Like many states across the U.S., Hawaii and Maryland have introduced new privacy legislation this year geared toward protecting consumers’ personal information.
Hawaii SB 2451
Hawaii SB 2451 adds a new section to Chapter 487J of the Hawaii Revised Statutes which currently provides various protections for Social Security numbers, identification card information and certain health information.
The new section provides that a third party cannot use or sell personal information (“PI”) that it purchased from a business unless the consumer:
- Received notice;
- Provided “express written consent”; and
- Did not opt-out after being given the opportunity to do so.
Like the CCPA, the bill defines a “third party” in terms of what it is not, which in this case means a person who is not:
- A business that collects PI from consumers; or
- A person who receives PI from a business for a business purpose pursuant to a written contract that restricts further use of the PI.
“Business” is already defined in existing § 487J-1 and “means a sole proprietorship, partnership, limited partnership, corporation, limited liability company, association, or any other form of business entity. The term also includes a financial institution organized, chartered, or holding a license or authorization certificate under the laws of this State, any other state, the United States, or any other country, or the parent or the subsidiary of any such financial institution. The term also includes an entity whose business is records destruction.”
A business that sells consumers’ information must provide notice to that effect, including a link titled “Do Not Sell My Personal Information.”
The legislation provides no exemptions and enforcement is presumably pursuant to existing § 487J-3 which provides for a civil penalty up to $2,500 per violation and a private right of action for actual damages and attorney’s fees.
Maryland HB 249
- Is for profit;
- Collects consumers’ PI; and
- Meets one of the following:
- Annual gross revenue over $25M;
- Annually buys, receives, sells or shares for commercial purposes the PI of 100,000 or more consumers; or
- Derives 50% of annual revenue from selling consumers’ PI.
The legislation is unique in that it provides consumers the right to opt-out of the “disclosure” of their PI to third parties. “Disclosure” is defined as “a transfer of a consumer’s personal information by a business to a third party, including selling, renting, releasing, disseminating, making available, transferring, or otherwise communicating by any means.” It does not include:
- A transfer of PI to a service provider for an operational purpose;
- Identification of a consumer who has opted-out to alert third parties; or
- A transfer of PI “as an asset that is part of a transaction in which the third party assumes control of all or part of the business.”
“Service provider” is defined as an entity that processes PI pursuant to a contract that contains certain restrictions. “Third party” is undefined.
A business must post a link on its homepage allowing a consumer to opt-out of the disclosure of her or his PI, and the business may not discriminate against those who exercise the opt-out.
A violation would constitute an unfair, abusive, or deceptive trade practice under Maryland’s Consumer Protection Act which provides a private right of action and a civil penalty up to $10,000 for a first violation.