Press "Enter" to skip to content

Hawaii and Maryland Jump on the Privacy Bandwagon with New Legislation

privacy legislationLike many states across the U.S., Hawaii and Maryland have introduced new privacy legislation this year geared toward protecting consumers’ personal information.

Hawaii SB 2451

Hawaii SB 2451 adds a new section to Chapter 487J of the Hawaii Revised Statutes which currently provides various protections for Social Security numbers, identification card information and certain health information. 

The new section provides that a third party cannot use or sell personal information (“PI”) that it purchased from a business unless the consumer:

  1. Received notice;
  2. Provided “express written consent”; and
  3. Did not opt-out after being given the opportunity to do so.

Like the CCPA, the bill defines a “third party” in terms of what it is not, which in this case means a person who is not:

  1. A business that collects PI from consumers; or
  2. A person who receives PI from a business for a business purpose pursuant to a written contract that restricts further use of the PI.

“Business” is already defined in existing § 487J-1 and “means a sole proprietorship, partnership, limited partnership, corporation, limited liability company, association, or any other form of business entity. The term also includes a financial institution organized, chartered, or holding a license or authorization certificate under the laws of this State, any other state, the United States, or any other country, or the parent or the subsidiary of any such financial institution. The term also includes an entity whose business is records destruction.”

A business that sells consumers’ information must provide notice to that effect, including a link titled “Do Not Sell My Personal Information.” 

The legislation provides no exemptions and enforcement is presumably pursuant to existing § 487J-3 which provides for a civil penalty up to $2,500 per violation and a private right of action for actual damages and attorney’s fees.

Maryland HB 249

Maryland HB 249 would add the statutory subtitle “Consumer Personal Information Privacy” to Title 14 of the Commercial Law.  The new law would apply to a “business” that:

  1. Is for profit;
  2. Collects consumers’ PI; and
  3. Meets one of the following:
    1. Annual gross revenue over $25M;
    2. Annually buys, receives, sells or shares for commercial purposes the PI of 100,000 or more consumers; or
    3. Derives 50% of annual revenue from selling consumers’ PI.

The legislation is unique in that it provides consumers the right to opt-out of the “disclosure” of their PI to third parties.  “Disclosure” is defined as “a transfer of a consumer’s personal information by a business to a third party, including selling, renting, releasing, disseminating, making available, transferring, or otherwise communicating by any means.”  It does not include:

  • A transfer of PI to a service provider for an operational purpose;
  • Identification of a consumer who has opted-out to alert third parties; or
  • A transfer of PI “as an asset that is part of a transaction in which the third party assumes control of all or part of the business.”

“Service provider” is defined as an entity that processes PI pursuant to a contract that contains certain restrictions.  “Third party” is undefined.

A business must post a link on its homepage allowing a consumer to opt-out of the disclosure of her or his PI, and the business may not discriminate against those who exercise the opt-out.

A violation would constitute an unfair, abusive, or deceptive trade practice under Maryland’s Consumer Protection Act which provides a private right of action and a civil penalty up to $10,000 for a first violation.

Print Friendly, PDF & Email

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see https://mauricewutscher.com/attorneys/eric-rosenkoetter/

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.