition to the seven clauses, you need to do the following: You must make sure that the privacy policy is clearly posted on your website or app. You can have a link at the bottom of the homepage, but the link must use the word "privacy," and the letters of the link must be more prominent than the letters of other links in close proximity. You cannot bury the policy by having just a link to "legal" or "terms and conditions." If you don't like the word "policy," you can use a similar word after "privacy," including "notice," "statement" or "agreement."

The policy must be simply worded and simply organized using bullet points or clear section headings.

If you have an online booking engine vendor's booking form on your website, or if you just have a link to one, you must still comply with CalOPPA because you are collecting and keeping the personal information, even if the booking engine vendor does so, too.

I have been working on a free, simple, CalOPPA-compliant model privacy policy for travel agencies that need one, and you can find my model here:
