Can I collect personal information from my customers in California in Idaho? What are the requirements?
Collecting Personal Information of California Customers in Idaho
If you are collecting personal information of California customers in Idaho, you must comply with both California and Idaho laws.
Under California law, businesses that collect personal information of California residents must comply with the California Consumer Privacy Act (CCPA) [1.1]. The CCPA applies to businesses that meet certain criteria, including those that have an annual gross revenue of over $25 million, buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices, or derive 50 percent or more of their annual revenue from selling California residents’ personal information [1.1].
Under Idaho law, if you own or license computerized data that includes personal information about a resident of Idaho, you must comply with the Disclosure of Breach of Security of Computerized Personal Information by an Agency, Individual or a Commercial Entity law [1.1]. This law requires you to conduct a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused if you become aware of a breach of the security of the system. If the investigation determines that the misuse of information about an Idaho resident has occurred or is reasonably likely to occur, you must give notice as soon as possible to the affected Idaho resident [1.1].
Requirements for Collecting Personal Information
To comply with both California and Idaho laws, you must ensure that you are collecting personal information in a lawful and transparent manner. You must provide a privacy notice that includes the categories of nonpublic personal financial information you collect or disclose, the categories of third parties to whom you disclose nonpublic personal financial information, and an explanation of the consumer’s right to opt-out of the disclosure of nonpublic personal financial information to nonaffiliated third parties [2.3], [2.5].
Additionally, you must ensure that you have appropriate security practices and procedures in place to protect the confidentiality and security of nonpublic personal financial information in accordance with your policy [2.3].
Under Idaho law, you must provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices not less than annually during the continuation of the customer relationship [2.1]. You are not obligated to provide an annual notice to a former customer [2.1]. You are not obligated to provide the annual privacy notice to a current customer if you provide nonpublic personal information to nonaffiliated third parties only in accordance with Sections 450, 451, and 452, and have not changed your policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent disclosure sent to consumers in accordance with Section 100 or Section 150 [2.1].
It is unlawful for any person to obtain or record personal identifying information of another person without the authorization of that person, with the intent that the information be used to obtain, or attempt to obtain, credit, money, goods or services without the consent of that person [3.2]. It is also unlawful for any person to falsely assume or pretend to be a member of the armed forces of the United States or an officer or employee acting under authority of the United States or any department, agency or office thereof or of the state of Idaho or any department, agency or office thereof, and in such pretended character, seek, demand, obtain or attempt to obtain personal identifying information of another person [3.1].
Limits on Disclosure and Sharing of Personal Information
Under Idaho law, you must comply with Section 400, which requires you to provide an initial notice and opt-out notice to consumers, and give them a reasonable opportunity to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties before disclosing the information [2.4]. If a consumer opts out, you cannot disclose nonpublic personal financial information about that consumer to a nonaffiliated third party, other than as permitted by Sections 450, 451, and 452 [2.4]. You will not disclose any nonpublic personal financial information about a consumer that you have collected, regardless of whether you collected it before or after receiving the direction to opt out from the consumer, unless you comply with Section 400 [2.4]. You will not disclose, other than to a consumer reporting agency, a policy number or similar form of access number or access code for a consumer’s policy or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing or other marketing through electronic mail to the consumer [2.6].
It is recommended that you consult with a legal professional to ensure that you are complying with both California and Idaho laws when collecting personal information of California customers in Idaho.
Source(s):
- [1.1] DISCLOSURE OF BREACH OF SECURITY OF COMPUTERIZED PERSONAL INFORMATION BY AN AGENCY, INDIVIDUAL OR A COMMERCIAL ENTITY.
- [2.1] ANNUAL PRIVACY NOTICE TO CUSTOMERS.
- [3.1] ACQUISITION OF PERSONAL IDENTIFYING INFORMATION BY FALSE AUTHORITY.
- [2.3] SATISFYING THE PRIVACY NOTICE INFORMATION REQUIREMENTS.
- [3.2] MISAPPROPRIATION OF PERSONAL IDENTIFYING INFORMATION.
- [2.4] LIMITS ON DISCLOSURE OF NONPUBLIC PERSONAL FINANCIAL INFORMATION TO NONAFFILIATED THIRD PARTIES.
- [2.5] INFORMATION TO BE INCLUDED IN PRIVACY NOTICES.
- [2.6] LIMITS ON SHARING ACCOUNT NUMBER INFORMATION FOR MARKETING PURPOSES.
Jurisdiction
Idaho, California