California-Specific Privacy Laws

June 13, 2023

California Privacy Rights Act

On November 3, 2020, Californians voted to approve Proposition 24, the California Privacy Rights Act (CPRA), which expands the definition of personal information under California law to include almost all data elements that could potentially identify a California resident. It also gives consumers the right to request access to their personal information, to request that businesses delete their personal information, and to opt out of businesses selling or sharing their personal information with third parties. The substantive portions of the law became effective January 1, 2023. CPRA only applies to businesses that generate $25+ million in annual revenue, and protected health information (PHI) as defined by HIPAA is exempt from its requirements; however, information collected by a dental practice that is not PHI would still be subject to CPRA.

Checks and Credit Cards

Credit Card or Check Payment – Civil Code sections 1725 and 1747.08. Any person accepting a check in payment for most goods or services at retail is prohibited from recording a purchaser’s credit card number or requiring that a credit card be shown as a condition of accepting the check (Section 1725). Any person accepting a credit card in payment for most goods or services is prohibited from writing the cardholder’s personal information on forms associated with the transaction (Section 1747.08).

Credit/Debit Card Number Truncation – Civil Code section 1747.09. No more than the last five digits of a credit card or debit card number may be printed on the customer copy of electronically printed receipts.

Social Security Numbers

Social Security Number Confidentiality – Civil Code section 1798.85. This law restricts businesses and state and local agencies from publicly posting or displaying Social Security numbers (SSNs). It also bans embedding SSNs on a card or document using a bar code, chip, magnetic stripe or other technology in place of removing the number as required by law. Businesses also may not require individuals to transmit SSNs over the internet unless the connection is secure, or require an individual to use their SSN to access a website. It is also unlawful to print an individual’s SSN on any material mailed to an individual, unless required by state or federal law.

Social Security Number Truncation on Pay Stubs – Labor Code section 226(a)(7). This law requires employers to print no more than the last four digits of an employee’s SSN or to use an employee ID number other than the SSN on employee pay stubs or itemized statements.

Disposal of Customer Records – Civil Code sections 1798.80 - 1798.81. These sections require businesses to shred, erase or otherwise modify personal information when disposing of customer records under their control.

Electronic Eavesdropping – Penal Code sections 630-638. Among other things, this law prohibits, with exceptions, electronic eavesdropping on or recording of private communications by telephone, radio telephone, cellular radio telephone, cable or any other device or in any other manner. Violation can result in penalties of up to $10,000 and imprisonment in county jail or state prison for up to one year (sections 631-632.7).

Information-Sharing Disclosure, “Shine the Light” – Civil Code section 1798.83. This law lets consumers learn how their personal information is shared by companies for marketing purposes and encourages businesses to let their customers opt out of such information sharing. In response to a customer request, a business must provide either: 1) a list of the categories of personal information disclosed to other companies for their marketing purposes during the preceding calendar year, with the names and addresses of those companies, OR 2) a privacy statement giving the customer a cost-free opportunity to opt out of such information sharing. Businesses must also add to the home page of their website a link either to a page titled “Your Privacy Rights” or add the words “Your Privacy Rights” to the home page’s link to the business’s privacy policy. If the business elects to add the words “Your Privacy Rights” to the link to the business’s privacy policy, the words “Your Privacy Rights” shall be in the same style and size as the link to the business’s privacy policy. If the business does not display a link to its privacy policy on the home page of its website, or does not have a privacy policy, the words “Your Privacy Rights” shall be written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language. The first page of the link shall describe a customer’s rights pursuant to this section and shall provide the designated mailing address, e-mail address, as required, or toll-free telephone number or facsimile number, as appropriate.
If the business elects to add the words “Your California Privacy Rights” to the home page’s link to the business’s privacy policy in a manner that complies with this subdivision, and the first page of the link describes a customer’s rights pursuant to this section, and provides the designated mailing address, electronic mailing address, as required, or toll-free telephone or facsimile number, as appropriate, the business need not respond to requests that are not received at one of the designated addresses or numbers. Financial services companies subject to the California Financial Information Privacy Act are exempt from this law.

Security of Personal Information – Civil Code sections 1798.81.5 and 1798.82. This law requires specified businesses to use safeguards to ensure the security of Californians’ personal information (defined as name plus SSN, driver’s license/state ID, financial account number, medical information, health insurance information, information or data collected through the use or operation of an automated license plate recognition system, or username or email address in combination with a password to an online account) and to contractually require third parties to do the same. Section 1798.82 requires businesses to notify individuals when their personal information has been, or is believed to have been, accessed by an unauthorized individual. If over 500 individuals are affected by a breach, notification to the California attorney general and local media is also required. These requirements do not apply to healthcare providers who are HIPAA-covered entities and are in compliance with the HIPAA privacy and security rules.

Website Privacy – California Online Privacy Protection Act (CalOPPA) – Business and Professions Code sections 22575-22579. CalOPPA requires an operator of a commercial website that collects personally identifiable information (PII) about California residents to conspicuously post its privacy statement. The statement must do the following:

  • Identify the categories of PII collected and identify any third parties with whom it might be shared.
  • If there is a process for an individual site visitor to review and request changes to any of his or her PII, provide a description of that process.
  • Describe the process by which visitors will be notified of material changes to the statement.
  • Identify the effective date.
  • Disclose how the website responds to browser “do not track” signals (details below).
  • Disclose whether other parties may collect PII about an individual’s online activities over time and across different websites.

CalOPPA requires any operator of a commercial website or mobile application that collects the personally identifiable information (PII) of California residents to disclose how the website responds to “do not track” (DNT) browser signals.

Most of the major web browsers now offer a DNT setting, which users can enable via the browser or mobile device’s settings. When enabled, the mechanism sends a signal to visited websites letting them know that the user does not wish to be tracked over time and across third-party sites. In other words, DNT signals let websites know that users do not wish to receive targeted advertisements based on their prior online activity.

CalOPPA does not prohibit online tracking and does not outline how websites should respond to DNT signals. It simply requires that websites that collect PII inform consumers of whether or not they honor DNT signals.
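The DNT signal described above reaches a site in two places: as a `DNT` request header on the server and as `navigator.doNotTrack` in the browser. The following is an added example, not part of the original article or of any California guidance, showing how a site can read the signal on both ends and then audit its own traffic against whichever response it disclosed in its privacy policy. It assumes Node.js with plain header objects (no web framework); the `policy` values `'honor'` and `'ignore'` are names chosen for this example.

```javascript
// Added example (not from the original page): reading the browser's Do Not
// Track signal and checking that actual behaviour matches the disclosed policy.
// Assumption: Node.js, header names already lower-cased as Node does for
// incoming requests. The DNT value is "1" (user opts out of tracking),
// "0" (user consents) or absent (no preference expressed).

// Normalize a raw DNT value (header or navigator property) into a tri-state.
function parseDnt(raw) {
  if (raw === undefined || raw === null) return 'unset';
  const v = String(raw).trim().toLowerCase();
  if (v === '1' || v === 'yes') return 'opt-out';
  if (v === '0' || v === 'no') return 'consent';
  return 'unset'; // unrecognised values are treated as no preference
}

// Server side: the browser sends the signal as the "DNT" request header.
function dntFromHeaders(headers) {
  return parseDnt(headers['dnt']);
}

// Browser side: modern browsers expose navigator.doNotTrack; older Internet
// Explorer used navigator.msDoNotTrack. A navigator-like object is passed in
// so the function can be exercised outside a browser.
function dntFromNavigator(nav) {
  const raw = nav.doNotTrack !== undefined ? nav.doNotTrack : nav.msDoNotTrack;
  return parseDnt(raw);
}

// The operator's disclosed response to DNT, as its privacy statement describes
// it. 'honor' suppresses third-party tracking when the user opted out; 'ignore'
// leaves behaviour unchanged. CalOPPA permits either, as long as the policy
// says which one applies. (Policy names are this example's own.)
function trackingAllowed(headers, policy) {
  const signal = dntFromHeaders(headers);
  if (policy === 'honor') return signal !== 'opt-out';
  if (policy === 'ignore') return true;
  throw new Error(`unknown DNT policy: ${policy}`);
}

// Audit helper: given sampled requests annotated with whether tracking scripts
// were actually loaded, return the ids where behaviour contradicts the
// disclosed policy (for 'honor': trackers loaded although DNT was "1").
function auditRequests(requests, policy) {
  return requests
    .filter((r) => r.trackersLoaded && !trackingAllowed(r.headers, policy))
    .map((r) => r.id);
}

// Constructed sample requests for illustration; not real traffic.
const SAMPLE_REQUESTS = [
  { id: 'r1', headers: { dnt: '1', 'user-agent': 'example' }, trackersLoaded: true },
  { id: 'r2', headers: { dnt: '0' }, trackersLoaded: true },
  { id: 'r3', headers: {}, trackersLoaded: true },
  { id: 'r4', headers: { dnt: '1' }, trackersLoaded: false },
];

// Under an 'honor' policy only r1 is a mismatch; under 'ignore' nothing is.
console.log('honor mismatches:', auditRequests(SAMPLE_REQUESTS, 'honor'));
console.log('ignore mismatches:', auditRequests(SAMPLE_REQUESTS, 'ignore'));
```

The audit function is the useful part for a practice reviewing its vendor's work: the privacy statement's DNT disclosure is only accurate if pages served with `DNT: 1` behave the way the statement says, and sampling real requests against the stated policy is how to confirm that before the statement is published.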

Dental practices should determine whether CalOPPA applies to their website. First, does the website collect consumer PII? Consumer PII is information about an individual consumer collected online by the website operator and maintained by the operator in an accessible form, including any of the following:

  • First and last name.
  • Home or other physical address, including street name and name of a city or town.
  • Email address.
  • Telephone number.
  • Social Security number.
  • Other identifier that permits the physical or online contacting of a specific individual.

Second, if the website does collect PII, how does it respond to DNT signals? Practices should work with their IT provider and/or website vendor for the answer to this question. Again, CalOPPA does not prohibit online tracking; it simply requires website operators to be transparent about how their sites respond to DNT signals.

The attorney general’s guidance, “Making Your Privacy Practices Public: Recommendations on Developing a Meaningful Privacy Policy,” provides background on CalOPPA, clarifies its applicability and recommends best practices for updating website privacy policies. The document addresses general best practices regarding readability, data use and sharing, individual choice and access and accountability.

More specifically, the guidance addresses best practices for disclosing a website’s online tracking practices. Recommendations include:

  • Make it easy for a consumer to find the section of the policy that describes how the site responds to DNT signals (for example, using a header such as “Online Tracking” or “California Do Not Track Disclosures”).
  • Describe how the website responds to a browser that has turned on DNT signals or other such mechanisms.
  • State whether other parties are or may be collecting the PII of consumers while they are on the website.

The California Attorney General has been active in investigating and enforcing penalties against companies with commercial websites or apps that have nonexistent, inadequate or misleading online privacy policies. A dental practice would be in violation if it fails to post its tracking practices within 30 days of being notified of noncompliance.

The attorney general’s guidance can be found at https://www.oag.ca.gov/privacy/business-privacy.

Source: Office of the California Attorney General – Privacy Enforcement and Protection