On November 3, 2020, Californians voted to approve Proposition 24, the California Privacy Rights Act (CPRA), which expands the definition of personal information under California law to include almost all data elements that could potentially identify a California resident. It also provides consumers the right to request access to their personal information, requests that businesses delete their personal information, and provides the right to opt-out of businesses selling their personal information to third parties. The substantive portions of the law are effective on January 1, 2023. CPRA only applies to businesses that generate $25+ million in annual revenue, and protected health information (PHI) as defined by HIPAA is exempt from the requirements. However, the information collected by a dental practice that is not PHI would still be under the purview of CPRA.
Credit Card or Check Payment – Civil Code sections 1725 and 1747.08. Any person accepting a check in payment for most goods or services at retail is prohibited from recording a purchaser’s credit card number or requiring that a credit card be shown as a condition of accepting the check (Section 1725). Any person accepting a credit card in payment for most goods or services is prohibited from writing the cardholder’s personal information on forms associated with the transaction (Section 1747.08).
Credit/Debit Card Number Truncation – Civil Code section 1747.09. No more than the last five digits of a credit card or debit card number may be printed on the customer's copy of electronically printed receipts.
No more than the last five digits of a credit card or debit card number may be printed on the customer's copy of electronically printed receipts.
Social Security Number Confidentiality – Civil Code sections 1798.85.
This law restricts businesses and state and local agencies from publicly posting or displaying Social Security numbers (SSN). It also bans embedding SSNs on a card or document using a bar code, chip, magnetic strip, or other technology, in place of removing the number as required by law. Businesses also may not require individuals to transmit SSNs over the internet unless the connection is secure, or require an individual to use their social security number to access a website. It is also unlawful to print an individual’s SSN on any material mailed to an individual unless required by state or federal law.
Social Security Number Truncation on Pay Stubs – Labor Code section 226(a)(7).
This law requires employers to print no more than the last four digits of an employee’s SSN or to use an employee ID number other than the SSN on employee pay stubs or itemized statements.
Disposal of Customer Records – Civil Code sections 1798.80 - 1798.81.
These sections require businesses to shred, erase or otherwise modify the personal information when disposing of customer records under their control.
Electronic Eavesdropping – Penal Code sections 630-638.
Among other things, this law prohibits, with exceptions, electronic eavesdropping on or recording of private communications by telephone, radiotelephone, cellular radiotelephone, cable, or any other device or in any other manner. Violation can result in penalties of up to $10,000 and imprisonment in county jail or state prison for up to one year (sections 631-632.7).
Information-Sharing Disclosure, “Shine the Light” – Civil Code sections 1798.83.
Security of Personal Information – Civil Code section 1798.81.5, 1798.82.
This law requires specified businesses to use safeguards to ensure the security of Californians’ personal information (defined as name plus SSN, driver’s license/state ID, financial account number, medical information, health insurance information, information or data collected through the use or operation of an automated license plate recognition system and username or email address in combination with a password to an online account) and to contractually require third parties to do the same. Section 1798.82 requires businesses to notify individuals when their personal information has been or is believed to have been, accessed by an unauthorized individual. If over 500 individuals are affected by a breach, notification to the California attorney general and local media is also required. These requirements do not apply to healthcare providers who are HIPAA-covered entities and are in compliance with the HIPAA privacy and security rules.
Website Privacy – California Online Privacy Protection Act (CalOPPA) – Business and Professions Code sections 22575-22579. CalOPPA requires an operator of a commercial website that collects personally identifiable information (PII) about California residents to conspicuously post its privacy statement. The statement must do the following:
CalOPPA requires any operator of a commercial website or mobile application that collects the personally identifiable information (PII) of California residents to disclose how the website responds to “do not track” (DNT) browser signals.
Most of the major web browsers now offer a DNT service, which users can enable via the browser or mobile device’s settings. When enabled, the mechanism sends a signal to visited websites letting it know that the user does not wish to be tracked over time and across third-party sites. In other words, DNT signals let websites know that users do not wish to receive targeted advertisements based on their prior online activity.
CalOPPA does not prohibit online tracking and does not outline how websites should respond to DNT signals. It simply requires that websites that collect PII inform consumers of whether or not they honor DNT signals.
Dental practices should determine whether CalOPPA applies to their website. Dentists can do this by figuring out if their website collects consumer PII. Consumer PII is information about an individual consumer collected online by the website operator and maintained by the operator in an accessible form, including any of the following:
Second, if the website does collect PII, how does it respond to DNT signals? Practices should work with their IT provider and/or website vendor for the answer to this question. Again, CalOPPA does not prohibit online tracking, it simply requires website operators to be transparent about how their sites respond to DNT signals.
More specifically, the guidance addresses best practices for disclosing a website’s online tracking practices. Recommendations include:
The California Attorney General has been active in investigating and enforcing penalties against companies with commercial websites or apps that have nonexistent, inadequate, or misleading online privacy policies. A dental practice would be in violation if they fail to post their tracking practices within 30 days of being notified of noncompliance.
The attorney general’s guidance can be found at https://www.oag.ca.gov/privacy/business-privacy.
Source: Office of the California Attorney General – Privacy Enforcement and Protection
Already a CDA Member?
to keep exploring our resource library.
Learn more about CDA Member Benefits.
Go back to the previous page.