Ask Reggi Your Question Now

Reggi is the free generative AI assistance for regulatory compliance
Ask a Question

Can I collect personal information from my customers in California in Hawaii? What are the requirements?

Collecting Personal Information in Hawaii and California

If you are collecting personal information from customers in Hawaii and California, you must comply with the relevant laws and regulations in both states.

Hawaii Requirements

In Hawaii, any business or government agency that conducts business in Hawaii and maintains or possesses personal information of a resident of Hawaii shall take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal [1.1]([CCPA]:). The reasonable measures shall include implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other nonpaper media containing personal information so that the information cannot practicably be read or reconstructed [1.1]([CCPA]:).

If you are a disposal business that conducts business in Hawaii or disposes of personal information of residents of Hawaii, you shall take reasonable measures to dispose of records containing personal information by implementing and monitoring compliance with policies and procedures that protect against unauthorized access to, or use of, personal information during or after the collection, transportation, and disposing of such information [1.1]([CCPA]:).

California Requirements

In California, businesses that collect personal information are required to provide consumers with certain notices and disclosures. The California Consumer Privacy Act (CCPA) requires businesses to provide consumers with a notice at or before the point of collection that describes the categories of personal information to be collected and the purposes for which the categories of personal information shall be used [CCPA].

Additionally, businesses must provide consumers with a privacy policy that describes the categories of personal information collected, the sources of the personal information, the purposes for which the personal information will be used, and the categories of third parties with whom the personal information will be shared [CCPA].

Annual Privacy Notice

In Hawaii, a licensee shall provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship [3.1]([1.2]:).

Reporting Requirements

In Hawaii, a government agency shall submit a written report to the legislature within twenty days after the discovery of a material occurrence of unauthorized access to personal information records in connection with or after its disposal by or on behalf of the government agency [1.2].

Limits on Redisclosure and Reuse of Nonpublic Personal Financial Information

In Hawaii, if a licensee receives nonpublic personal financial information from a nonaffiliated financial institution under an exception in section 431:3A-402 or 431:3A-403, the licensee’s disclosure and use of that information shall be as follows [3.2]([3.4]:):

  • The licensee may disclose the information to the affiliates of the financial institution from which the licensee received the information.
  • The licensee may disclose the information to its affiliates who may disclose and use the information only to the extent that the licensee may disclose and use the information.
  • The licensee may disclose and use the information pursuant to an exception under section 431:3A-402 or 431:3A-403, in the ordinary course of business to carry out the activity covered by the exception under which the licensee received the information.

Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and for Joint Marketing

In Hawaii, the opt-out requirements in sections 431:3A-204 and 431:3A-301 shall not apply if a licensee provides nonpublic personal financial information to a nonaffiliated third party to perform services for the licensee or functions on the licensee’s behalf, if the licensee provides the initial notice in accordance with section 431:3A-201 and enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information, including use under an exception in sections 431:3A-402 and 431:3A-403 in the ordinary course of business to carry out those purposes [3.4].

Conclusion

To summarize, if you are collecting personal information from customers in Hawaii and California, you must comply with the relevant laws and regulations in both states. In Hawaii, you must take reasonable measures to protect against unauthorized access to or use of personal information, and implement policies and procedures for the destruction or erasure of electronic media and other nonpaper media containing personal information. In California, you must provide consumers with notices and disclosures at or before the point of collection and a privacy policy that describes the categories of personal information collected, the sources of the personal information, the purposes for which the personal information will be used, and the categories of third parties with whom the personal information will be shared. Additionally, in Hawaii, you must provide customers with an annual privacy notice, and report to the legislature within twenty days after the discovery of a material occurrence of unauthorized access to personal information records. Finally, in Hawaii, there are limits on redisclosure and reuse of nonpublic personal financial information, and an exception to opt-out requirements for disclosure of nonpublic personal financial information for service providers and for joint marketing.

Source(s):
Jurisdiction

Hawaii, California