Can I store personal information about my customers in Idaho? What are the requirements?
Storing Personal Information of Customers in Idaho
Yes, you can store personal information about your customers in Idaho, but you must comply with the Idaho Consumer Protection Act (ICPA) and the Idaho Identity Theft Statute (IITS) [1.1].
Idaho Consumer Protection Act (ICPA)
Under the ICPA, you must provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices not less than annually during the continuation of the customer relationship [1.1]. You must categorize the nonpublic personal financial information you collect and disclose, and provide a few examples to illustrate the types of information in each category [1.4]. You must also describe your policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information [1.4].
If you provide nonpublic personal information to nonaffiliated third parties only in accordance with Sections 450, 451, and 452, and have not changed your policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent disclosure sent to consumers in accordance with Section 100 or Section 150, you are not obligated to provide the annual privacy notice to a current customer [1.1].
Idaho Identity Theft Statute (IITS)
Under the IITS, you must take reasonable measures to protect against unauthorized access to and use of personal identifying information [2.1]. You must also provide notice to affected individuals in the event of a breach of the security of the system that contains personal identifying information [2.1].
Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information
There are exceptions to the notice and opt-out requirements for disclosure of nonpublic personal financial information. For example, the requirements for initial notice to consumers, the opt-out, and service providers and joint marketing do not apply when a licensee discloses nonpublic personal financial information: with the consent or at the direction of the consumer; to protect the confidentiality or security of a licensee’s records pertaining to the consumer, service, product or transaction; to protect against or prevent actual or potential fraud or unauthorized transactions; for prescribed institutional risk control or for resolving consumer disputes or inquiries; to persons holding a legal or beneficial interest relating to the consumer; or to persons acting in a fiduciary or representative capacity on behalf of the consumer [1.2].
Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties
There are limits on the disclosure of nonpublic personal financial information to nonaffiliated third parties. A licensee will not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless the licensee has provided the consumer with an initial notice and an opt-out notice, and has given the consumer a reasonable opportunity to opt out of the disclosure before it discloses the information to the nonaffiliated third party [1.5].
In summary, you can store personal information about your customers in Idaho, but you must comply with the ICPA and the IITS. You must provide a clear and conspicuous notice to customers, categorize the nonpublic personal financial information you collect and disclose, describe your policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information, and take reasonable measures to protect against unauthorized access to and use of personal identifying information. There are exceptions to the notice and opt-out requirements for disclosure of nonpublic personal financial information, and there are limits on the disclosure of nonpublic personal financial information to nonaffiliated third parties.
Source(s):
- [1.1] ANNUAL PRIVACY NOTICE TO CUSTOMERS.
- [1.2] OTHER EXCEPTIONS TO NOTICE AND OPT OUT REQUIREMENTS FOR DISCLOSURE OF NONPUBLIC PERSONAL FINANCIAL INFORMATION.
- [1.4] SATISFYING THE PRIVACY NOTICE INFORMATION REQUIREMENTS.
- [1.5] LIMITS ON DISCLOSURE OF NONPUBLIC PERSONAL FINANCIAL INFORMATION TO NONAFFILIATED THIRD PARTIES.
- [2.1] RECORDS EXEMPT FROM DISCLOSURE — PERSONNEL RECORDS, PERSONAL INFORMATION, HEALTH RECORDS, PROFESSIONAL DISCIPLINE.
Jurisdiction
Idaho