What Does California’s Privacy Law Mean for Dentists?

Dan Goldstein and Adam Rowan


Earlier this year, the European Union launched sweeping data gathering and storage guidelines through its General Data Protection Regulation (GDPR). The regulation specifies how online entities must handle the data of citizens in the EU, with businesses and websites around the world required to revise their privacy policies to achieve compliance. 

Now the United States is starting to follow suit. AB 375, or the California Consumer Privacy Act of 2018 (the “Act”), was signed in to law on June 28. Starting in 2020, businesses meeting the Act’s stated thresholds “will be required to disclose the types of data they collect, as well as allow consumers to opt out of having their data sold,” according to The Verge.

So, how will this groundbreaking legislation affect dentists? 

Is My Practice Eligible Under the Law? 

According to Tripwire, businesses subject to the California law must meet one of the following criteria: “Have annual gross revenue of $25 million or more; Collects, sells or shares for commercial purposes the personal information of at least 50,000 consumers, households or devices; or Derives at least 50% of its annual revenues from selling consumers’ personal information.”

Most individual and group dental practitioners both inside and outside of California won’t meet the thresholds established by the California Consumer Privacy Act. Accordingly, most dentists won’t be subject to the law and won’t need to take any action now to comply.

It should be noted, however, that unintended consequences have been the recurrent theme of the GDPR. How else to explain the glut of “Our Privacy Policy Has Changed” messages on the websites of even the smallest of small businesses?

Both houses of the California legislature passed AB 375 in approximately one week, and Governor Jerry Brown signed the bill into law the same day it was passed. The unusual speed almost ensures that drafting errors were made and makes the Act seem primed for the law of unintended consequences—a charge already levied against it by Google, Reuters reports.

What If It Applies to My Practice?

If your practice is the exception, meaning you make more than $25 million in annual revenue or you collect huge amounts of personal consumer data as part of your revenue stream, you will need to comply.

In that situation, there is good news. The Act doesn’t take effect until 2020, which gives you plenty of time to address it. In the case of the GDPR, most dental website marketing companies will be able to address the new rules fairly quickly either by opting out or by activating a plugin specifically built for the purpose of compliance with the GDPR. Since the Act’s requirements are similar, your dental website marketing company should be able to implement a similar solution to your website well in advance of 2020. 

What Now?

Major corporations like Google, Facebook, and Apple—all headquartered in California, not so coincidentally—fought to strike down the act while the Assembly was debating it. Now that the law has passed, it is all but certain that one or more of these companies will challenge the Act in court.

When that happens, perhaps the biggest challenge the California Consumer Privacy Act will face is the supremacy of federal law over interstate commerce, a reality the GDPR did not have to face. California is the first state in the nation to sport this level of consumer protection. If a court finds that the Act is preempted by federal law, it could strike down significant provisions of the Act, if not the entirety of the law.

Preserving Patient Privacy 

The California Consumer Privacy Act empowers consumers in California to know what data businesses collect. It also gives them the right to prohibit websites from collecting data and the right to opt out of data collection. Additionally, it requires websites and businesses to delete all non-essential user information.

For dentists, HIPAA compliance already establishes a foundation for protecting patient privacy. While other businesses might be reeling from the introduction of such a massive consumer protection law, dentists already have a longstanding commitment to confidentiality both in person and online. Furthermore, most solo and group practitioners fall below the revenue and consumer service thresholds established by the California Consumer Privacy Act. 

Most dentists in California should see limited impact from the law once it becomes effective in 2020. Dentists outside of California should see even less impact. 

Dan Goldstein is an attorney. He is the president and owner of Page 1 Solutions, LLC, a full-service digital marketing agency serving dentists, attorneys, and doctors throughout North America. He has written numerous articles and given many presentations on internet marketing at various conferences for attorneys, physicians, and dentists.

Adam Rowan is the content specialist at Page 1 Solutions. He has 10 years of experience writing for the Web and print outlets. Also, he has worked for multinational corporations like Yahoo! and for local publications in the Denver metro area.

Related Articles

CMA and CDA Propose Statewide Soda Tax in California

California Crafts Statewide Plan to Improve Oral Health

Denti-Cal Providers Get a Boost in 2018-2019 Budget