California legislation regulates privacy and personal information in ways similar to the new 2009 HITECH Act that modifies HIPAA.
Reads section 1798.82 of the California Civil Code:
(a) Any person or business that conducts business in
California, and that owns or licenses computerized data that includes
personal information, shall disclose any breach of the security of
the system following discovery or notification of the breach in the
security of the data to any resident of California whose unencrypted
personal information was, or is reasonably believed to have been,
acquired by an unauthorized person. The disclosure shall be made in
the most expedient time possible and without unreasonable delay,
consistent with the legitimate needs of law enforcement, as provided
in subdivision (c), or any measures necessary to determine the scope
of the breach and restore the reasonable integrity of the data
system.
(b) Any person or business that maintains computerized data that
includes personal information that the person or business does not
own shall notify the owner or licensee of the information of any
breach of the security of the data immediately following discovery,
if the personal information was, or is reasonably believed to have
been, acquired by an unauthorized person.
(c) The notification required by this section may be delayed if a
law enforcement agency determines that the notification will impede a
criminal investigation. The notification required by this section
shall be made after the law enforcement agency determines that it
will not compromise the investigation.
(d) For purposes of this section, "breach of the security of the
system" means unauthorized acquisition of computerized data that
compromises the security, confidentiality, or integrity of personal
information maintained by the person or business. Good faith
acquisition of personal information by an employee or agent of the
person or business for the purposes of the person or business is not
a breach of the security of the system, provided that the personal
information is not used or subject to further unauthorized
disclosure.
(e) For purposes of this section, "personal information" means an
individual’s first name or first initial and last name in combination
with any one or more of the following data elements, when either the
name or the data elements are not encrypted:
(1) Social security number.
(2) Driver’s license number or California Identification Card
number.
(3) Account number, credit or debit card number, in combination
with any required security code, access code, or password that would
permit access to an individual’s financial account.
(4) Medical information.
(5) Health insurance information.
(f) (1) For purposes of this section, "personal information" does
not include publicly available information that is lawfully made
available to the general public from federal, state, or local
government records.
(2) For purposes of this section, "medical information" means any
information regarding an individual’s medical history, mental or
physical condition, or medical treatment or diagnosis by a health
care professional.
(3) For purposes of this section, "health insurance information"
means an individual’s health insurance policy number or subscriber
identification number, any unique identifier used by a health insurer
to identify the individual, or any information in an individual’s
application and claims history, including any appeals records.
(g) For purposes of this section, "notice" may be provided by one
of the following methods:
(1) Written notice.
(2) Electronic notice, if the notice provided is consistent with
the provisions regarding electronic records and signatures set forth
in Section 7001 of Title 15 of the United States Code.
(3) Substitute notice, if the person or business demonstrates that
the cost of providing notice would exceed two hundred fifty thousand
dollars ($250,000), or that the affected class of subject persons to
be notified exceeds 500,000, or the person or business does not have
sufficient contact information. Substitute notice shall consist of
all of the following:
(A) E-mail notice when the person or business has an e-mail
address for the subject persons.
(B) Conspicuous posting of the notice on the Web site page of the
person or business, if the person or business maintains one.
(C) Notification to major statewide media.
(h) Notwithstanding subdivision (g), a person or business that
maintains its own notification procedures as part of an information
security policy for the treatment of personal information and is
otherwise consistent with the timing requirements of this part, shall
be deemed to be in compliance with the notification requirements of
this section if the person or business notifies subject persons in
accordance with its policies in the event of a breach of security of
the system.
This bears semblance to the HITECH Act’s provisions regarding notification of breaches.
1798.83 has provisions regarding disclosure of personal information to marketing companies, and relevant language must be inserted into a company’s online Privacy Policy:
a) Except as otherwise provided in subdivision (d), if a
business has an established business relationship with a customer and
has within the immediately preceding calendar year disclosed
personal information that corresponds to any of the categories of
personal information set forth in paragraph (6) of subdivision (e) to
third parties, and if the business knows or reasonably should know
that the third parties used the personal information for the third
parties’ direct marketing purposes, that business shall, after the
receipt of a written or electronic mail request, or, if the business
chooses to receive requests by toll-free telephone or facsimile
numbers, a telephone or facsimile request from the customer, provide
all of the following information to the customer free of charge:
(1) In writing or by electronic mail, a list of the categories set
forth in paragraph (6) of subdivision (e) that correspond to the
personal information disclosed by the business to third parties for
the third parties’ direct marketing purposes during the immediately
preceding calendar year.
(2) In writing or by electronic mail, the names and addresses of
all of the third parties that received personal information from the
business for the third parties’ direct marketing purposes during the
preceding calendar year and, if the nature of the third parties’
business cannot reasonably be determined from the third parties’
name, examples of the products or services marketed, if known to the
business, sufficient to give the customer a reasonable indication of
the nature of the third parties’ business.
(b) (1) A business required to comply with this section shall
designate a mailing address, electronic mail address, or, if the
business chooses to receive requests by telephone or facsimile, a
toll-free telephone or facsimile number, to which customers may
deliver requests pursuant to subdivision (a). A business required to
comply with this section shall, at its election, do at least one of
the following:
(A) Notify all agents and managers who directly supervise
employees who regularly have contact with customers of the designated
addresses or numbers or the means to obtain those addresses or
numbers and instruct those employees that customers who inquire about
the business’s privacy practices or the business’s compliance with
this section shall be informed of the designated addresses or numbers
or the means to obtain the addresses or numbers.
(B) Add to the home page of its Web site a link either to a page
titled "Your Privacy Rights" or add the words "Your Privacy Rights"
to the home page’s link to the business’s privacy policy. If the
business elects to add the words "Your Privacy Rights" to the link to
the business’s privacy policy, the words "Your Privacy Rights" shall
be in the same style and size as the link to the business’s privacy
policy. If the business does not display a link to its privacy policy
on the home page of its Web site, or does not have a privacy policy,
the words "Your Privacy Rights" shall be written in larger type than
the surrounding text, or in contrasting type, font, or color to the
surrounding text of the same size, or set off from the surrounding
text of the same size by symbols or other marks that call attention
to the language. The first page of the link shall describe a customer’
s rights pursuant to this section and shall provide the designated
mailing address, e-mail address, as required, or toll-free telephone
number or facsimile number, as appropriate. If the business elects to
add the words "Your California Privacy Rights" to the home page’s
link to the business’s privacy policy in a manner that complies with
this subdivision, and the first page of the link describes a customer’
s rights pursuant to this section, and provides the designated
mailing address, electronic mailing address, as required, or
toll-free telephone or facsimile number, as appropriate, the business
need not respond to requests that are not received at one of the
designated addresses or numbers.
(C) Make the designated addresses or numbers, or means to obtain
the designated addresses or numbers, readily available upon request
of a customer at every place of business in California where the
business or its agents regularly have contact with customers.
The response to a request pursuant to this section received at one
of the designated addresses or numbers shall be provided within 30
days. Requests received by the business at other than one of the
designated addresses or numbers shall be provided within a reasonable
period, in light of the circumstances related to how the request was
received, but not to exceed 150 days from the date received.
(2) A business that is required to comply with this section and
Section 6803 of Title 15 of the United States Code may comply with
this section by providing the customer the disclosure required by
Section 6803 of Title 15 of the United States Code, but only if the
disclosure also complies with this section.
(3) A business that is required to comply with this section is not
obligated to provide information associated with specific
individuals and may provide the information required by this section
in standardized format.
(c) (1) A business that is required to comply with this section is
not obligated to do so in response to a request from a customer more
than once during the course of any calendar year. A business with
fewer than 20 full-time or part-time employees is exempt from the
requirements of this section.
(2) If a business that is required to comply with this section
adopts and discloses to the public, in its privacy policy, a policy
of not disclosing personal information of customers to third parties
for the third parties’ direct marketing purposes unless the customer
first affirmatively agrees to that disclosure, or of not disclosing
the personal information of customers to third parties for the third
parties’ direct marketing purposes if the customer has exercised an
option that prevents that information from being disclosed to third
parties for those purposes, as long as the business maintains and
discloses the policies, the business may comply with subdivision (a)
by notifying the customer of his or her right to prevent disclosure
of personal information, and providing the customer with a cost-free
means to exercise that right.
(d) The following are among the disclosures not deemed to be
disclosures of personal information by a business for a third party’s
direct marketing purposes for purposes of this section:
(1) Disclosures between a business and a third party pursuant to
contracts or arrangements pertaining to any of the following:
(A) The processing, storage, management, or organization of
personal information, or the performance of services on behalf of the
business during which personal information is disclosed, if the
third party that processes, stores, manages, or organizes the
personal information does not use the information for a third party’s
direct marketing purposes and does not disclose the information to
additional third parties for their direct marketing purposes.
(B) Marketing products or services to customers with whom the
business has an established business relationship where, as a part of
the marketing, the business does not disclose personal information
to third parties for the third parties’ direct marketing purposes.
(C) Maintaining or servicing accounts, including credit accounts
and disclosures pertaining to the denial of applications for credit
or the status of applications for credit and processing bills or
insurance claims for payment.
(D) Public record information relating to the right, title, or
interest in real property or information relating to property
characteristics, as defined in Section 408.3 of the Revenue and
Taxation Code, obtained from a governmental agency or entity or from
a multiple listing service, as defined in Section 1087, and not
provided directly by the customer to a business in the course of an
established business relationship.
(E) Jointly offering a product or service pursuant to a written
agreement with the third party that receives the personal
information, provided that all of the following requirements are met:(i) The product or service offered is a product or service of, and
is provided by, at least one of the businesses that is a party to
the written agreement.
(ii) The product or service is jointly offered, endorsed, or
sponsored by, and clearly and conspicuously identifies for the
customer, the businesses that disclose and receive the disclosed
personal information.
(iii) The written agreement provides that the third party that
receives the personal information is required to maintain the
confidentiality of the information and is prohibited from disclosing
or using the information other than to carry out the joint offering
or servicing of a product or service that is the subject of the
written agreement.
(2) Disclosures to or from a consumer reporting agency of a
customer’s payment history or other information pertaining to
transactions or experiences between the business and a customer if
that information is to be reported in, or used to generate, a
consumer report as defined in subdivision (d) of Section 1681a of
Title 15 of the United States Code, and use of that information is
limited by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681
et seq.).
(3) Disclosures of personal information by a business to a third
party financial institution solely for the purpose of the business
obtaining payment for a transaction in which the customer paid the
business for goods or services with a check, credit card, charge
card, or debit card, if the customer seeks the information required
by subdivision (a) from the business obtaining payment, whether or
not the business obtaining payment knows or reasonably should know
that the third party financial institution has used the personal
information for its direct marketing purposes.
(4) Disclosures of personal information between a licensed agent
and its principal, if the personal information disclosed is necessary
to complete, effectuate, administer, or enforce transactions between
the principal and the agent, whether or not the licensed agent or
principal also uses the personal information for direct marketing
purposes, if that personal information is used by each of them solely
to market products and services directly to customers with whom both
have established business relationships as a result of the principal
and agent relationship.
(5) Disclosures of personal information between a financial
institution and a business that has a private label credit card,
affinity card, retail installment contract, or cobranded card program
with the financial institution, if the personal information
disclosed is necessary for the financial institution to maintain or
service accounts on behalf of the business with which it has a
private label credit card, affinity card, retail installment
contract, or cobranded card program, or to complete, effectuate,
administer, or enforce customer transactions or transactions between
the institution and the business, whether or not the institution or
the business also uses the personal information for direct marketing
purposes, if that personal information is used solely to market
products and services directly to customers with whom both the
business and the financial institution have established business
relationships as a result of the private label credit card, affinity
card, retail installment contract, or cobranded card program.
(e) For purposes of this section, the following terms have the
following meanings:
(1) "Customer" means an individual who is a resident of California
who provides personal information to a business during the creation
of, or throughout the duration of, an established business
relationship if the business relationship is primarily for personal,
family, or household purposes.
(2) "Direct marketing purposes" means the use of personal
information to solicit or induce a purchase, rental, lease, or
exchange of products, goods, property, or services directly to
individuals by means of the mail, telephone, or electronic mail for
their personal, family, or household purposes. The sale, rental,
exchange, or lease of personal information for consideration to
businesses is a direct marketing purpose of the business that sells,
rents, exchanges, or obtains consideration for the personal
information. "Direct marketing purposes" does not include the use of
personal information (A) by bona fide tax exempt charitable or
religious organizations to solicit charitable contributions, (B) to
raise funds from and communicate with individuals regarding politics
and government, (C) by a third party when the third party receives
personal information solely as a consequence of having obtained for
consideration permanent ownership of accounts that might contain
personal information, or (D) by a third party when the third party
receives personal information solely as a consequence of a single
transaction where, as a part of the transaction, personal information
had to be disclosed in order to effectuate the transaction.
(3) "Disclose" means to disclose, release, transfer, disseminate,
or otherwise communicate orally, in writing, or by electronic or any
other means to any third party.
(4) "Employees who regularly have contact with customers" means
employees whose contact with customers is not incidental to their
primary employment duties, and whose duties do not predominantly
involve ensuring the safety or health of the business’s customers. It
includes, but is not limited to, employees whose primary employment
duties are as cashier, clerk, customer service, sales, or promotion.
It does not, by way of example, include employees whose primary
employment duties consist of food or beverage preparation or service,
maintenance and repair of the business’s facilities or equipment,
direct involvement in the operation of a motor vehicle, aircraft,
watercraft, amusement ride, heavy machinery or similar equipment,
security, or participation in a theatrical, literary, musical,
artistic, or athletic performance or contest.
(5) "Established business relationship" means a relationship
formed by a voluntary, two-way communication between a business and a
customer, with or without an exchange of consideration, for the
purpose of purchasing, renting, or leasing real or personal property,
or any interest therein, or obtaining a product or service from the
business, if the relationship is ongoing and has not been expressly
terminated by the business or the customer, or if the relationship is
not ongoing, but is solely established by the purchase, rental, or
lease of real or personal property from a business, or the purchase
of a product or service, and no more than 18 months have elapsed from
the date of the purchase, rental, or lease.
(6) (A) The categories of personal information required to be
disclosed pursuant to paragraph (1) of subdivision (a) are all of the
following:
(i) Name and address.
(ii) Electronic mail address.
(iii) Age or date of birth.
(iv) Names of children.
(v) Electronic mail or other addresses of children.
(vi) Number of children.
(vii) The age or gender of children.
(viii) Height.
(ix) Weight.
(x) Race.
(xi) Religion.
(xii) Occupation.
(xiii) Telephone number.
(xiv) Education.
(xv) Political party affiliation.
(xvi) Medical condition.
(xvii) Drugs, therapies, or medical products or equipment used.
(xviii) The kind of product the customer purchased, leased, or
rented.
(xix) Real property purchased, leased, or rented.
(xx) The kind of service provided.
(xxi) Social security number.
(xxii) Bank account number.
(xxiii) Credit card number.
(xxiv) Debit card number.
(xxv) Bank or investment account, debit card, or credit card
balance.
(xxvi) Payment history.
(xxvii) Information pertaining to the customer’s creditworthiness,
assets, income, or liabilities.
(B) If a list, description, or grouping of customer names or
addresses is derived using any of these categories, and is disclosed
to a third party for direct marketing purposes in a manner that
permits the third party to identify, determine, or extrapolate any
other personal information from which the list was derived, and that
personal information when it was disclosed identified, described, or
was associated with an individual, the categories set forth in this
subdivision that correspond to the personal information used to
derive the list, description, or grouping shall be considered
personal information for purposes of this section.
(7) "Personal information" as used in this section means any
information that when it was disclosed identified, described, or was
able to be associated with an individual and includes all of the
following:
(A) An individual’s name and address.
(B) Electronic mail address.
(C) Age or date of birth.
(D) Names of children.
(E) Electronic mail or other addresses of children.
(F) Number of children.
(G) The age or gender of children.
(H) Height.
(I) Weight.
(J) Race.
(K) Religion.
(L) Occupation.
(M) Telephone number.
(N) Education.
(O) Political party affiliation.
(P) Medical condition.
(Q) Drugs, therapies, or medical products or equipment used.
(R) The kind of product the customer purchased, leased, or rented.(S) Real property purchased, leased, or rented.
(T) The kind of service provided.
(U) Social security number.
(V) Bank account number.
(W) Credit card number.
(X) Debit card number.
(Y) Bank or investment account, debit card, or credit card
balance.
(Z) Payment history.
(AA) Information pertaining to creditworthiness, assets, income,
or liabilities.
(8) "Third party" or "third parties" means one or more of the
following:
(A) A business that is a separate legal entity from the business
that has an established business relationship with a customer.
(B) A business that has access to a database that is shared among
businesses, if the business is authorized to use the database for
direct marketing purposes, unless the use of the database is exempt
from being considered a disclosure for direct marketing purposes
pursuant to subdivision (d).
(C) A business not affiliated by a common ownership or common
corporate control with the business required to comply with
subdivision (a).
(f) (1) Disclosures of personal information for direct marketing
purposes between affiliated third parties that share the same brand
name are exempt from the requirements of paragraph (1) of subdivision
(a) unless the personal information disclosed corresponds to one of
the following categories, in which case the customer shall be
informed of those categories listed in this subdivision that
correspond to the categories of personal information disclosed for
direct marketing purposes and the third party recipients of personal
information disclosed for direct marketing purposes pursuant to
paragraph (2) of subdivision (a):
(A) Number of children.
(B) The age or gender of children.
(C) Electronic mail or other addresses of children.
(D) Height.
(E) Weight.
(F) Race.
(G) Religion.
(H) Telephone number.
(I) Medical condition.
(J) Drugs, therapies, or medical products or equipment used.
(K) Social security number.
(L) Bank account number.
(M) Credit card number.
(N) Debit card number.
(O) Bank or investment account, debit card, or credit card
balance.
(2) If a list, description, or grouping of customer names or
addresses is derived using any of these categories, and is disclosed
to a third party or third parties sharing the same brand name for
direct marketing purposes in a manner that permits the third party to
identify, determine, or extrapolate the personal information from
which the list was derived, and that personal information when it was
disclosed identified, described, or was associated with an
individual, any other personal information that corresponds to the
categories set forth in this subdivision used to derive the list,
description, or grouping shall be considered personal information for
purposes of this section.
(3) If a business discloses personal information for direct
marketing purposes to affiliated third parties that share the same
brand name, the business that discloses personal information for
direct marketing purposes between affiliated third parties that share
the same brand name may comply with the requirements of paragraph
(2) of subdivision (a) by providing the overall number of affiliated
companies that share the same brand name.
(g) The provisions of this section are severable. If any provision
of this section or its application is held invalid, that invalidity
shall not affect other provisions or applications that can be given
effect without the invalid provision or application.
(h) This section does not apply to a financial institution that is
subject to the California Financial Information Privacy Act
(Division 1.2 (commencing with Section 4050) of the Financial Code)
if the financial institution is in compliance with Sections 4052,
4052.5, 4053, 4053.5, and 4054.6 of the Financial Code, as those
sections read when they were chaptered on August 28, 2003, and as
subsequently amended by the Legislature or by initiative.
(i) This section shall become operative on January 1, 2005.
The next section describes penalties:
(a) Any waiver of a provision of this title is contrary to
public policy and is void and unenforceable.
(b) Any customer injured by a violation of this title may
institute a civil action to recover damages.
(c) In addition, for a willful, intentional, or reckless violation
of Section 1798.83, a customer may recover a civil penalty not to
exceed three thousand dollars ($3,000) per violation; otherwise, the
customer may recover a civil penalty of up to five hundred dollars
($500) per violation for a violation of Section 1798.83.
(d) Unless the violation is willful, intentional, or reckless, a
business that is alleged to have not provided all the information
required by subdivision (a) of Section 1798.83, to have provided
inaccurate information, failed to provide any of the information
required by subdivision (a) of Section 1798.83, or failed to provide
information in the time period required by subdivision (b) of Section
1798.83, may assert as a complete defense in any action in law or
equity that it thereafter provided regarding the information that was
alleged to be untimely, all the information, or accurate
information, to all customers who were provided incomplete or
inaccurate information, respectively, within 90 days of the date the
business knew that it had failed to provide the information, timely
information, all the information, or the accurate information,
respectively.
(e) Any business that violates, proposes to violate, or has
violated this title may be enjoined.
(f) A prevailing plaintiff in any action commenced under Section
1798.83 shall also be entitled to recover his or her reasonable
attorney’s fees and costs.
(g) The rights and remedies available under this section are
cumulative to each other and to any other rights and remedies
available under law.
We draft privacy policies, disclaimers, and other online agreements for our clients to help them comply with the latest law.
 Michael H CohenFounder |
The Los Angeles / San Francisco / Bay Area-based Michael H Cohen Law Group provides healthcare legal and FDA legal & regulatory counsel to health & wellness practices and ventures, including health technology companies (medical devices to wearable health and nanotech), healthcare facilities (from medical centers to medical spas), and healthcare service providers (from physicians to psychologists).Our legal team offers expertise in corporate & transactional, healthcare regulatory & compliance, and healthcare litigation and dispute resolution, in cutting-edge areas such as anti-aging and functional medicine, telemedicine and m-health, and concierge medicine.Our Founder, attorney Michael H. Cohen, is an author, speaker on healthcare law and FDA law, and internationally-recognized thought leader in the trillion-dollar health & wellness industry. |