Skip to main content


California-Specific Privacy Laws

June 26, 2019 3353

Checks and Credit Cards

Credit Card or Check Payment – Civil Code sections 1725 and 1747.08

Any person accepting a check in payment for most goods or services at retail is prohibited from recording a purchaser’s credit card number or requiring that a credit card be shown as a condition of accepting the check (Section 1725). Any person accepting a credit card in payment for most goods or services is prohibited from writing the cardholder’s personal information on forms associated with the transaction (Section 1747.08).

Credit/Debit Card Number Truncation – Civil Code section 1747.09

No more than the last five digits of a credit card or debit card number may be printed on the customer copy of electronically printed receipts.

Social Security Numbers

Social Security Number Confidentiality – Civil Code sections 1798.85

This law restricts businesses and state and local agencies from publicly posting or displaying Social Security numbers (SSN). It also bans embedding SSNs on a card or document using a bar code, chip, magnetic strip or other technology, in place of removing the number as required by law. Businesses also may not require individuals to transmit SSNs over the internet unless the connection is secure. It is also unlawful to print an individual’s SSN on any material mailed to an individual, unless required by state or federal law.

Social Security Number Truncation on Pay Stubs – Labor Code section 226(a)(7)

This law requires employers to print no more than the last four digits of an employee’s SSN or to use an employee ID number other than the SSN on employee pay stubs or itemized statements.

Disposal of Customer Records – Civil Code sections 1798.80 - 1798.81

These sections require businesses to shred, erase or otherwise modify the personal information when disposing of customer records under their control.

Electronic Eavesdropping – Penal Code sections 630-638

Among other things, this law prohibits, with exceptions, electronic eavesdropping on or recording of private communications by telephone, radio telephone, cellular radio telephone, cable or any other device or in any other manner. Violation can result in penalties of up to $10,000 and imprisonment in county jail or state prison for up to one year (sections 631-632.7).

Information-Sharing Disclosure, “Shine the Light” – Civil Code sections 1798.83.

This law lets consumers learn how their personal information is shared by companies for marketing purposes and encourages businesses to let their customers opt out of such information sharing. In response to a customer request, a business must provide either: 1) a list of the categories of personal information disclosed to other companies for their marketing purposes during the preceding calendar year, with the names and addresses of those companies, OR 2) a privacy statement giving the customer a cost- free opportunity to opt out of such information sharing. Financial services companies subject to the California Financial Information Privacy Act are exempt from this law.

Security of Personal Information – Civil Code section 1798.81.5, 1798.82.

This law requires specified businesses to use safeguards to ensure the security of Californians’ personal information (defined as name plus SSN, driver’s license/state ID, financial account number, medical information, health insurance information, information or data collected through the use or operation of an automated license plate recognition system and username or email address in combination with a password to an online account) and to contractually require third parties to do the same. Section 1798.82 requires businesses to notify individuals when their personal information has been, or is believed to have been, accessed by an unauthorized individual. If over 500 individuals are affected by a breach, notification to the California attorney general and local media is also required.

Website Privacy – California Online Privacy Protection Act (CalOPPA) – Business and Professions Code sections 22575-22579

CalOPPA requires an operator of a commercial website that collects personally identifiable information (PII) about California residents to conspicuously post its privacy statement. The statement must do the following:

  • Identify the categories of PII collected and identify any third parties with whom it might be shared.
  • If there is a process for an individual site visitor to review and request changes to any of his or her PII, provide a description of that process.
  • Describe the process by which visitors will be notified of material changes to the statement.
  • Identify the effective date.
  • Disclose how the website responds to browser “do not track” signals (details below).
  • Disclose whether other parties may collect PII about an individual’s online activities over time and across different websites.

As of Jan. 1, 2014, CalOPPA requires any operator of a commercial website or mobile application that collects the personally identifiable information (PII) of California residents to disclose how the website responds to “do not track” (DNT) browser signals.

Most of the major web browsers now offer a DNT service, which users can enable via the browser or mobile device’s settings. When enabled, the mechanism sends a signal to visited websites letting it know that the user does not wish to be tracked over time and across third party sites. In other words, DNT signals let websites know that users do not wish to receive targeted advertisements based on their prior online activity.

CalOPPA does not prohibit online tracking and does not outline how websites should respond to DNT signals. It simply requires that websites that collect PII inform consumers of whether or not they honor DNT signals.

Dental practices should determine whether CalOPPA applies to their website. Dentists can do this by figuring out if their website collects consumer PII. Consumer PII is information about an individual consumer collected online by the website operator and maintained by the operator in an accessible form, including any of the following:

  • First and last name.
  • Home or other physical address, including street name and name of a city or town.
  • Email address.
  • Telephone number.
  • Social Security number.
  • Other identifier that permits the physical or online contacting of a specific individual.

Second, if the website does collect PII, how does it respond to DNT signals? Practices should work with their IT provider and/or website vendor for the answer to this question. Again, CalOPPA does not prohibit online tracking, it simply requires website operators to be transparent about how their sites respond to DNT signals.

The attorney general’s guidance, “Making Your Privacy Practices Public: Recommendations on Developing a Meaningful Privacy Policy,” provides background on CalOPPA, clarifies its applicability and recommends best practices for updating website privacy policies to comply with the requirements of AB 370. The document addresses general best practices regarding readability, data use and sharing, individual choice and access and accountability.

More specifically, the guidance addresses best practices for disclosing a website’s online tracking practices. Recommendations include:

  • Make it easy for a consumer to find the section of the policy that describes how the site responds to DNT signals (for example, using a header such as “Online Tracking” or “California Do Not Track Disclosures”).
  • Describe how the website responds to a browser that has turned on DNT signals or other such mechanisms.
  • State whether other parties are or may be collecting the PII of consumers while they are on the website.

The California Attorney General has been active in investigating and enforcing penalties against companies with commercial websites or apps that have nonexistent, inadequate or misleading online privacy policies. A dental practice would be in violation of AB370 if they fail to post their tracking practices within 30 days of being notified of noncompliance.