Any person accepting a check in payment for most goods or services at retail is prohibited from recording a purchaser’s credit card number or requiring that a credit card be shown as a condition of accepting the check (Section 1725). Any person accepting a credit card in payment for most goods or services is prohibited from writing the cardholder’s personal information on forms associated with the transaction (Section 1747.08).
No more than the last five digits of a credit card or debit card number may be printed on the customer copy of electronically printed receipts.
This law restricts businesses and state and local agencies from publicly posting or displaying Social Security numbers (SSN). It also bans embedding SSNs on a card or document using a bar code, chip, magnetic strip or other technology, in place of removing the number as required by law. Businesses also may not require individuals to transmit SSNs over the internet unless the connection is secure. It is also unlawful to print an individual’s SSN on any material mailed to an individual, unless required by state or federal law.
This law requires employers to print no more than the last four digits of an employee’s SSN or to use an employee ID number other than the SSN on employee pay stubs or itemized statements.
These sections require businesses to shred, erase or otherwise modify the personal information when disposing of customer records under their control.
Among other things, this law prohibits, with exceptions, electronic eavesdropping on or recording of private communications by telephone, radio telephone, cellular radio telephone, cable or any other device or in any other manner. Violation can result in penalties of up to $10,000 and imprisonment in county jail or state prison for up to one year (sections 631-632.7).
This law lets consumers learn how their personal information is shared by companies for marketing purposes and encourages businesses to let their customers opt out of such information sharing. In response to a customer request, a business must provide either: 1) a list of the categories of personal information disclosed to other companies for their marketing purposes during the preceding calendar year, with the names and addresses of those companies, OR 2) a privacy statement giving the customer a cost- free opportunity to opt out of such information sharing. Financial services companies subject to the California Financial Information Privacy Act are exempt from this law.
This law requires specified businesses to use safeguards to ensure the security of Californians’ personal information (defined as name plus SSN, driver’s license/state ID, financial account number, medical information, health insurance information, information or data collected through the use or operation of an automated license plate recognition system and username or email address in combination with a password to an online account) and to contractually require third parties to do the same. Section 1798.82 requires businesses to notify individuals when their personal information has been, or is believed to have been, accessed by an unauthorized individual. If over 500 individuals are affected by a breach, notification to the California attorney general and local media is also required.
CalOPPA requires an operator of a commercial website that collects personally identifiable information (PII) about California residents to conspicuously post its privacy statement. The statement must do the following:
As of Jan. 1, 2014, CalOPPA requires any operator of a commercial website or mobile application that collects the personally identifiable information (PII) of California residents to disclose how the website responds to “do not track” (DNT) browser signals.
Most of the major web browsers now offer a DNT service, which users can enable via the browser or mobile device’s settings. When enabled, the mechanism sends a signal to visited websites letting it know that the user does not wish to be tracked over time and across third party sites. In other words, DNT signals let websites know that users do not wish to receive targeted advertisements based on their prior online activity.
CalOPPA does not prohibit online tracking and does not outline how websites should respond to DNT signals. It simply requires that websites that collect PII inform consumers of whether or not they honor DNT signals.
Dental practices should determine whether CalOPPA applies to their website. Dentists can do this by figuring out if their website collects consumer PII. Consumer PII is information about an individual consumer collected online by the website operator and maintained by the operator in an accessible form, including any of the following:
Second, if the website does collect PII, how does it respond to DNT signals? Practices should work with their IT provider and/or website vendor for the answer to this question. Again, CalOPPA does not prohibit online tracking, it simply requires website operators to be transparent about how their sites respond to DNT signals.
More specifically, the guidance addresses best practices for disclosing a website’s online tracking practices. Recommendations include:
The California Attorney General has been active in investigating and enforcing penalties against companies with commercial websites or apps that have nonexistent, inadequate or misleading online privacy policies. A dental practice would be in violation of AB370 if they fail to post their tracking practices within 30 days of being notified of noncompliance.