California Privacy Rights Act
On November 3, 2020, Californians voted to approve Proposition 24, the California Privacy Rights Act (CPRA), which expands the definition of personal information under California law to include almost all data elements that could potentially identify a California resident. It also provides consumers the right to request access to their personal information, requests that businesses delete their personal information, and provides the right to opt-out of businesses selling their personal information to third parties. The substantive portions of the law are effective on January 1, 2023. CPRA only applies to businesses that generate $25+ million in annual revenue, and protected health information (PHI) as defined by HIPAA is exempt from the requirements. However, the information collected by a dental practice that is not PHI would still be under the purview of CPRA.
Checks and Credit Cards
Credit Card or Check Payment – Civil Code sections 1725 and 1747.08. Any person accepting a check in payment for most goods or services at retail is prohibited from recording a purchaser’s credit card number or requiring that a credit card be shown as a condition of accepting the check (Section 1725). Any person accepting a credit card in payment for most goods or services is prohibited from writing the cardholder’s personal information on forms associated with the transaction (Section 1747.08).
Credit/Debit Card Number Truncation – Civil Code section 1747.09. No more than the last five digits of a credit card or debit card number may be printed on the customer's copy of electronically printed receipts.
No more than the last five digits of a credit card or debit card number may be printed on the customer's copy of electronically printed receipts.
Social Security Numbers
Social Security Number Confidentiality – Civil Code sections 1798.85.
This law restricts businesses and state and local agencies from publicly posting or displaying Social Security numbers (SSN). It also bans embedding SSNs on a card or document using a bar code, chip, magnetic strip, or other technology, in place of removing the number as required by law. Businesses also may not require individuals to transmit SSNs over the internet unless the connection is secure, or require an individual to use their social security number to access a website. It is also unlawful to print an individual’s SSN on any material mailed to an individual unless required by state or federal law.
Social Security Number Truncation on Pay Stubs – Labor Code section 226(a)(7).
This law requires employers to print no more than the last four digits of an employee’s SSN or to use an employee ID number other than the SSN on employee pay stubs or itemized statements.
Disposal of Customer Records – Civil Code sections 1798.80 - 1798.81.
These sections require businesses to shred, erase or otherwise modify the personal information when disposing of customer records under their control.
Electronic Eavesdropping – Penal Code sections 630-638.
Among other things, this law prohibits, with exceptions, electronic eavesdropping on or recording of private communications by telephone, radiotelephone, cellular radiotelephone, cable, or any other device or in any other manner. Violation can result in penalties of up to $10,000 and imprisonment in county jail or state prison for up to one year (sections 631-632.7).
Information-Sharing Disclosure, “Shine the Light” – Civil Code sections 1798.83.
Security of Personal Information – Civil Code section 1798.81.5, 1798.82.
This law requires specified businesses to use safeguards to ensure the security of Californians’ personal information (defined as name plus SSN, driver’s license/state ID, financial account number, medical information, health insurance information, information or data collected through the use or operation of an automated license plate recognition system and username or email address in combination with a password to an online account) and to contractually require third parties to do the same. Section 1798.82 requires businesses to notify individuals when their personal information has been or is believed to have been, accessed by an unauthorized individual. If over 500 individuals are affected by a breach, notification to the California attorney general and local media is also required. These requirements do not apply to healthcare providers who are HIPAA-covered entities and are in compliance with the HIPAA privacy and security rules.
Website Privacy – California Online Privacy Protection Act (CalOPPA) – Business and Professions Code sections 22575-22579. CalOPPA requires an operator of a commercial website that collects personally identifiable information (PII) about California residents to conspicuously post its privacy statement. The statement must do the following:
- Identify the categories of PII collected and identify any third parties with whom it might be shared.
- If there is a process for an individual site visitor to review and request changes to any of his or her PII, provide a description of that process.
- Describe the process by which visitors will be notified of material changes to the statement.
- Identify the effective date.
- Disclose how the website responds to browser “do not track” signals (details below).
- Disclose whether other parties may collect PII about an individual’s online activities over time and across different websites.
CalOPPA requires any operator of a commercial website or mobile application that collects the personally identifiable information (PII) of California residents to disclose how the website responds to “do not track” (DNT) browser signals.
Most of the major web browsers now offer a DNT service, which users can enable via the browser or mobile device’s settings. When enabled, the mechanism sends a signal to visited websites letting it know that the user does not wish to be tracked over time and across third-party sites. In other words, DNT signals let websites know that users do not wish to receive targeted advertisements based on their prior online activity.
CalOPPA does not prohibit online tracking and does not outline how websites should respond to DNT signals. It simply requires that websites that collect PII inform consumers of whether or not they honor DNT signals.
Dental practices should determine whether CalOPPA applies to their website. Dentists can do this by figuring out if their website collects consumer PII. Consumer PII is information about an individual consumer collected online by the website operator and maintained by the operator in an accessible form, including any of the following:
- First and last name.
- Home or other physical address, including street name and name of a city or town.
- Email address.
- Telephone number.
- Social Security number.
- Another identifier that permits the physical or online contact of a specific individual.
Second, if the website does collect PII, how does it respond to DNT signals? Practices should work with their IT provider and/or website vendor for the answer to this question. Again, CalOPPA does not prohibit online tracking, it simply requires website operators to be transparent about how their sites respond to DNT signals.
More specifically, the guidance addresses best practices for disclosing a website’s online tracking practices. Recommendations include:
- Make it easy for a consumer to find the section of the policy that describes how the site responds to DNT signals (for example, using a header such as “Online Tracking” or “California Do Not Track Disclosures”).
- Describe how the website responds to a browser that has turned on DNT signals or other such mechanisms.
- State whether other parties are or may be collecting the PII of consumers while they are on the website.
The California Attorney General has been active in investigating and enforcing penalties against companies with commercial websites or apps that have nonexistent, inadequate, or misleading online privacy policies. A dental practice would be in violation if they fail to post their tracking practices within 30 days of being notified of noncompliance.
The attorney general’s guidance can be found at https://www.oag.ca.gov/privacy/business-privacy.
Source: Office of the California Attorney General – Privacy Enforcement and Protection