Press "Enter" to skip to content

Hawaii and Maryland Jump on the Privacy Bandwagon with New Legislation

privacy legislationLike many states across the U.S., Hawaii and Maryland have introduced new privacy legislation this year geared toward protecting consumers’ personal information.

Hawaii SB 2451

Hawaii SB 2451 adds a new section to Chapter 487J of the Hawaii Revised Statutes which currently provides various protections for Social Security numbers, identification card information and certain health information. 

The new section provides that a third party cannot use or sell personal information (“PI”) that it purchased from a business unless the consumer:

  1. Received notice;
  2. Provided “express written consent”; and
  3. Did not opt-out after being given the opportunity to do so.

Like the CCPA, the bill defines a “third party” in terms of what it is not, which in this case means a person who is not:

  1. A business that collects PI from consumers; or
  2. A person who receives PI from a business for a business purpose pursuant to a written contract that restricts further use of the PI.

“Business” is already defined in existing § 487J-1 and “means a sole proprietorship, partnership, limited partnership, corporation, limited liability company, association, or any other form of business entity. The term also includes a financial institution organized, chartered, or holding a license or authorization certificate under the laws of this State, any other state, the United States, or any other country, or the parent or the subsidiary of any such financial institution. The term also includes an entity whose business is records destruction.”

A business that sells consumers’ information must provide notice to that effect, including a link titled “Do Not Sell My Personal Information.” 

The legislation provides no exemptions and enforcement is presumably pursuant to existing § 487J-3 which provides for a civil penalty up to $2,500 per violation and a private right of action for actual damages and attorney’s fees.

Maryland HB 249

Maryland HB 249 would add the statutory subtitle “Consumer Personal Information Privacy” to Title 14 of the Commercial Law.  The new law would apply to a “business” that:

  1. Is for profit;
  2. Collects consumers’ PI; and
  3. Meets one of the following:
    1. Annual gross revenue over $25M;
    2. Annually buys, receives, sells or shares for commercial purposes the PI of 100,000 or more consumers; or
    3. Derives 50% of annual revenue from selling consumers’ PI.

The legislation is unique in that it provides consumers the right to opt-out of the “disclosure” of their PI to third parties.  “Disclosure” is defined as “a transfer of a consumer’s personal information by a business to a third party, including selling, renting, releasing, disseminating, making available, transferring, or otherwise communicating by any means.”  It does not include:

  • A transfer of PI to a service provider for an operational purpose;
  • Identification of a consumer who has opted-out to alert third parties; or
  • A transfer of PI “as an asset that is part of a transaction in which the third party assumes control of all or part of the business.”

“Service provider” is defined as an entity that processes PI pursuant to a contract that contains certain restrictions.  “Third party” is undefined.

A business must post a link on its homepage allowing a consumer to opt-out of the disclosure of her or his PI, and the business may not discriminate against those who exercise the opt-out.

A violation would constitute an unfair, abusive, or deceptive trade practice under Maryland’s Consumer Protection Act which provides a private right of action and a civil penalty up to $10,000 for a first violation.

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, and is focused on advising clients with respect to federal and state consumer financial protection laws and data privacy and security, and he is a Certified Information Privacy Professional though the International Association of Privacy Professionals. He also brings to the table experience as a litigator, chief compliance and ethics officer, director of legislative affairs, federal lobbyist, and administrative hearings officer. Eric earned his Juris Doctor from Washington University School of Law, and his Bachelor of Business Administration from Southern Methodist University. He is a member of the International Association of Privacy Professionals, the Receivables Management Association International (RMAI), and ACA International. He is admitted to practice law in Texas and Missouri and in the U.S. District Courts for the Northern, Southern, Eastern, and Western Districts of Texas. For more information, see https://mauricewutscher.com/attorneys/eric-rosenkoetter/

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.