Can I share personal information about my customers with third parties in Hawaii? What are the requirements?
Sharing Personal Information with Third Parties in Hawaii
In Hawaii, a licensee may not disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless the following requirements are met [1.1]:
- The licensee has provided to the consumer an initial notice as required under section 431:3A-201;
- The licensee has provided to the consumer an opt-out notice as required under section 431:3A-204;
- The licensee has given the consumer a reasonable opportunity, before it discloses the information to the nonaffiliated third party, to opt out of the disclosure; and
- The consumer does not opt out.
A licensee shall comply with this section, whether or not the licensee and the consumer have established a customer relationship. If a licensee fails to comply with this section, the licensee may not disclose, directly or through any affiliate, any nonpublic personal financial information about a consumer that the licensee has collected, whether or not the licensee collected it before or after receiving the direction to opt out from the consumer [1.1].
A licensee may allow a consumer to select certain nonpublic personal financial information or certain nonaffiliated third parties with respect to which the consumer wishes to opt out [1.1].
Annual Privacy Notice Requirements
A licensee shall provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship. For the purposes of this section, “annually” means at least once in any period of twelve consecutive months during which that relationship exists. A licensee may define the twelve-consecutive-month period, but the licensee shall apply it to the customer on a consistent basis [1.2].
Exceptions to Notice and Opt-Out Requirements
The requirements for initial notice in section 431:3A-201, the opt-out in sections 431:3A-204 and 431:3A-301, and service providers and joint marketing in section 431:3A-401 shall not apply if a licensee discloses nonpublic personal financial information:
- With the consent or at the direction of the consumer, who has not revoked the consent or direction;
- To protect the confidentiality or security of a licensee’s records pertaining to the consumer, service, product, or transaction;
- To protect against or prevent actual or potential fraud or unauthorized transactions;
- For required institutional risk control;
- For resolving consumer disputes or inquiries;
- To persons holding a legal or beneficial interest relating to the consumer or to persons acting in a fiduciary or representative capacity on behalf of the consumer;
- To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating a licensee, persons that are assessing the licensee’s compliance with industry standards, or the licensee’s attorneys, accountants, and auditors;
- To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978, Title 12 United States Code section 3401 et seq., as amended, to law enforcement agencies including the Federal Reserve Board, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Office of Thrift Supervision, National Credit Union Administration, the Securities and Exchange Commission, and the Secretary of the Treasury, with respect to Title 31 United States Code chapter 53, subchapter II (Records and Reports on Monetary Instruments and Transactions), as amended, and Title 12 United States Code chapter 21 (Financial Recordkeeping), as amended, a state insurance authority, and the Federal Trade Commission, self‐regulatory organizations, or for an investigation on a matter related to public safety;
- To a consumer reporting agency in accordance with the federal Fair Credit Reporting Act, Title 15 United States Code section 1681, et seq., as amended, or from a consumer report reported by a consumer reporting agency;
- In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal financial information concerns solely consumers of the business or unit;
- To comply with federal, state, or local laws, rules, and other applicable legal requirements;
- To comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by federal, state, or local authorities;
- To respond to judicial process or government regulatory authorities having jurisdiction over a licensee for examination, compliance, or other purposes as authorized by law; or
- For purposes related to the replacement of a group benefit plan, a group health plan, a group welfare plan, or a workers’ compensation plan [1.4].
Destruction of Personal Information Records
Any business or government agency that conducts business in Hawaii and any business or government agency that maintains or otherwise possesses personal information of a resident of Hawaii shall take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal. The reasonable measures shall include implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, recycling, or shredding of papers containing personal information so that information cannot be practicably read or reconstructed; implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other nonpaper media containing personal information so that the information cannot practicably be read or reconstructed; and describing procedures relating to the adequate destruction or proper disposal of personal records as official policy in the writings of the business entity [2.1].
Conclusion
In Hawaii, a licensee may share personal information about customers with third parties only if the requirements for disclosure are met. The licensee must provide an initial notice, an opt-out notice, and a reasonable opportunity for the consumer to opt out of the disclosure. The licensee must also comply with annual privacy notice requirements and include specific information in the privacy notices. There are exceptions to the notice and opt-out requirements, but they are limited. Additionally, businesses and government agencies must take reasonable measures to protect against unauthorized access to or use of personal information in connection with or after its disposal.
Source(s):
- [1.1] Limits on disclosure of nonpublic personal financial information to nonaffiliated third parties.
- [1.2] Annual privacy notice to customers required.
- [1.4] Other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information.
- [2.1] Destruction of personal information records.
Jurisdiction
Hawaii