Ask Reggi Your Question Now

Reggi is the free generative AI assistance for regulatory compliance
Ask a Question

Can I collect personal information from my customers in California in Arkansas? What are the requirements?

Based on the provided context documents, it appears that there are specific requirements for collecting personal information from customers in California and Arkansas.

Requirements for Collecting Personal Information in California

According to Civ Code CACL 1798.14 and Civ Code CACL 1798.24, an agency in California shall maintain in its records only personal information which is relevant and necessary to accomplish a purpose of the agency required or authorized by the California Constitution or statute or mandated by the federal government. Additionally, an agency in California shall not disclose any personal information in a manner that would link the information disclosed to the individual to whom it pertains unless the information is disclosed in certain ways. These include:

  • With the prior written voluntary consent of the individual to whom the information pertains, but only if that consent has been obtained not more than 30 days before the disclosure, or in the time limit agreed to by the individual in the written consent.
  • To the duly appointed guardian or conservator of the individual or a person representing the individual if it can be proven with reasonable certainty through the possession of agency forms, documents, or correspondence that this person is the authorized representative of the individual to whom the information pertains.
  • To those officers, employees, attorneys, agents, or volunteers of the agency that have custody of the information if the disclosure is relevant and necessary in the ordinary course of the performance of their official duties and is related to the purpose for which the information was acquired.
  • To a person, or to another agency if the transfer is necessary for the transferee agency to perform its constitutional or statutory duties, and the use is compatible with a purpose for which the information was collected and the use or transfer is in accordance with Section 1798.25.
  • To a governmental entity if required by state or federal law.
  • Pursuant to a subpoena, court order, or other compulsory legal process if, before the disclosure, the agency reasonably attempts to notify the individual to whom the record pertains, and if the notification is not prohibited by law.
  • To any person pursuant to a search warrant.

Therefore, if you are collecting personal information from customers in California, you must obtain their prior written voluntary consent or disclose the information in accordance with the other requirements listed above.

Requirements for Collecting Personal Information in Arkansas

According to ARAR 054.00.74-11, ARAR 054.00.74-12, ARAR 054.00.74-15, and ARAR 054.00.74-16, a person or business that acquires, owns, or licenses personal information about an Arkansas resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Additionally, a person or business shall take all reasonable steps to destroy or arrange for the destruction of a customer’s records within its custody or control containing personal information that is no longer to be retained by the person or business by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.

Furthermore, a licensee may not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless the licensee has provided to the consumer an initial notice as required under Section 5, an opt-out notice as required in Section 8, and has given the consumer a reasonable opportunity, before it discloses the information to the nonaffiliated third party, to opt out of the disclosure. However, there are exceptions to the opt-out requirements listed in ARAR 054.00.74-16.

Therefore, if you are collecting personal information from customers in Arkansas, you must implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. You must also take all reasonable steps to destroy or arrange for the destruction of a customer’s records within your custody or control containing personal information that is no longer to be retained by you. Additionally, you must provide an initial notice and opt-out notice to the consumer and give them a reasonable opportunity to opt-out of the disclosure, unless an exception applies.

Conclusion

Based on the provided context documents, it appears that there are specific requirements for collecting personal information from customers in California and Arkansas. Therefore, you must comply with these requirements if you are collecting personal information from customers in these states.

Jurisdiction

California, Arkansas