Bill Text: HI SB2581 | 2024 | Regular Session | Introduced
Bill Title: Relating To Privacy.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Introduced) 2024-01-24 - Referred to CPN, WAM/JDC. [SB2581 Detail]
Download: Hawaii-2024-SB2581-Introduced.html
|
THE SENATE |
S.B. NO. |
2581 |
|
THIRTY-SECOND LEGISLATURE, 2024 |
|
|
|
STATE OF HAWAII |
|
|
|
|
|
|
|
|
||
|
|
||
A BILL FOR AN ACT
relating to privacy.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:
SECTION 1. The Hawaii Revised Statutes is amended by adding a new chapter to be appropriately designated and to read as follows:
"Chapter
CONSUMER PRIVACY
PART I.
GENERAL PROVISIONS
§ -1 Definitions. As used in this chapter:
"Biometric information" means an individual's physiological, biological, or behavioral characteristics, including an individual's deoxyribonucleic acid, which can be used singly or in combination with each other or with other identifying data to establish individual identity. "Biometric information" includes imagery of the iris, retina, fingerprint, face, hand, palm, or vein patterns; voice recordings from which an identifier template, such as a faceprint, minutiae template, or voiceprint, can be extracted; and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
"Business" has the same meaning as in section 487J‑1.
"Collect", "collected", or "collection" means buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means, including receiving information from the consumer, either actively or passively, or by observing the consumer's behavior.
"Consumer" means an individual residing
in the State.
"Data broker" means a business, or
unit or units of a business, separately or together, that knowingly collects
and sells or licenses to third parties the personal information of a consumer
with whom the business does not have a direct relationship. "Data broker" does not include:
(1) An entity to the extent that it is covered by the federal Fair Credit Reporting Act, title 15 United States Code section 1681 et seq.;
(2) An entity to the extent that it is covered by the Gramm-Leach-Bliley Act, Public Law 106-102, and implementing regulations; or
(3) An entity to the extent that it is covered by chapter 431, article 3A.
"Deidentified" means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.
"Device" means any physical object that is capable of connecting to the Internet, directly or indirectly, or to another device.
"Direct relationship" means a relationship,
past or present, between a consumer and a business in which the consumer is: a customer, client, subscriber, or user of the
business's goods or services; employee, contractor, or agent of the business;
investor in the business; or donor to the business. "Direct relationship" does not
include the following activities conducted by a business, or the collection and
sale or licensing of personal information incidental to conducting these
activities:
(1) Developing or maintaining third-party e-commerce or application platforms;
(2) Providing directory assistance or directory information services, including name, address, and telephone number, on behalf of or as a function of a telecommunications carrier;
(3) Providing publicly available information related to a consumer's business or profession; and
(4) Providing publicly available information via real-time or near real-time alert services for health or safety purposes.
"Family" means a custodial parent or guardian and any minor children over which the parent or guardian has custody.
"License" means to grant one's
business' access to, or distribution of, data to another business in exchange
for consideration. "License"
does not include the sharing of data for the sole benefit of the business
providing the data, where that business maintains sole control over the use of
the data.
"Office" means the office of
consumer protection.
"Person" means an individual, proprietorship, firm, partnership, joint venture, syndicate, business trust, company, corporation, limited liability company, association, committee, or any other organization or group of persons acting in concert.
"Personal information" means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes the following:
(1) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier internet protocol address, electronic mail address, account name, social security number, driver's license number, passport number, or other similar identifiers;
(2) Personal information as defined in section 487N-1;
(3) Characteristics of protected classifications under federal or state law;
(4) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
(5) Biometric information;
(6) Internet or other electronic network activity information, including browsing history, search history, and information regarding a consumer's interaction with a website, application, or advertisement;
(7) Geolocation information;
(8) Audio, electronic, visual, thermal, olfactory, or similar information;
(9) Professional or employment-related information;
(10) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. 1232g; 34 C.F.R. part 99); and
(11) Inferences drawn from any of the information identified in this chapter to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
"Publicly available" means available information from federal, state, or local government records, including any conditions associated with the information. "Publicly available" does not include:
(1) Biometric information collected by a business about a consumer without the consumer's knowledge; and
(2) Consumer information that is deidentified or aggregate consumer information.
"Sell", "selling", "sale", or "sold" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration.
"Unique personal identifier" means a persistent identifier that can be used to recognize a consumer, family, or device that is linked to a consumer or family, over time and across different services, including but not limited to a device identifier; an internet protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device.
"Verifiable consumer request" means a request made by a consumer, or on behalf of the consumer's minor child, whom the business verifies is a consumer of the business's services.
part ii.
data brokers
§ -21 Annual registration. (a) On or before January 31 of
each year following a year in which a business meets the definition of data
broker, a data broker shall:
(1) Register with the office;
(2) Pay a registration fee in an amount determined by the office, to be deposited into the data brokers' registry special fund; and
(3) Provide the following information to the office:
(A) The name and primary physical, electronic mail, and internet addresses of the data broker;
(B) If the data broker permits a consumer to opt out of the data broker's collection of personal information, opt out of its databases, or opt out of certain sales of data:
(i) The method for requesting an opt-out;
(ii) Which activities and sales the opt-out applies to; and
(iii) Whether the data broker permits a consumer to authorize a third party to perform the opt-out on the consumer's behalf;
(C) A statement specifying the data collection, databases, or sales activities from which a consumer may not opt out; and
(D) Any additional information or explanation
the data broker chooses to provide concerning its data collection practices.
(b)
The office shall create a page on its website where the information
provided by data brokers under this chapter shall be accessible to the public.
(c) A data broker that fails to register with the office as required by this section shall be liable for administrative fines and costs in an administrative action brought by the office as follows:
(1) An administrative fine as determined by the office for each day the data broker fails to register as required by this section;
(2) An amount equal to the fees that were due during the period it failed to register; and
(3) Expenses incurred by the office in the investigation and administration of the action as the court deems appropriate.
(d) Any penalties, fines, fees, and expenses received pursuant to subsection (c) shall be deposited in the data brokers' registry special fund.
§ -22 Personal information; deletion. (a) The office shall establish an accessible deletion mechanism that:
(1) Implements and maintains reasonable security procedures and practices, including but not limited to administrative, physical, and technical safeguards appropriate to the nature of the information and the purposes for which the personal information will be used and to protect consumers' personal information from unauthorized use, disclosure, access, destruction, or modification;
(2) Allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor;
(3) Allows a consumer to selectively exclude specific data brokers from a request made under paragraph (2); and
(4) Allows a consumer to make a request to alter a previous request made under this subsection after at least forty-five days have passed since the consumer last made a request under this subsection.
(b) The accessible deletion mechanism established pursuant to subsection (a) shall meet the following requirements:
(1) The accessible deletion mechanism shall allow a consumer to request the deletion of all personal information related to that consumer through a single deletion request;
(2) The accessible deletion mechanism shall permit a consumer to securely submit information in one or more privacy‑protecting ways determined by the office to aid in the deletion request;
(3) The accessible deletion mechanism shall allow data brokers registered with the office to determine whether an individual has submitted a verifiable consumer request to delete the personal information related to that consumer as described in paragraph (1) and shall not allow the disclosure of any additional personal information when the data broker accesses the accessible deletion mechanism, unless otherwise specified in this chapter;
(4) The accessible deletion mechanism shall allow a consumer to make a request described in paragraph (1) using an internet service operated by the office;
(5) The accessible deletion mechanism shall not charge a consumer to make a request as described in paragraph (1);
(6) The accessible deletion mechanism shall allow a consumer to make a request as described in paragraph (1) in any language spoken by any consumer for whom personal information has been collected by data brokers;
(7) The accessible deletion mechanism shall be readily accessible and usable by consumers with disabilities;
(8) The accessible deletion mechanism shall support the ability of a consumer's authorized agents to aid in the deletion request;
(9) The accessible deletion mechanism shall allow the consumer, or the consumer's authorized agent, to verify the status of the consumer's deletion request; and
(10) The accessible deletion mechanism shall provide a description of all of the following:
(A) The deletion permitted by this section, including but not limited to the actions required by subsections (c), (d), and (e);
(B) The process for submitting a deletion request pursuant to this section; and
(C) Examples of the types of information that may be deleted.
(c) A data broker shall access the accessible deletion mechanism established pursuant to subsection (a) at least once every forty-five days and shall conduct the following:
(1) Within forty-five days after receiving a request made pursuant to this section, process all deletion requests made pursuant to this section and delete all personal information related to the consumers making the requests consistent with the requirements of this section;
(2) In cases where a data broker denies a consumer request to delete under this chapter because the request cannot be verified, process the request and refrain from selling or sharing the consumer's personal information or using or disclosing the consumer's sensitive personal information; provided that the data broker shall request, after at least twelve months after processing the consumer request, the consumer to authorize the sale or sharing of the consumer's personal information or the use and disclosure of the consumer's sensitive personal information;
(3) Direct all service providers or contractors associated with the data broker to delete all personal information in their possession related to the consumers making the requests described in paragraph (1); and
(4) Direct all service providers or contractors associated with the data broker to process a request described by paragraph (2) as an opt-out of the sale or sharing of the consumer's personal information.
(d) A data broker shall delete all personal information of a consumer at least once every forty-five days pursuant to this section after the consumer has submitted a deletion request and a data broker has deleted the consumer's data pursuant to this section unless the consumer requests otherwise or the deletion is not required pursuant to subsection (f).
(e) A data broker shall not sell or share new personal information of the consumer after a consumer has submitted a deletion request and a data broker has deleted the consumer's data pursuant to this section unless the consumer requests otherwise or selling or sharing the personal information is permitted under subsection (d).
(f) Notwithstanding subsection (c), a data broker shall not be required to delete a consumer's personal information if either of the following apply:
(1) It is reasonably necessary for the data broker to maintain the personal information to:
(A) Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by the consumer, or reasonably anticipated by the consumer within the context of a business' ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer;
(B) Help to ensure security and integrity to the extent the use of the consumer's personal information is reasonably necessary and proportionate for those purposes;
(C) Debug to identify and repair errors that impair existing intended functionality;
(D) Exercise free speech, ensure the right of another consumer to exercise that consumer's right of free speech, or exercise another right provided for by law;
(E) Engage in public or peer-reviewed scientific, historical, or statistical research that conforms or adheres to all other applicable ethics and privacy laws, when the business' deletion of the information is likely to render impossible or seriously impair the ability to complete such research, if the consumer has provided informed consent;
(F) Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business and compatible with the context in which the consumer provided the information; or
(G) Comply with a legal obligation; or
(2) The deletion is not required to:
(A) Comply with federal, state, or county laws or comply with a court order or subpoena to provide information;
(B) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or county authorities;
(C) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or county law;
(D) Cooperate with a government agency request for emergency access to a consumer's personal information if a natural person is at risk or danger of death or serious physical injury; provided that:
(i) The request is approved by the head of the entity for emergency access to a consumer's personal information;
(ii) The request is based on the agency's good faith determination that it has a lawful basis to access the information on a nonemergency basis; and
(iii) The agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted;
(E) Exercise or defend legal claims;
(F) Collect, use, retain, sell, share, or disclose consumers' personal information that is deidentified or aggregate consumer information;
(G) Collect, sell, or share a consumer's personal information if every aspect of that commercial conduct takes place wholly outside of the State; or
(H) Comply with any federal or state law protecting medical or health information.
(g) Personal information described in subsection (f) shall only be used for the purposes described in subsection (f) and shall not be used or disclosed for any other purpose, including but not limited to marketing purposes.
(h) Beginning January 1, 2025, and every three years thereafter, a data broker shall undergo an audit by an independent third party to determine compliance with this section. The data broker shall submit a report resulting from the audit and any related materials to the office within five business days of a written request from the office. A data broker shall maintain the report and materials for at least six years following completion of the audit.
(i) A data broker required to register under this chapter that fails to comply with the requirements of this section shall be liable for administrative fines and costs in an administrative action brought by the office as follows:
(1) An administrative fine as determined by the office for each deletion request for each day the data broker fails to delete information pursuant to this section; and
(2) Reasonable expenses incurred by the office in the investigation and administration of the action.
(j) Any penalties, fines, fees, and expenses received pursuant to subsection (i) shall be deposited in the data brokers' registry special fund.
§ -23 Data brokers' registry special fund. (a) There is established in the state treasury the data brokers' registry special fund, into which shall be deposited:
(1) Registration fees collected pursuant to section ‑21(a)(2);
(2) Any penalties, fines, fees, and expenses received pursuant to sections -21(d) and -22(j);
(3) Appropriations made by the legislature for deposit into the special fund;
(4) Any grant or donation made to the special fund; and
(5) Any interest earned on the balance of the special fund.
(b) Moneys in the special fund shall be expended for:
(1) The costs of establishing and maintaining the informational website described in section -21(b);
(2) The costs incurred by the state courts and the office in connection with enforcing this chapter; and
(3) The costs of establishing, maintaining, and providing access to the accessible deletion mechanism described in section -22(a).
§ -24 Rules. The office shall adopt rules pursuant to chapter 91 necessary to effectuate this chapter.
§ -25 Limitation of administrative action. No administrative action brought pursuant to this chapter alleging a violation of any of the provisions of this chapter shall commence more than five years after the date on which the violation occurred."
SECTION 2. This Act shall take effect upon its approval.
|
INTRODUCED BY: |
_____________________________ |
|
|
|
Report Title:
Office of Consumer Protection; Consumers; Privacy; Data Brokers; Personal Information
Description:
Establishes provisions allowing for consumers to request data brokers that maintain their personal information to delete any personal information related to the consumer.
The summary description
of legislation appearing on this page is for informational purposes only and is
not legislation or evidence of legislative intent.
