- The policy appears on the home page of the website; or
- The policy is directly linked to the home page via an icon that contains the word “privacy,” and such icon appears in a color different from the background of the home page; or
- The policy is linked to the home page via a hypertext link that contains the word “privacy,” is written in capital letters equal to or greater in size than the surrounding text, is written in a type, font or color that contrasts with the surrounding text of the same size, or is otherwise distinguishable from surrounding text on the home page.
- What user personal data you collect;
- How you use the personal data you collect;
- What personal data you disclose and to whom you may disclose such data; and
- How you collect and manage such personal data.
For personally identifiable information collected about California residents, Cal OPPA requires that privacy policies include the following:
- A list of the categories of personal data that you collect.
- A list of categories of third parties with whom you may share personal data.
- The effective date of the policy, or any revised version.
Collecting Personal Data from Children under 13 or Other Age-Related Data
The Children’s Online Privacy Protection Act (“COPPA”) applies to companies that operate commercial websites and online services directed to children under 13 that collect, use or disclose personal data from children. COPPA also applies to companies that operate general audience websites or online services and have actual knowledge that they are collecting, using or disclosing personal data from children under 13. As a result, if you are collecting age-related data (e.g., birth year or age), you will need to comply with COPPA, unless you take affirmative action to fall outside of COPPA. The FTC has generated FAQs that provide guidance on the actions that general audience websites must take to avoid being required to implement COPPA protections. These FAQs are available here. In particular, you should review Section G, Question 3: “Can I block children under 13 from my general audience website or online service?”
Implementing Third Party APIs
Sharing Personal Data with Third Parties for Direct Marketing Purposes
California’s Shine the Light law, California Civil Code Section 1798.83, requires businesses with 20+ employees that share personal data with third parties for the third parties’ direct marketing purposes to either: (a) provide customers, upon request, a list of the categories of personal data that were shared with third parties for direct marketing purposes during the preceding calendar year and the identity of the third parties with whom they were shared, or (b) inform customers of their right to either opt in or opt out of such information sharing.