New privacy laws go into effect with New Year

Two new laws regarding data breach notification and information privacy go into effect with the New Year.  

The first, SB 46, expands the definition of “personal information” that triggers a data breach notification. The other, AB 370, requires disclosure of how a commercial website responds to “do not track” browser signals.

Existing law requires businesses to notify any California residents of a breach of their computerized, unencrypted personal information. Personal information is defined as an individual’s first name or first initial, in combination with his or her last name, and one or more of the following data elements:

  • social security number;
  • driver’s license number or California identification card number;
  • account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
  • medical information;
  • health insurance information.

SB 46 expands that definition to include “a user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.” This might be relevant for dental practices with websites that offer patient portals or patient-only access, where a patient could register for and log in to the site with an email address or username and a password. Electronic notification of the breach of an online account is permissible, unless an individual’s email account was breached. In that case, notice should not be sent to that email address, but rather via another method prescribed by law.

The other privacy-related law, AB 370, requires any operator of a commercial website that collects the personally identifiable information of California residents to disclose how the website responds to “do not track” browser signals.

The law does not prohibit websites from tracking visitors, but requires that operators include in their website privacy policy whether the site honors or ignores “do not track” browser signals. A dental practice would be in violation of the requirement only if it fails to disclose the information within 30 days of being notified of noncompliance.

Dental practices that operate a website that collects any personally identifiable information of California residents should consult their IT professional to determine how the site responds to “do not track” browser signals, and amend the website privacy policy accordingly.

Revised on 11/8/13