With over 200 privacy laws and regulations possibly applicable to an organization, Privacy 101* introduces three of the most common of these laws - GLBA, COPPA, and CalOPPA - in Indicium's easy-to-follow Q&A format. Indicium's Privacy Compendium** provides deeper coverage.


California Online Privacy Protection Act (CalOPPA)

  1. Who does CalOPPA apply to?  It applies to any person or company anywhere in the world whose commercial website or online service collects and maintains personally identifiable information from a consumer residing in California who uses or visits the website or online service.

  2. What does CalOPPA require?  It requires the website to feature a conspicuous privacy policy stating exactly what information is collected and with whom it is shared and requires the website operator to comply with the site’s privacy policy.

  3. What are the consequences of failing to comply with CalOPPA?  CalOPPA itself does not contain enforcement provisions. It is expected that violations of CalOPPA will be enforced through California’s Unfair Competition Law, under which the California Attorney General’s Office, district attorneys, and some city and county attorneys can file suit seeking civil penalties and equitable relief. In addition, private plaintiffs may assert private claims for violations of CalOPPA under California’s Unfair Competition Law. Failure to comply with CalOPPA or with the terms of a privacy policy will be found to violate CalOPPA only if the noncompliance is either knowing and willful or negligent and material. This means that a non-material (i.e., minor) but deliberate violation of CalOPPA can give rise to liability. As a result, minor technical defects in the posting or the contents of a privacy policy could be a basis for liability. Violations of CalOPPA may also be susceptible to actions by the Federal Trade Commission, which may bring an enforcement action if a privacy policy is deceptive, i.e., a business fails to comply with its posted privacy policy.

Gramm-Leach-Bliley Act


  1.  Who does GLBA apply to?  GLBA applies to a business if the business is a “financial institution” or if the business receives “nonpublic personal information” from a financial institution with which it is not affiliated.
  2.  What does GLBA require?  Financial institutions must give their customers – and in some cases their consumers – a “clear and conspicuous” written notice describing their privacy policies and practices.
  3.  What are the consequences of failing to comply with GLBA?  Federal regulatory authorities and state insurance authorities may bring enforcement actions for violations of GLBA.



Children's Online Privacy Protection Act (COPPA)

  1. Who does COPPA apply to?  COPPA applies to operators of commercial websites and online services directed to children 12 and under that collect, use, or disclose personal information; to operators of general audience websites or online services that have actual knowledge that they are collecting, using, or disclosing personal information from a child 12 and under; and to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children.

  2. What does COPPA require?  Principally COPPA requires operators to:

    • post a clear and comprehensive online privacy notice describing their information practices for personal information collected online from children,

    • provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children,

    • give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case this must be made clear to parents),

    • provide parents access to their child’s personal information to review and/or have the information deleted, and

    • give parents the opportunity to prevent further use or online collection of a child’s personal information.

  3. What are the consequences of failing to comply with COPPA?  Federal and state regulatory authorities may bring enforcement actions for violations of COPPA. A court can hold operators liable for civil penalties of up to $16,000 per violation. The largest COPPA fine obtained by the FTC is $3 million.

*Privacy 101 is freely accessed above; however, these brief summaries of three laws are just an introduction. Indicium encourages organizations to deepen their privacy knowledge and practices.

**The Privacy Compendium is available as a paid subscription. For more information on the Privacy Compendium and other Indicium services, click here.