HOUSE OF REPRESENTATIVES	H.B. NO.	2051
THIRTY-FIRST LEGISLATURE, 2022
STATE OF HAWAII

A BILL FOR AN ACT

 

 

Relating to Consumer Privacy.

 

 

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

 

     SECTION 1.  The Hawaii Revised Statutes is amended by adding a new chapter to be appropriately designated and to read as follows:

"Chapter

HAWAII CONSUMER PRIVACY ACT

PART I.  GENERAL PROVISIONS

     §   -1  Short title.  This chapter shall be known as and may be cited as the Hawaii Consumer Privacy Act.

     §   -2  Definitions.  For purposes of this chapter:

     "Advertising and marketing" means a communication by a business or a person acting on the business's behalf in any medium intended to induce a consumer to obtain goods, services, or employment.

     "Aggregate consumer information" means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device.  "Aggregate consumer information" does not include individual consumer records that have been deidentified.

     "Biometric information" means an individual's physiological, biological, or behavioral characteristics, including information pertaining to an individual's deoxyribonucleic acid, that is used or is intended to be used alone or in combination with each other or with other identifying data, to establish individual identity.  "Biometric information" includes imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.

     "Business" means:

     (1)  A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers' personal information, or on the behalf of which this information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information, that does business in the State, and that satisfies one or more of the following thresholds:

          (A)  Had annual gross revenues in excess of $25,000,000 in the preceding calendar year, which amount shall be adjusted for changes in the Consumer Price Index pursuant to section    ‑63(a)(5);

          (B)  Alone or in combination, annually buys, sells, or shares the personal information of one hundred thousand or more consumers or households; or

          (C)  Derives fifty per cent or more of its annual revenues from selling or sharing consumers' personal information;

     (2)  Any entity that controls or is controlled by a business that shares common branding with the business and with whom the business shares consumers' personal information.

               For purposes of this paragraph:

               "Control" or "controlled" means ownership of, or the power to vote, more than fifty per cent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company;

     (3)  A joint venture or partnership composed of businesses in which each business has at least a forty per cent interest.  For purposes of this chapter, the joint venture or partnership and each business that composes the joint venture or partnership shall separately be considered a single business, except that personal information in the possession of each business and disclosed to the joint venture or partnership shall not be shared with the other business; or

     (4)  A person that does business in the State, is not covered by paragraph (1), (2), or (3), and voluntarily certifies to the department that it is in compliance with, and agrees to be bound by, this chapter.

     "Business purpose" means the use of personal information for the business's operational purposes, or other notified purposes, or for the service provider or contractor's operational purposes, as defined by rules adopted pursuant to section    -63(a)(11); provided that the use of personal information shall be reasonably necessary and proportionate to achieve the purpose for which the personal information was collected or processed or for another purpose that is compatible with the context in which the personal information was collected.  "Business purposes" includes:

     (1)  Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards;

     (2)  Helping ensure security and integrity to the extent the use of a consumer's personal information is reasonably necessary and proportionate for these purposes;

     (3)  Debugging to identify and repair errors that impair existing intended functionality;

     (4)  Short-term, transient use, including but not limited to nonpersonalized advertising shown as part of a consumer's current interaction with the business; provided that the consumer's personal information shall not be disclosed to another third party and shall not be used to build a profile about the consumer or otherwise alter the consumer's experience outside the current interaction with the business;

     (5)  Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business;

     (6)  Providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer; provided that for the purpose of advertising and marketing, a service provider or contractor shall not combine the personal information of opted-out consumers that the service provider or contractor receives from, or on behalf of, the business with personal information that the service provider or contractor receives from, or on behalf of, another person or persons or collects from its own interaction with consumers;

     (7)  Undertaking internal research for technological development and demonstration; and

     (8)  Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.

     "Categories of personal information" means the enumerated categories set forth in the definitions of "personal information" and "sensitive personal information" and those included by rules adopted pursuant to section    -63(a)(1).

     "Collects", "collected", or "collection" means buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means.  "Collects", "collected", or "collection" includes receiving information from the consumer, either actively or passively, or by observing the consumer's behavior.

     "Commercial purpose" means advancing a person's commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction.

     "Common branding" means a shared name, servicemark, or trademark that the average consumer would understand that two or more entities are commonly owned.

     "Consent" means any freely given, specific, informed, and unambiguous indication of a consumer's wishes by which the consumer, or the consumer's legal guardian, a person who has power of attorney, or a person acting as a conservator for the consumer, including by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to the consumer for a narrowly defined particular purpose.  "Consent" does not include:

     (1)  Acceptance of a general or broad terms of use, or similar document, that contains descriptions of personal information processing along with other, unrelated information;

     (2)  Hovering over, muting, pausing, or closing a given piece of content; or

     (3)  Agreement obtained through use of dark patterns.

     "Consumer" means a natural person who is a resident, as defined in section 235-1, however identified, including by any unique identifier.

     "Contractor" means a person to whom a business makes available a consumer's personal information for a business purpose, pursuant to a written contract with the business.

     "Cross-context behavioral advertising" means the targeting of advertising to a consumer based on the consumer's personal information obtained from the consumer's activity across businesses, distinctly-branded websites, applications, or services, other than a business, distinctly-branded website, application, or service with which the consumer intentionally interacts.

     "Dark pattern" means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decisionmaking, or choice, as further defined by rules.

     "Deidentified" means information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer; provided that the business that possesses the information:

     (1)  Takes reasonable measures to ensure that the information cannot be associated with a consumer or household;

     (2)  Publicly commits to maintain and use the information in deidentified form and not attempt to reidentify the information, except that the business may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements of this definition; and

     (3)  Contractually obligates any recipients of the information to comply with all provisions of this definition.

     "Department" means the department of commerce and consumer affairs.

     "Designated methods for submitting requests" means a mailing address, electric mail address, internet web page, internet web portal, toll-free telephone number, or other applicable contact information, whereby consumers may submit a request or direction under this chapter, and any new, consumer-friendly means of contacting a business.

     "Device" means any physical object that is capable of connecting to the Internet, directly or indirectly, or to another device.

     "Director" means the director of commerce and consumer affairs.

     "Homepage" means the introductory page of an internet website and any internet web page where personal information is collected.  In the case of an online service, such as a mobile application, "homepage" means the application's platform page or download page; a link within the application, such as from the application configuration; about, information, or settings page; and any other location that allows consumers to review the notices required by this chapter, including but not limited to before downloading the application.

     "Household" means a group, however identified, of consumers who cohabitate with one another at the same residential address and share use of common devices or services.

     "Infer" or "inference" means the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data.

     "Intentionally interacts" means when a consumer intends to interact with a person, or disclose personal information to a person, via one or more deliberate interactions, including visiting the person's website or purchasing a good or service from the person.  "Intentionally interacts" does not include hovering over, muting, pausing, or closing a given piece of content.

     "Nonpersonalized advertising" means advertising and marketing that is based solely on a consumer's personal information derived from the consumer's current interaction with the business with the exception of the consumer's precise geolocation.

     "Personal information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.  "Personal information" includes but is not limited to:

     (1)  Identifiers such as a real name, alias, mailing address, unique personal identifier, online identifier, Internet Protocol address, electronic mail address, account name, social security number, driver's license number or state identification card number, passport number, or other similar identifiers;

     (2)  Signature, physical characteristics or description, telephone number, insurance policy number, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information;

     (3)  Characteristics of protected classifications under state or federal law;

     (4)  Commercial information, including records of personal property; products or services purchased, obtained, or considered; or other purchasing or consuming histories or tendencies;

     (5)  Biometric information;

     (6)  Internet or other electronic network activity information, including but not limited to browsing history, search history, and information regarding a consumer's interaction with an internet website application, or advertisement;

     (7)  Geolocation data;

     (8)  Audio, electronic, visual, thermal, olfactory, or similar information;

     (9)  Professional or employment-related information;

    (10)  Education information that is not publicly available personally identifiable information as defined in title 34 Code of Federal Regulations section 99.3, pursuant to the Family Educational Rights and Privacy Act (20 U.S.C. 1232g);

    (11)  Inferences drawn from any personal information to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes; and

    (12)  Sensitive personal information.

"Personal information" does not include publicly available information or lawfully obtained, truthful information that is a matter of public concern; consumer information that is deidentified; or aggregate consumer information.

     "Precise geolocation" means any data that is derived from a device and that is used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet, except as prescribed by rules.

     "Probabilistic identifier" means the identification of a consumer or a consumer's device to a degree of certainty of more probable than not based on any categories of personal information included in, or similar to, the categories enumerated in the definition of personal information.

     "Processing" means any operation or set of operations that are performed on personal information or on sets of personal information, whether or not by automated means.

     "Profiling" means any form of automated processing of personal information, as further defined by rules pursuant to section    -63(a)(16), to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

     "Pseudonymize" means the processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information; provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer.

     "Publicly available" means:

     (1)  Information that is lawfully made available from federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media, or by the consumer; or

     (2)  Information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.

"Publicly available" does not mean biometric information collected by a business about a consumer without the consumer's knowledge.

     "Research" means scientific analysis, systematic study, and observation, including basic research or applied research, that is designed to develop or contribute to public or scientific knowledge and that adheres or otherwise conforms to all other applicable ethics and privacy laws, including but not limited to studies conducted in the public interest in the area of public health.

     "Security and integrity" means the ability of:

     (1)  Networks or information systems to detect security incidents that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal information;

     (2)  Businesses to detect security incidents; resist malicious, deceptive, fraudulent, or illegal actions; and help prosecute those responsible for those actions; and

     (3)  Businesses to ensure the physical safety of natural persons.

     "Sell", "selling", "sale", or "sold", means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by a business to a third party for monetary or other valuable consideration.  For purposes of this chapter, a business does not sell personal information when:

     (1)  A consumer uses or directs the business to intentionally disclose personal information or intentionally interact with one or more third parties;

     (2)  The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer's personal information or limited the use of the consumer's sensitive personal information for the purposes of alerting persons that the consumer has opted out of the sale of the consumer's personal information or limited the use of the consumer's sensitive personal information; or

     (3)  The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business; provided that information is used or shared consistently with this chapter.

     "Sensitive personal information" means:

     (1)  Personal information that reveals:

          (A)  A consumer's social security, driver's license, state identification card, or passport number;

          (B)  A consumer's account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;

          (C)  A consumer's precise geolocation;

          (D)  A consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership;

          (E)  The contents of a consumer's mail, electronic mail, and text messages unless the business is the intended recipient of the communication; or

          (F)  A consumer's genetic data;

     (2)  The processing of biometric information for the purpose of uniquely identifying a consumer;

     (3)  Personal information collected and analyzed concerning a consumer's health; and

     (4)  Personal information collected and analyzed concerning a consumer's sex life or sexual orientation.

"Sensitive personal information" does not include publicly available information.

     "Service" or "services" means work, labor, and other related activities, including services furnished in connection with the sale or repair of goods.

     "Service provider" means a person that processes personal information on behalf of a business and that receives from or on behalf of the business consumer's personal information for a business purpose pursuant to a written contract.

     "Share", "shared", or "sharing" means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by a business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.  For purposes of this chapter, a business does not share personal information when:

     (1)  A consumer uses or directs the business to intentionally disclose personal information or intentionally interact with one or more third parties;

     (2)  The business uses or shares an identifier for a consumer who has opted out of the sharing of the consumer's personal information or limited the use of the consumer's sensitive personal information for the purposes of alerting persons that the consumer has opted out of the sharing of the consumer's personal information or limited the use of the consumer's sensitive personal information; or

     (3)  The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business; provided that information is used or shared consistently with this chapter.

     "Third party" means a person who is not any of the following:

     (1)  The business with whom a consumer intentionally interacts and that collects personal information from the consumer as part of the consumer's current interaction with the business under this chapter;

     (2)  A service provider to the business; or

     (3)  A contractor.

     "Unique identifier" or "unique personal identifier" means a persistent identifier that can be used to recognize a consumer, family, or device that is linked to a consumer or family, over time and across different services, including but not limited to a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers; or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device that is linked to a consumer or family.  For purposes of this definition, "family" means a custodial parent or guardian and any children under eighteen years of age over which the parent or guardian has custody.

     "Verifiable consumer request" means a request that is made by a consumer, by a consumer on behalf of the consumer's minor child, by a natural person or a person registered with the department, authorized by the consumer to act on the consumer's behalf, or by a person who has power of attorney or is acting as a conservator for the consumer, and that the business can verify, using commercially reasonable methods, pursuant to rules adopted pursuant to section    -63(a)(7) to be the consumer about whom the business has collected personal information.  A business is not obligated to provide information to the consumer pursuant to sections    -21 and    -44, to delete personal information pursuant to section    -41, or to correct inaccurate personal information pursuant to section    -42, if the business cannot verify, pursuant to this definition and rules adopted pursuant to section    -63(a)(7), that the consumer making the request is the consumer about whom the business has collected personal information or is a person authorized by the consumer to act on such consumer's behalf.

     §   -3  Exemptions.  (a)  The obligations imposed on businesses by this chapter shall not restrict a business's ability to:

     (1)  Comply with federal, state, or local laws or comply with a court order or subpoena to provide personal information;

     (2)  Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or county authorities.  Law enforcement agencies, including any county police department, the department of public safety, or any state or county public body that employs law enforcement officers may direct a business pursuant to a law enforcement agency‑approved investigation with an active case number not to delete a consumer's personal information, and upon receipt of that direction, a business shall not delete that personal information for ninety days in order to allow the law enforcement agency to obtain a court-issued subpoena, order, or warrant to obtain a consumer's personal information.  For good cause and only to the extent necessary for investigatory purposes, a law enforcement agency may direct a business not to delete the consumer's personal information for additional ninety-day periods.  A business that has received direction from a law enforcement agency not to delete the personal information of a consumer who has requested deletion of the consumer's personal information shall not use the consumer's personal information for any purpose other than retaining the personal information to produce to law enforcement agencies in response to a court-issued subpoena, order, or warrant unless the consumer's deletion request is subject to an exemption from deletion under this chapter;

     (3)  Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or county law;

     (4)  Cooperate with a government agency request for emergency access to a consumer's personal information if a natural person is at risk or danger of death or serious physical injury; provided that:

          (A)  The request is approved by a high-ranking agency officer for emergency access to a consumer's personal information;

          (B)  The request is based on the agency's good faith determination that it has a lawful basis to access the personal information on a nonemergency basis; and

          (C)  The agency agrees to petition a court for an appropriate order within three days and destroy the information if that order is not granted;

     (5)  Exercise or defend legal claims;

     (6)  Collect, use, retain, sell, share, or disclose consumers' personal information that is deidentified or aggregate consumer information; and

     (7)  Collect, sell, or share a consumer's personal information if every aspect of that commercial conduct takes place wholly outside of the State.  For purposes of this paragraph, commercial conduct takes place wholly outside of the State if the business collected that information while the consumer was outside of the State, no part of the sale of the consumer's personal information occurred in the State, and no personal information collected while the consumer was in the State is sold.  This paragraph shall not prohibit a business from storing, including on a device, personal information about a consumer when the consumer is in the State and then collecting that personal information when the consumer and stored personal information is outside of the State.

     (b)  The obligations imposed on businesses by sections    ‑25,    -27,    ‑43,    -44, and    -45 shall not apply where compliance by the business with this chapter would violate an evidentiary privilege under Hawaii law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under Hawaii law as part of a privileged communication.

     (c)  This chapter shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency by a furnisher of information who provides information for use in a consumer report and by a user of a consumer report, as those terms are defined and described in the federal Fair Credit Reporting Act, title 15 United States Code sections 1681 to 1681x, as amended.

     This subsection shall apply only to the extent that the activity involving the collection, maintenance, disclosure, sale, communication or use of the personal information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act and the personal information is not collected, maintained, used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.

     (d)  This chapter shall not apply to personal information collected, processed, sold, or disclosed subject to the federal Gramm-Leach-Bliley Act, title 15 United States Code sections 6801 to 6809, as amended, and its implementing regulations, or the federal Farm Credit Act of 1971, title 12 United States Code section 2001, et seq., as amended, and its implementing regulations.

     (e)  This chapter shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Driver's Privacy Protection Act of 1994, title 18 United States Code section 2721, et seq., as amended.

     (f)  Sections    -41 and    -45 shall not apply to a commercial credit reporting agency's collection, processing, sale, or disclosure of business controller information to the extent the commercial credit reporting agency uses the business controller information solely to identify the relationship of a consumer to a business that the consumer owns or contact the consumer only in the consumer's role as the owner, director, officer, or management employee of the business.

     For purposes of this subsection:

     "Business controller information" means the name of the owner, director, officer, or management employee of a business and the contact information, including a business title, for the owner, director, officer, or management employee.

     "Commercial credit reporting agency" means any person who, for monetary fees, dues, or on a cooperative nonprofit basis, provides commercial credit reports to third parties.

     "Director" means a natural person designated in the articles of incorporation of a business as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.

     "Management employee" means a natural person whose name and contact information is reported to or collected by a commercial credit reporting agency as the primary manager of a business and used solely within the context of the natural person's role as the primary manager of the business.

     "Officer" means a natural person elected or appointed by the board of directors of a business to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.

     "Owner" means a natural person that meets one of the following:

     (1)  Has ownership of, or the power to vote, more than fifty per cent of the outstanding shares of any class of voting security of a business;

     (2)  Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or

     (3)  Has the power to exercise a controlling influence over the management of a company.

     (g)  The obligations imposed on businesses in sections    ‑41,    -42,    -43, and    -44 shall not apply to household data.

     (h)  This chapter shall not be construed to require a business to comply with a verifiable consumer request to delete a consumer's personal information under section    -41 to the extent the verifiable consumer request applies to a student's grades, educational scores, or educational test results that the business holds on behalf of the department of education or a public charter school at which the student is currently enrolled.

     This chapter does not require, in response to a request pursuant to section    -43, that a business disclose on educational standardized assessment or educational assessment or a consumer's specific responses to the educational standardized assessment or educational assessment if consumer access, possession, or control would jeopardize the validity and reliability of that educational standardized assessment or educational assessment by providing an advantage to the consumer who submitted a verifiable consumer request or to another natural person.

     If a business does not comply with a request submitted pursuant to section    -41 or    -43, it shall notify the consumer that it is acting pursuant to this subsection.

     For purposes of this subsection, "educational standardized assessment or educational assessment" means a standardized or nonstandardized quiz, test, or other assessment used to evaluate students in or for entry to kindergarten and grades one to twelve, inclusive, schools, postsecondary institutions, vocational programs, and postgraduate programs that are accredited by an accrediting agency or organization recognized by the State or the United States Department of Education, as well as certification and licensure examinations used to determine competency and eligibility to receive certification or licensure from a government agency or government certification body.

     (i)  Section    -41 and    -45 shall not apply to a business's use, disclosure, or sale of particular pieces of a consumer's personal information if the consumer has consented to the business's use, disclosure, or sale of that information to produce a physical item, including a school yearbook containing the consumer's photograph, if:

     (1)  The business has incurred significant expense in reliance on the consumer's consent;

     (2)  Compliance with the consumer's request to opt out of the sale of the consumer's personal information or to delete the consumer's personal information would not be commercially reasonable; or

     (3)  The business complies with the consumer's request as soon as it is commercially reasonable to do so.

     §   -4  Further exemptions; federal law.  (a)  This chapter shall not apply to any of the following:

     (1)  Protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, title 45 Code of Federal Regulations parts 160 and 164, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111‑5);

     (2)  A covered entity or business associate of a covered entity governed by the privacy, security, and data breach notification rules issued by the United States Department of Health and Human Services, title 45 Code of Federal Regulations parts 160 and 164, established pursuant to the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act, to the extent that the covered entity or business associate maintains, uses, and discloses patient information in the same manner as protected health information as described in paragraph (1);

     (3)  Information that meets the following conditions:

          (A)  It is deidentified in accordance with the requirements for deidentification set forth in title 45 Code of Federal Regulations section 164.514; and

          (B)  It is derived from patient information that was originally collected, created, transmitted, or maintained by an entity regulated by the Health Insurance Portability and Accountability Act or the Federal Policy for the Protection of Human Subjects, also known as the Common Rule;

          provided that information that meets these conditions and is subsequently reidentified shall no longer be eligible for the exemption under this paragraph and shall be subject to applicable federal and state data privacy and security laws, including but not limited to the Health Insurance Portability and Accountability Act and this chapter;

     (4)  Information that is collected, used, or disclosed in research, as defined in title 45 Code of Federal Regulations section 164.501, including but not limited to a clinical trial, and that is conducted in accordance with applicable ethics, confidentiality, privacy, and security rules of title 45 Code of Federal Regulations part 164; the Federal Policy for the Protection of Human Subjects, also known as the Common Rule; good clinical practice guidelines issued by the International Council for Harmonisation; or human subject protection requirements of the United States Food and Drug Administration.

     (b)  For purposes of this section:

     "Business associate" has the same meaning as defined in title 45 Code of Federal Regulations section 160.103.

     "Covered entity" has the same meaning as defined in title 45 Code of Federal Regulations section 160.103.

     "Identifiable private information" has the same meaning as defined in title 45 Code of Federal Regulations section 46.102.

     "Individually identifiable health information" has the same meaning as defined in title 45 Code of Federal Regulations section 106.103.

     "Patient information" means identifiable private information, protected health information, individually identifiable health information, or medical information.

     "Protected health information" has the same meaning as defined in title 45 Code of Federal Regulations section 160.103.

     §   -5  Reidentification.  (a)  A business or other person shall not reidentify or attempt to reidentify information that has met the requirements of section    -4(a)(3), except for one or more of the following purposes:

     (1)  Treatment, payment, or health care operations conducted by a covered entity or business associate acting on behalf of, and at the written direction of, the covered entity.  For purposes of this paragraph, "treatment", "payment", "health care operations", "covered entity", and "business associate" have the same meaning as defined in title 45 Code of Federal Regulations section 164.501;

     (2)  Public health activities and purposes as described in title 45 Code of Federal Regulations section 164.512;

     (3)  Research, as defined in title 45 Code of Federal Regulations section 164.501, that is conducted in accordance with title 45 Code of Federal Regulations part 46, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule;

     (4)  Pursuant to a contract where the lawful holder of the deidentified information that meets the requirements of section    -4(a)(3) expressly engages a person or entity to attempt to reidentify the deidentified information in order to conduct testing, analysis, or validation of deidentification, or related statistical techniques, if the contract bans any other use or disclosure of the reidentified information and requires the return or destruction of the information that was reidentified upon completion of the contract; or

     (5)  If otherwise required by law.

     (b)  In accordance with section    -4(a)(3), information reidentified pursuant this section shall be subject to applicable federal and state data privacy and security laws, including but not limited to the Health Insurance Portability and Accountability Act and this chapter.

     (c)  Any contract for the sale or license of deidentified information that meets the requirements of section    ‑4(a)(3), where one of the parties is a person residing or doing business in the State, shall include the following, or substantially similar, provisions:

     (1)  A statement that the deidentified information being sold or licensed includes deidentified patient information;

     (2)  A statement that reidentification and attempted reidentification of the deidentified information by the purchaser or licensee of the information is prohibited pursuant to this section; and

     (3)  A requirement that, unless otherwise required by law, the purchaser or licensee of the deidentified information may not further disclose the deidentified information to any third party unless the third party is contractually bound by the same or stricter restrictions and conditions.

     (d)  For purposes of this section, "reidentify" means the process of reversal of deidentification techniques, including but not limited to the addition of specific pieces of information or data elements that can, individually or in combination, be used to uniquely identify an individual or usage of any statistical method, contrivance, computer software, or other means that have the effect of associating deidentified information with a specific identifiable individual.

     §   -6  Effect on rights and freedoms.  The rights afforded to consumers and the obligations imposed on businesses in this chapter shall not adversely affect the rights and freedoms of other natural persons.  A verifiable consumer request to delete a consumer's personal information pursuant to section    -41, to correct inaccurate personal information pursuant to section    ‑42, or for specific pieces of personal information pursuant to section    ‑43, shall not extend to personal information about the consumer that belongs to, or the business maintains on behalf of, another natural person.  A business may rely on representations made in a verifiable consumer request as to rights with respect to personal information and shall be under no legal requirement to seek out other persons that may have or claim to have rights to personal information, and a business shall be under no legal obligation under this chapter or any other provision of law to take any action under this chapter in the event of a dispute between or among persons claiming rights to personal information in the business's possession.

     §   -7  Conflicting provisions.  This chapter is intended to further the constitutional right of privacy and to supplement existing laws relating to consumers' personal information.  The provisions of this chapter apply to the collection and sale of all personal information collected by a business from consumers and are not limited to information collected electronically or over the Internet.  Wherever possible, law relating to consumers' personal information should be construed to harmonize with the provisions of this chapter, but in the event of a conflict between other laws and the provisions of this chapter, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.

     §   -8  Liberal construction.  This chapter shall be liberally construed to effectuate its purpose.

PART II.  BUSINESS OBLIGATIONS

     §   -21  Businesses; duties.  (a) A business that controls the collection of a consumer's personal information shall, at or before the point of collection, inform consumers of the following:

     (1)  The categories of personal information to be collected, the purposes for which the categories of personal information are collected or used, and whether that information is sold or shared.  A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section;

     (2)  If the business collects sensitive personal information, the categories of sensitive personal information to be collected, the purposes for which the categories of sensitive personal information are collected or used, and whether that information is sold or shared.  A business shall not collect additional categories of sensitive personal information or use sensitive personal information collected for additional purposes that are incompatible with the disclosed purpose for which the sensitive personal information was collected without providing the consumer with notice consistent with this section; and

     (3)  The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine the period of retention; provided that a business shall not retain a consumer's personal information or sensitive personal information for each disclosed purpose for which the personal information or sensitive personal information was collected for longer than is reasonably necessary for that disclosed purpose.

     (b)  A business that, acting as a third party, controls the collection of personal information about a consumer may satisfy its obligation under subsection (a) by providing the required information prominently and conspicuously on the homepage of its internet website.  In addition, if a business acting as a third party controls the collection of personal information about a consumer on its premises, including in a vehicle, then the business shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information are used, and whether that personal information is sold, in a clear and conspicuous manner at the location.

     §   -22  Businesses; necessary and proportionate.  A business's collection, use, retention, and sharing of a consumer's personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.

     §   -23  Businesses; financial incentives allowable.  (a)  A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale or sharing of personal information, or the retention of personal information.  A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that difference is reasonably related to the value provided to the business by the consumer's personal information.

     (b)  A business that offers any financial incentives pursuant to this section shall notify consumers of the financial incentives pursuant to section    -25.

     (c)  A business may enter a consumer into a financial incentive program only if the consumer gives the business prior opt-in consent pursuant to section    -25 that clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time.  If a consumer refuses to provide opt-in consent, then the business shall wait for at least twelve months before next requesting that the consumer provide opt-in consent, or as prescribed by rules adopted pursuant to section    -63.

     (d)  A business shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.

     §   -24  Businesses; service provider; contractor; third parties; written contracts; required agreement provisions; liability.  (a)  A business that collects a consumer's personal information and sells that personal information to, or shares it with, a third party or discloses the personal information to a service provider or contractor for a business purpose shall enter into an agreement with the third party, service provider, or contractor that:

     (1)  Specifies that the personal information is sold or disclosed by the business only for limited and specified purposes;

     (2)  Obligates the third party, service provider, or contractor to comply with applicable obligations under this chapter and obligates those persons to provide the same level of privacy protection as is required by this chapter;

     (3)  Grants the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business's obligations under this chapter;

     (4)  Requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under this chapter; and

     (5)  Grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.

     (b)  A business that collects a consumer's personal information and that discloses it to a contractor for a business purpose shall enter into a contract with the contractor that:

     (1)  Prohibits the contractor from:

          (A)  Selling or sharing the personal information;

          (B)  Retaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than the business purposes specified in the contract, or as otherwise permitted by this chapter;

          (C)  Retaining, using, or disclosing the personal information outside of the direct business relationship between the contractor and the business; and

          (D)  Combining the personal information that the contractor receives pursuant to a written contract with the business with personal information that it receives from or on behalf of another person, or collects from its own interaction with the consumer; provided that the contractor may combine personal information to perform any business purpose as defined in rules adopted pursuant to section    -63(a)(10), except as provided for in paragraph (6) of the definition of business purpose;

     (2)  Includes a certification made by the contractor that the contractor understands and will comply with the restrictions in paragraph (1); and

     (3)  Permits, subject to agreement with the contractor, the business to monitor the contractor's compliance with the contract through various measures, including but not limited to ongoing manual reviews and automated scans and regular assessments, audits, or other technical and operational testing at least once every twelve months.

     (c)  A business that collects a consumer's personal information and that discloses it to a service provider for a business purpose shall enter into a contract with the service provider that prohibits the service provider from:

     (1)  Selling or sharing the personal information;

     (2)  Retaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract for the business, including retaining, using, or disclosing the personal information for a commercial purpose other than the business purposes specified in the contract with the business, or as otherwise permitted by this chapter;

     (3)  Retaining, using, or disclosing the personal information outside of the direct business relationship between the service provider and the business; and

     (4)  Combining the personal information that the service provider receives from, or on behalf of, the business with personal information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer; provided that the service provider may combine personal information to perform any business purpose as defined in rules adopted pursuant to section    -63(a)(10), except as provided for in paragraph (6) of the definition of "business purpose".  The contract may, subject to agreement with the service provider, permit the business to monitor the service provider's compliance with the contract through various measures, including but not limited to ongoing manual reviews and automated scans and regular assessments, audits, or other technical and operational testing at least once every twelve months.

     (d)  A business that discloses personal information to a service provider or contractor in compliance with this chapter shall not be liable under this chapter if the service provider or contractor receiving the personal information uses it in violation of the restrictions set forth in this chapter; provided that at the time of disclosing the personal information, the business did not have actual knowledge, or reason to believe, that the service provider or contractor intended to commit such a violation.  A service provider or contractor shall not be liable under this chapter for the obligations of a business for which it provides services as set forth in this chapter; provided that the service provider or contractor shall be liable for its own violations of this chapter.

     (e)  A business that discloses personal information of a consumer, with the exception of consumers who have exercised their right to opt out of the sale or sharing of their personal information, consumers who have limited the use or disclosure of their sensitive personal information, and minor consumers who have not opted in to the collection or sale of their personal information, to a third party pursuant to a written contract that requires the third party to provide the same level of protection of the consumer's rights under this chapter as provided by the business shall not be liable under this chapter if the third party receiving the personal information uses it in violation of the restrictions set forth in this chapter; provided that at the time of disclosing the personal information, the business did not have actual knowledge, or reason to believe, that the third party intended to commit such a violation.

     (f)  If a contractor engages any other person to assist the contractor in processing personal information for a business purpose on behalf of the business, or if any other person engaged by the contractor engages another person to assist in processing personal information for that business purpose, the contractor shall notify the business of that engagement, which shall be pursuant to a written contract binding the other person to observe all the requirements set forth in subsection (b).

     (g)  If a service provider engages any other person to assist the service provider in processing personal information for a business purpose on behalf of the business, or if any other person engaged by the service provider engages another person to assist in processing personal information for that business purpose, the service provider shall notify the business of that engagement, which shall be pursuant to a written contract binding the other person to observe all the requirements set forth subsection (c).

     (h)  If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, the third party shall provide prior notice of the new or changed practice to the consumer.  The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with this chapter.  This subsection shall not be construed to authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate section 480-2.

     (i)  This chapter shall not be construed to require a business, service provider, or contractor to:

     (1)  Reidentify or otherwise link information that, in the ordinary course of business, is not maintained in a manner that would be considered personal information;

     (2)  Retain any personal information about a consumer if, in the ordinary course of business, that information about the consumer would not be retained; or

     (3)  Maintain information in identifiable, linkable, or associable form, or collect, obtain, retain, or access any data or technology, in order to be capable of linking or associating a verifiable consumer request with personal information.

     §   -25  Businesses; methods for submitting requests; disclosure.  (a)  In order to comply with sections    -21,    ‑41,    -42,    -43, ,    -44, and    -47, a business shall, in a form that is reasonably accessible to consumers:

     (1)  Make available to consumers two or more designated methods for submitting requests for deletion or correction pursuant to sections    -41 and    -42, respectively, or requests for information required to be disclosed pursuant to sections    -43 and    -44, including, at a minimum, a toll-free telephone number.  A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address for submitting requests for requests for deletion or correction pursuant to sections    -41 and    -42, respectively, or for information required to be disclosed pursuant to sections    -43 and    -44;

     (2)  If the business maintains an internet website, make the internet website available to consumers to submit requests for deletion or correction pursuant to sections    -41 and    -42, respectively, or requests for information required to be disclosed pursuant to sections    -43 and    -44;

     (3)  Disclose and deliver the required information to a consumer free of charge, correct inaccurate personal information, or delete a consumer's personal information, based on the consumer's request, within forty-five days of receiving a verifiable consumer request from the consumer.  The business shall promptly take steps to determine whether the request is a verifiable consumer request, but this shall not extend the business's duty to disclose and deliver the information, correct inaccurate personal information, or delete personal information within forty-five days of receipt of the consumer's request.  The time period to provide the required information, correct inaccurate personal information, or delete personal information may be extended once by an additional forty-five days when reasonably necessary; provided that the consumer is provided notice of the extension within the first forty-five-day period.  The disclosure of the required information shall be made in writing and delivered through the consumer's account with the business, if the consumer maintains an account with the business, or by mail or electronically at the consumer's option if the consumer does not maintain an account with the business, in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance.  The business may require authentication of the consumer that is reasonable in light of the nature of the personal information requested, but shall not require the consumer to create an account with the business in order to make a verifiable consumer request; provided that if the consumer has an account with the business, the business may require the consumer to use that account to submit a verifiable consumer request;

     (4)  Disclose required information for the twelve-month period preceding the business's receipt of the verifiable consumer request; provided that upon the adoption of a rule pursuant to section    -63(a)(9), a consumer may request that the business disclose the required information beyond the twelve-month period, and the business shall be required to provide that information unless doing so proves impossible or would involve a disproportionate effort.  Nothing in this paragraph shall require a business to keep personal information for any length of time;

     (5)  If a business receives a verifiable consumer request pursuant to section    -43 or    -44, disclose any personal information it has collected about a consumer, directly or indirectly, including through or by a service provider or contractor, to the consumer.  A service provider or contractor shall not be required to comply with a verifiable consumer request received directly from a consumer or a consumer's authorized agent, pursuant to section    -43 or    -44, to the extent that the service provider or contractor has collected personal information about the consumer in its role as a service provider or contractor.  A service provider or contractor shall provide assistance to a business with which it has a contractual relationship with respect to the business's response to a verifiable consumer request, including but not limited to providing the business the consumer's personal information in the service provider's or contractor's possession, which the service provider or contractor obtained as a result of providing services to the business, and by correcting inaccurate information or by enabling the business to do the same.  A service provider or contractor that collects personal information pursuant to a written contract with a business shall be required to assist the business through appropriate technical and organizational measures in complying with the requirements of sections    -24(a),    -26, and    ‑28, taking into account the nature of the processing;

     (6)  For purposes of section    -43(b):

          (A)  To identify the consumer, associate the information provided by the consumer in the verifiable consumer request to any personal information previously collected by the business about the consumer;

          (B)  Identify by categories the personal information collected about the consumer for the applicable period of time by reference to the enumerated categories that most closely describe the personal information collected; the categories of sources from which the consumer's personal information was collected; the business purpose or commercial purpose for collecting, selling, or sharing the consumer's personal information; and the categories of third parties to whom the business discloses the consumer's personal information; and

          (C)  Provide the specific pieces of personal information obtained from the consumer in a format that is easily understandable to the average consumer, and to the extent technically feasible, in a structured, commonly used, machine-readable format that may also be transmitted to another entity at the consumer's request without hindrance.

                    For purposes of this subparagraph, "specific pieces of personal information" does not include data generated to help ensure security and integrity or as prescribed by rule;

     (7)  For purposes of section    -44(b):

          (A)  Identify the consumer and associate the information provided by the consumer in the verifiable consumer request to any personal information previously collected by the business about the consumer;

          (B)  Identify by categories the personal information of the consumer that the business sold or shared during the applicable period of time by reference to categories of personal information that most closely describes the personal information, and provide the categories of third parties to whom the consumer's personal information was sold or shared during the applicable period of time by reference to the categories of personal information that most closely describe the personal information sold or shared.  The business shall disclose the information in a list that is separate from a list generated for the purposes of subparagraph (C); and

          (C)  Identify by category or categories the personal information of the consumer that the business disclosed for a business purpose during the applicable period of time by reference to the categories of personal information that most closely describes the personal information, and provide the categories of persons to whom the consumer's personal information was disclosed for a business purpose during the applicable period of time by reference to the categories of personal information that most closely describes the personal information disclosed.  The business shall disclose the information in a list that is separate from a list generated for the purposes of subparagraph (B);

     (8)  Disclose the following information in its online privacy policy or policies if the business has an online privacy policy and in any Hawaii-specific description of consumers' privacy rights, or if the business does not maintain those policies, on its internet website, and update that information at least once every twelve months:

          (A)  A description of a consumer's rights pursuant to sections    -21,    -41,    -42,    -43,    -44, and    -47, and two or more designated methods for submitting requests, except as provided in subsection (a)(1);

          (B)  For purposes of section    -43(c):

               (i)  A list of the categories of personal information the business has collected about consumers in the preceding twelve months by reference to the categories of personal information that most closely describe the personal information collected;

              (ii)  The categories of sources from which consumers' personal information is collected;

             (iii)  The business purpose or commercial purpose for collecting, selling, or sharing consumers' personal information; and

              (iv)  The categories of third parties to whom the business discloses consumers' personal information;

          (C)  For purposes of sections    -44(c)(1) and    ‑44(c)(2), two separate lists:

               (i)  A list of the categories of personal information the business has sold or shared about consumers in the preceding twelve months by reference to the categories of personal information that most closely describe the personal information sold or shared, or if the business has not sold or shared consumers' personal information in the preceding twelve months, the business shall prominently disclose that fact in its privacy policy; and

              (ii)  A list of the categories of personal information the business has disclosed about consumers for a business purpose in the preceding twelve months by reference to the categories of personal information that most closely describes the personal information disclosed, or if the business has not disclosed consumers' personal information for a business purpose in the preceding twelve months, the business shall disclose that fact;

     (9)  Ensure that all individuals responsible for handling consumer inquiries about the business's privacy practices or the business's compliance with this chapter are informed of all requirements in sections    -21,    -41,    -42,    -43,    -44,    ‑47, and this section, and how to direct consumers to exercise their rights under those sections; and

    (10)  Use any personal information collected from the consumer in connection with the business's verification of the consumer's request solely for the purposes of verification and shall not further disclose the personal information, retain it longer than necessary for purposes of verification, or use it for unrelated purposes.

     (b)  A business shall not be obligated to provide the information required by sections    -43 and    -44 to the same consumer more than twice in a twelve-month period.

     (c)  Notwithstanding a business's obligations to respond to and honor consumer rights requests pursuant to this chapter:

     (1)  A time period for a business to respond to a consumer for any verifiable consumer request may be extended by up to a total of ninety days where necessary, taking into account the complexity and number of the requests.  The business shall inform the consumer of any such extension within forty-five days of receipt of the request, together with the reasons for the delay;

     (2)  If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted for response by this subsection, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business; and

     (3)  If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request.  The business shall bear the burden of demonstrating that any verifiable consumer request is manifestly unfounded or excessive.

     §   -26  Businesses; security procedures.  A business that collects a consumer's personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.

     §   -27  Businesses; methods of limiting sale, sharing, and use of personal information and use of sensitive personal information.  (a)  A business that sells or shares consumers' personal information or uses or discloses consumers' sensitive personal information for purposes other than those authorized by section    -46(a) shall, in a form that is reasonably accessible to consumers:

     (1)  Provide a clear and conspicuous link on the business's internet homepage, titled "Do Not Sell or Share My Personal Information", to an internet web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale or sharing of the consumer's personal information;

     (2)  Provide a clear and conspicuous link on the business's internet homepage, titled "Limit the Use of My Sensitive Personal Information", that enables a consumer, or a person authorized by the consumer, to limit the use or disclosure of the consumer's sensitive personal information to those uses authorized by section    -46(a);

     (3)  At the business's discretion, utilize a single, clearly labeled link on the business's internet homepage, in lieu of complying with paragraphs (1) and (2), if that link easily allows a consumer to opt out of the sale or sharing of the consumer's personal information and limit the use or disclosure of the consumer's sensitive personal information; and

     (4)  In the event that a business responds to opt-out requests received pursuant to paragraph (1), (2), or (3) by informing the consumer of a charge for the use of any product or service, present the terms of any financial incentive offered pursuant to section    -23 for the retention, use, sale, or sharing of the consumer's personal information.

     (b)  A business shall not be required to comply with subsection (a) if the business allows a consumer to opt out of the sale or sharing of the consumer's personal information and limit the use of the consumer's sensitive personal information through an opt-out preference signal sent with the consumer's consent by a platform, technology, or mechanism, based on technical specifications set forth in rules adopted pursuant to section    -63(a)(22), to the business indicating the consumer's intent to opt out of the business's sale or sharing of the consumer's personal information or limit the use or disclosure of the consumer's sensitive personal information, or both.

     (c)  A business that allows a consumer to opt out of the sale or sharing of the consumer's personal information and limit the use of the consumer's sensitive personal information pursuant to subsection (b) may provide a link to a web page that enables the consumer to consent to the business ignoring the opt-out preference signal with respect to that business's sale or sharing of the consumer's personal information or the use of the consumer's sensitive personal information for additional purposes; provided that:

     (1)  The consent web page also allows the consumer or a person authorized by the consumer to revoke the consent as easily as the consent is affirmatively provided;

     (2)  The link to the web page does not degrade the consumer's experience on the web page the consumer intends to visit and has a similar look, feel, and size relative to other links on the same web page; and

     (3)  The consent web page complies with technical specifications set forth in rules adopted pursuant to section    -63(a)(22).

     (d)  A business that complies with subsection (a) shall not be required to comply with subsection (b), but may elect whether to comply with either subsection (a) or subsection (b).

     (e)  A business that is subject to this section shall not require a consumer to create an account or provide additional information beyond what is necessary in order to direct the business not to sell or share the consumer's personal information or to limit use or disclosure of the consumer's sensitive personal information.

     (f)  A business that is subject to this section shall:

     (1)  Include a description of a consumer's rights pursuant to sections    -45 and    -46, along with separate links to the "Do Not Sell or Share My Personal Information" internet web page and the "Limit the Use of My Sensitive Personal Information" internet web page, if applicable; a single link to both choices; or a statement that the business responds to and abides by opt-out preference signals sent by a platform, technology, or mechanism in accordance with subsection (b), in:

          (A)  Its online privacy policy, if any; and

          (B)  Any Hawaii-specific description of consumers' privacy rights;

     (2)  Ensure that all individuals responsible for handling consumer inquiries about the business's privacy practices or the business's compliance with this chapter are informed of all requirements in sections    -45 and    -46 and this section and how to direct consumers to exercise their rights under those sections;

     (3)  For a consumer who exercises the consumer's right to opt-out of the sale or sharing of the consumer's personal information or limit the use or disclosure of the consumer's sensitive personal information, refrain from selling or sharing the consumer's personal information or using or disclosing the consumer's sensitive personal information and wait for at least twelve months before requesting that the consumer authorize the sale or sharing of the consumer's personal information or the use and disclosure of the consumer's sensitive personal information for additional purposes, or as authorized by rule;

     (4)  For a consumer under sixteen years of age who does not consent to the sale or sharing of the consumer's personal information, refrain from selling or sharing the personal information of that consumer and wait for at least twelve months before requesting the consumer's consent again, or as authorized by rule or until the consumer attains sixteen years of age; and

     (5)  Use any personal information collected from the consumer in connection with the submission of the consumer's opt-out request solely for the purposes of complying with the opt-out request.

     (g)  Nothing in this chapter shall be construed to require a business to comply with this chapter by including the required links and text on the homepage that the business makes available to the public generally, if the business maintains a separate and additional homepage that is dedicated to Hawaii consumers and includes the required links and text, and the business takes reasonable steps to ensure that Hawaii consumers are directed to the homepage for Hawaii consumers and not the homepage made available to the public generally.

     (h)  A consumer may authorize another person to opt-out of the sale or sharing of the consumer's personal information and to limit the use of the consumer's sensitive personal information on the consumer's behalf, including through an opt-out preference signal pursuant to subsection (b).  A business shall comply with an opt-out request received from a person authorized by the consumer to act on the consumer's behalf, pursuant to rules adopted by the director regardless of whether the business has elected to comply with subsection (a) or (b).  A business that elects to comply with subsection (a) may respond to the consumer's opt-out consistent with section    -47.

     (i)  If a business communicates a consumer's opt-out request to any person authorized by the business to collect personal information, the person shall thereafter only use that consumer's personal information for a business purpose specified by the business, or as otherwise permitted by this chapter, and shall be prohibited from:

     (1)  Selling or sharing the personal information; and

     (2)  Retaining, using, or disclosing that consumer's personal information:

          (A)  For any purpose other than for the specific purpose of performing the services offered to the business;

          (B)  Outside of the direct business relationship between the person and the business; and

          (C)  For a commercial purpose other than providing the services to the business.

     (j)  A business that communicates a consumer's opt-out request to a person pursuant to subsection (i) shall not be liable under this chapter if the person receiving the opt-out request violates the restrictions set forth in this chapter; provided that at the time of communicating the opt-out request, the business did not have actual knowledge, or reason to believe, that the person intended to commit such a violation.  Any provision of a contract or agreement of any kind that purports to waive or limit in any way this subsection shall be void and unenforceable.

     §   -28  Businesses; construction; trade secrets.  Nothing in this part shall require a business to disclose trade secrets, as specified in rules adopted pursuant to section    -63(a)(3).

     §   -29  Waiver; limitation; void and unenforceable.  Any provision of a contract or agreement of any kind, including a representative action waiver, that purports to waive or limit in any way rights under this chapter, including but not limited to any right to a remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and unenforceable.  This section shall not prevent a consumer from declining to request information from a business, declining to opt out of a business's sale of the consumer's personal information, or authorizing a business to sell or share the consumer's personal information after previously opting out.

     §   -30  Research.  Research with personal information that may have been collected from a consumer in the course of the consumer's interactions with a business's service or device for other purposes shall be:

     (1)  Compatible with the business purpose for which the personal information was collected;

     (2)  Subsequently pseudonymized and deidentified, or deidentified and in the aggregate, such that the information cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, by a business;

     (3)  Subject to technical safeguards that prohibit reidentification of the consumer to whom the information may pertain, other than as needed to support the research;

     (4)  Subject to business processes that specifically prohibit reidentification of the information, other than as needed to support the research;

     (5)  Made subject to business processes to prevent inadvertent release of deidentified information;

     (6)  Protected from any reidentification attempts;

     (7)  Used solely for research purposes that are compatible with the context in which the personal information was collected; and

     (8)  Subjected by the business conducting the research to additional security controls that limit access to the research data to only those individuals as are necessary to carry out the research purpose.

PART III.  CONSUMER RIGHTS

     §   -41  Consumers; right to delete personal information.  (a)  A consumer shall have the right to request that a business delete any personal information about the consumer that the business has collected from the consumer.

     (b)  A business that collects personal information about consumers shall disclose, pursuant to section    -25, the consumer's rights to request the deletion of the consumer's personal information.

     (c)  A business that receives a verifiable consumer request from a consumer to delete the consumer's personal information pursuant to subsection (a) shall delete the consumer's personal information from its records, notify any service providers or contractors to delete the consumer's personal information from their records, and notify all third parties to whom the business has sold or shared the personal information to delete the consumer's personal information unless this proves impossible or involves disproportionate effort.

     (d)  The business may maintain a confidential record of deletion requests solely for the purpose of preventing the personal information of a consumer who has submitted a deletion request from being sold, for compliance with laws, or for other purposes, solely to the extent permissible under this chapter.

     (e)  A service provider or contractor shall cooperate with the business in responding to a verifiable consumer request, and at the direction of the business, shall delete the consumer's personal information, or enable the business to delete the consumer's personal information, and shall notify any of its own service providers or contractors to delete personal information about the consumer collected, used, processed, or retained by the service provider or contractor.  The service provider or contractor shall notify any service providers, contractors, or third parties who may have accessed personal information from or through the service provider or contractor, unless the information was accessed at the direction of the business, to delete the consumer's personal information unless this proves impossible or involves disproportionate effort.  A service provider or contractor shall not be required to comply with a deletion request submitted by the consumer directly to the service provider or contractor to the extent that the service provider or contractor has collected, used, processed, or retained the consumer's personal information in its role as a service provider or contractor to the business.

     (f)  A business, or a service provider or contractor acting pursuant to its contract with the business, another service provider, or another contractor, shall not be required to comply with a deletion request submitted by the consumer if it is reasonably necessary for the business, service provider, or contractor to maintain the consumer's personal information in order to:

     (1)  Complete the transaction for which the personal information was collected; fulfill the terms of a written warranty or product recall conducted in accordance with federal law; provide a good or service requested by the consumer, or reasonably anticipated by the consumer within the context of a business's ongoing business relationship with the consumer; or otherwise perform a contract between the business and the consumer;

     (2)  Help ensure security and integrity to the extent the use of the consumer's personal information is reasonably necessary and proportionate for those purposes;

     (3)  Debug to identify and repair errors that impair existing intended functionality;

     (4)  Exercise free speech, ensure the right of another consumer to exercise that consumer's right of free speech, or exercise another right provided for by law;

     (5)  Engage in public or peer-reviewed scientific, historical, or statistical research that conforms or adheres to all other applicable ethics and privacy laws, when the business's deletion of the information is likely to render impossible or seriously impair the ability to complete such research, if the consumer has provided informed consent;

     (6)  Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business and compatible with the context in which the consumer provided the personal information; and

     (7)  Comply with a legal obligation.

     §   -42  Consumers; right to correct inaccurate personal information.  (a)  A consumer shall have the right to request that a business correct inaccurate personal information about the consumer that is maintained by the business, taking into account the nature of the personal information and the purposes of the processing of the personal information.

     (b)  A business that collects personal information about consumers shall disclose, pursuant to section    -25, the consumer's right to request correction of inaccurate personal information.

     (c)  A business that receives a verifiable consumer request to correct inaccurate personal information shall use commercially reasonable efforts to correct the inaccurate personal information as directed by the consumer, pursuant to section    -25 and rules adopted pursuant to section    ‑63(a)(8).

     §   -43  Consumers; right to know what personal information is collected; right to access personal information.  (a)  A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following:

     (1)  The categories of personal information the business has collected about that consumer;

     (2)  The categories of sources from which the personal information is collected;

     (3)  The business purpose or commercial purpose for collecting, selling, or sharing personal information;

     (4)  The categories of third parties to whom the business discloses personal information; and

     (5)  The specific pieces of personal information the business has collected about that consumer.

     (b)  A business that collects personal information about a consumer shall disclose to the consumer, pursuant to section    ‑25(a)(6), the information specified in subsection (a) upon receipt of a verifiable consumer request from the consumer; provided that a business shall be deemed to be in compliance with subsection (a)(1) through (4) to the extent that the categories of information and the business purpose or commercial purpose for collecting, selling, or sharing personal information the business would be required to disclose to the consumer pursuant to subsection (a)(1) through (4) is the same as the information the business has disclosed pursuant to subsection (c)(1) through (4).

     (c)  A business that collects personal information about consumers shall disclose, pursuant to section    -25(a)(8)(B):

     (1)  The categories of personal information the business has collected about consumers;

     (2)  The categories of sources from which the personal information is collected;

     (3)  The business purpose or commercial purpose for collecting, selling, or sharing personal information;

     (4)  The categories of third parties to whom the business discloses personal information; and

     (5)  That a consumer has the right to request the specific pieces of personal information the business has collected about that consumer.

     (d)  Personal information shall not be considered to have been disclosed by a business when a consumer instructs a business to transfer the consumer's personal information from one business to another in the context of switching services.

     §   -44  Consumers; right to know what personal information is sold or shared and to whom.  (a)  A consumer shall have the right to request that a business that sells or shares the consumer's personal information, or that discloses the personal information for a business purpose, disclose to that consumer:

     (1)  The categories of personal information the business collected about the consumer;

     (2)  The categories of personal information about the consumer that the business sold or shared and the categories of third parties to whom the personal information was sold or shared, by category or categories of personal information for each category of third parties to whom the personal information was sold or shared; and

     (3)  The categories of personal information about the consumer that the business disclosed for a business purpose and the categories of persons to whom the categories of personal information were disclosed for a business purpose.

     (b)  A business that sells or shares personal information about a consumer, or that discloses a consumer's personal information for a business purpose, shall disclose, pursuant to section    -25(a)(7), the information specified in subsection (a) to the consumer upon receipt of a verifiable consumer request from the consumer.

     (c)  A business that sells or shares consumers' personal information, or that discloses consumers' personal information for a business purpose, shall disclose, pursuant to section    ‑25(a)(8)(C):

     (1)  The category or categories of consumers' personal information the business has sold or shared; provided that if the business has not sold or shared consumers' personal information, the business shall disclose that fact; and

     (2)  The category or categories of consumers' personal information the business has disclosed for a business purpose; provided that if the business has not disclosed consumers' personal information for a business purpose, the business shall disclose that fact.

     (d)  A third party shall not sell or share personal information about a consumer that has been sold to, or shared with, the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt out pursuant to section    -45.

     §   -45  Consumers; right to opt out of sale or sharing of personal information.  (a)  A consumer shall have the right, at any time, to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer's personal information.  This right may be referred to as the right to opt out of sale or sharing.

     (b)  A business that sells consumers' personal information to, or shares personal information with, third parties shall provide notice to consumers, pursuant to section    -27(b), that this personal information may be sold or shared and that consumers have the right to opt out of the sale or sharing of their personal information.

     (c)  Notwithstanding subsection (a), a business shall not sell or share a consumer's personal information if the business has actual knowledge that the consumer is less than sixteen years of age, unless the consumer, in the case of consumers at least thirteen years of age and less than sixteen years of age, or the consumer's parent or guardian, in the case of consumers who are less than thirteen years of age, has affirmatively authorized the sale or sharing of the consumer's personal information.  A business that willfully disregards the consumer's age shall be deemed to have had actual knowledge of the consumer's age.

     (d)  A business that has received direction from a consumer not to sell or share the consumer's personal information or, in the case of a minor consumer's personal information has not received consent to sell or share the minor consumer's personal information, shall be prohibited, pursuant to section    ‑27(f)(3), from selling or sharing the consumer's personal information after the business's receipt of the consumer's direction, unless the consumer subsequently provides consent for the sale or sharing of the consumer's personal information.

     (e)  This section shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer and the vehicle's manufacturer, if the vehicle information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to title 49 United States Code sections 30118 through 30120; provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared shall not sell, share, or use that information for any other purpose.

     For purposes of this subsection:

     "Ownership information" means the name of the registered owner and the contact information for the owner.

     "Vehicle information" means the vehicle identification number, make, model, year, and odometer reading.

     §   -46  Consumers; right to limit use and disclosure of sensitive personal information.  (a)  A consumer shall have the right, at any time, to direct a business that collects sensitive personal information about the consumer to limit the business's use of the consumer's sensitive personal information to the use that is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services, or perform the services set forth in paragraphs (2), (4), (5), and (8) of the definition of business purpose and as authorized by rules adopted pursuant to section    ‑63(a)(21).  A business that uses or discloses a consumer's sensitive personal information for purposes other than those specified in this subsection shall provide notice to consumers, pursuant to section    -27(a), that this sensitive personal information may be used, or disclosed to a service provider or contractor, for additional, specified purposes and that consumers have the right to limit the use or disclosure of their sensitive personal information.

     (b)  A business that has received direction from a consumer not to use or disclose the consumer's sensitive personal information, except as authorized by subsection (a), shall be prohibited, pursuant to section    -27(f)(3), from using or disclosing the consumer's sensitive personal information for any other purpose after the business's receipt of the consumer's direction, unless the consumer subsequently provides consent for the use or disclosure of the consumer's sensitive personal information for additional purposes.

     (c)  A service provider or contractor that assists a business in performing the purposes authorized by subsection (a) shall not use the consumer's sensitive personal information after the service provider or contractor has received instructions from the business, and to the extent the service provider or contractor has actual knowledge that the personal information is sensitive personal information, for any other purpose.  A service provider or contractor shall only be required to limit the service provider's or contractor's use of sensitive personal information received pursuant to a written contract with the business in response to instructions from the business and only with respect to its relationship with that business.

     (d)  Sensitive personal information that is collected or processed without the purpose of inferring characteristics about a consumer shall not be subject to this section, as further defined in rules adopted pursuant to section    -63(a)(21), and shall be treated as personal information for purposes of all other sections of this chapter.

     §   -47  Consumers; right of no retaliation following opt out or exercise of other rights.  (a)  A business shall not discriminate against a consumer because the consumer exercised any of the consumer's rights under this chapter, including but not limited to:

     (1)  Denying goods or services to the consumer;

     (2)  Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;

     (3)  Providing a different level or quality of goods or services to the consumer; or

     (4)  Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.

     (b)  Nothing in this section shall prohibit a business, pursuant to section    -23, from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the business by the consumer's data.

     (c)  This section shall not prohibit a business from offering loyalty, rewards, premium features, discounts, or club card programs consistent with this chapter.

PART IV.  ADMINISTRATION AND ENFORCEMENT

     §   -61  Administrative enforcement.  (a)  Any business, service provider, contractor, or other person that violates this chapter shall be liable for an administrative fine of no more than:

     (1)  $2,500 for each violation; or

     (2)  $7,500 for each intentional violation involving the personal information of consumers for whom the business, service provider, contractor, or other person has actual knowledge are under sixteen years of age,

as adjusted pursuant to section    -63(a)(5), in an administrative enforcement action brought by the department.

     (b)  Any administrative fine assessed for a violation of this chapter, and the proceeds of any settlement of an action brought pursuant to subsection (a), shall be deposited in the compliance resolution fund established pursuant to section 26‑9(o) with the intent to fully offset any costs incurred by the department in connection with this chapter.

     §   -62  No private right of action.  Nothing in this chapter shall be interpreted to serve as the basis for a private right of action under any other law.  This section shall not be construed to relieve any party from any duties or obligations imposed under other law or the United States Constitution or Hawaii State Constitution.

     §   -63  Rules.  (a)  The department shall adopt rules pursuant to chapter 91 to further the purposes of this chapter, including but not limited to the following areas:

     (1)  Updating or adding categories of personal information to those enumerated in the definitions of "personal information" and "sensitive personal information" to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns;

     (2)  Updating as needed the definitions of "deidentified" and "unique identifier" to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns; provided that the authority to update the definition of "deidentified" shall not apply to deidentification standards set forth in title 45 Code of Federal Regulations section 164.514, where such information previously was "protected health information" as defined in title 45 Code of Federal Regulations section 160.103; and adding, modifying, or deleting categories to the definition of "designated methods for submitting requests" to facilitate a consumer's ability to obtain information from a business pursuant to section    -25;

     (3)  Establishing any exceptions necessary to comply with state or federal law, including but not limited to those relating to trade secrets and intellectual property rights with the intention that trade secrets shall not be disclosed in response to a verifiable consumer request;

     (4)  Establishing rules and procedures:

          (A)  To facilitate and govern the submission of a request by a consumer to opt-out of the sale or sharing of personal information pursuant to section    -45 and limit the use of a consumer's sensitive personal information pursuant to section    -46 to ensure that consumers have the ability to exercise their choices without undue burden and prevent business from engaging in deceptive or harassing conduct, including retaliation against consumers for exercising their rights, while allowing businesses to inform consumers of the consequences of their decision to opt out of the sale or sharing of their personal information or limit the use of their sensitive personal information;

          (B)  To govern business compliance with a consumer's opt-out request; and

          (C)  For the development and use of a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt-out of the sale of personal information;

     (5)  Adjusting the monetary thresholds, in January of every odd-numbered year to reflect any increase in the Consumer Price Index, in paragraph (1)(A) of the definition of "business" and section    -61(a);

     (6)  Establishing rules, procedures, and any exceptions necessary to ensure that the notices and information that businesses are required to provide pursuant to this chapter are provided in a manner that may be easily understood by the average consumer, are accessible to consumers with disabilities, and are available in the language primarily used to interact with the consumer, including establishing rules and guidelines regarding financial incentives;

     (7)  Establishing rules and procedures to further the purposes of sections    -41,    -42,    -43, and    ‑44 and facilitate a consumer's or the consumer's authorized agent's ability to delete personal information pursuant to section    -41, correct inaccurate personal information pursuant to section    -42, or obtain information pursuant to section    -25, with the goal of minimizing the administrative burden on consumers, taking into account available technology, security concerns, and the burden on the business, to govern a business's determination that a request for information received from a consumer is a verifiable consumer request, including treating a request submitted through a password-protected account maintained by the consumer with the business while the consumer is logged into the account as a verifiable consumer request and providing a mechanism for a consumer who does not maintain an account with the business to request information through the business's authentication of the consumer's identity;

     (8)  Establishing how often, and under what circumstances, a consumer may request a correction of inaccurate personal information pursuant to section    -42, including standards governing:

          (A)  How a business responds to a request for correction, including exceptions for requests to which a response is impossible or would involve disproportionate effort, and requests for correction of accurate personal information;

          (B)  How concerns regarding the accuracy of the personal information may be resolved;

          (C)  The steps a business may take to prevent fraud; and

          (D)  If a business rejects a request to correct personal information collected and analyzed concerning a consumer's health, the right of a consumer to provide a written addendum to the business with respect to any item or statement regarding any personal information that the consumer believes to be incomplete or incorrect; provided that the addendum shall be limited to two hundred fifty words per alleged incomplete or incorrect item and shall clearly indicate in writing that the consumer requests the addendum to be made a part of the consumer's record;

     (9)  Establishing the standard to govern a business's determination, pursuant to section    -25(a)(4), that providing information beyond the twelve-month period in a response to a verifiable consumer request is impossible or would involve a disproportionate effort;

    (10)  Adopting rules further defining and adding to the definition of business purpose, including other notified purposes, for which businesses, service providers, and contractors may use consumers' personal information consistent with consumers' expectations, and further defining the business purposes for which service providers and contractors may combine consumers' personal information obtained from different sources, except as provided for in paragraph (6) of the definition of "business purpose";

    (11)  Adopting rules identifying those business purposes, including other notified purposes, for which service providers and contractors may use consumers' personal information received pursuant to a written contract with a business, for the service provider or contractor's own business purposes, with the goal of maximizing consumer privacy;

    (12)  Adopting rules to further define "intentionally interacts", with the goal of maximizing consumer privacy;

    (13)  Adopting rules to further define "precise geolocation", including if the size defined is not sufficient to protect consumer privacy in sparsely populated areas or when the personal information is used for normal operational purposes, including billing;

    (14)  Adopting rules to define the term "specific pieces of information obtained from the consumer" with the goal of maximizing a consumer's right to access relevant personal information while minimizing the delivery of information to a consumer that would not be useful to the consumer, including system log information and other technical data.  For delivery of the most sensitive personal information, the rules may require a higher standard of authentication; provided that the department shall monitor the impact of the higher standard on the right of consumers to obtain their personal information to ensure that the requirements of verification do not result in the unreasonable denial of verifiable consumer requests;

    (15)  Adopting rules requiring businesses whose processing of consumers' personal information presents significant risk to consumers' privacy or security, to:

          (A)  Perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent.  The factors to be considered in determining when processing may result in significant risk to the security of personal information shall include the size and complexity of the business and the nature and scope of processing activities; and

          (B)  Submit to the department on a regular basis a risk assessment with respect to the business's processing of personal information, including whether the processing involves sensitive personal information, and identifying and weighing the benefits resulting from the processing to the business, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with that processing, with the goal of restricting or prohibiting the processing if the risks to privacy of the consumer outweigh the benefits resulting from processing to the consumer, the business, other stakeholders, and the public;

    (16)  Adopting rules governing access and opt-out rights with respect to businesses' use of automated decisionmaking technology, including profiling and requiring businesses' response to access requests to include meaningful information about the logic involved in those decisionmaking processes, as well as a description of the likely outcome of the process with respect to the consumer;

    (17)  Adopting rules to further define a "law enforcement agency-approved investigation" for purposes of the exception in section    -3(a)(2);

    (18)  Adopting rules to define the scope and process for the exercise of the department's audit authority, establish criteria for selection of persons to audit, and protect consumers' personal information from disclosure to an auditor in the absence of a court order, warrant, or subpoena;

    (19)  Adopting rules to define the requirements and technical specifications for an opt-out preference signal sent by a platform, technology, or mechanism, to indicate a consumer's intent to opt out of the sale or sharing of the consumer's personal information and limit the use or disclosure of the consumer's sensitive personal information.  The requirements and specifications for the opt-out preference signal shall be updated from time to time to reflect the means by which consumers interact with businesses, and shall:

          (A)  Ensure that the manufacturer of a platform or browser or device that sends the opt-out preference signal cannot unfairly disadvantage another business;

          (B)  Ensure that the opt-out preference signal is consumer-friendly, clearly described, and easy to use by an average consumer and does not require that the consumer provide additional information beyond what is necessary;

          (C)  Clearly represent a consumer's intent and be free of defaults constraining or presupposing that intent;

          (D)  Ensure that the opt-out preference signal does not conflict with other commonly used privacy settings or tools that consumers may employ;

          (E)  Provide a mechanism for the consumer to selectively consent to a business's sale of the consumer's personal information, or the use or disclosure of the consumer's sensitive personal information, without affecting the consumer's preferences with respect to other businesses or disabling the opt-out preference signal globally; and

          (F)  State that in the case of a page or setting view that the consumer accesses to set the opt-out preference signal, the consumer should see up to three choices, including:

               (i)  Global opt out from sale and sharing of personal information, including a direction to limit the use of sensitive personal information;

              (ii)  Choice to "Limit the Use of My Sensitive Personal Information."; and

             (iii)  Choice titled "Do Not Sell/Do Not Share My Personal Information for Cross-Context Behavioral Advertising.";

    (20)  Adopting rules to establish technical specifications for an opt-out preference signal that allows the consumer, or the consumer's parent or guardian, to specify that the consumer is less than thirteen years of age or at least thirteen years of age and less than sixteen years of age;

    (21)  Adopting rules, with the goal of strengthening consumer privacy while considering the legitimate operational interests of businesses, to govern the use or disclosure of a consumer's sensitive personal information, notwithstanding the consumer's direction to limit the use or disclosure of the consumer's sensitive personal information, including:

          (A)  Determining any additional purposes for which a business may use or disclose a consumer's sensitive personal information;

          (B)  Determining the scope of activities permitted under paragraph (8) of the definition of "business purpose", as authorized by section    ‑46(a), to ensure that the activities do not involve health-related research;

          (C)  Ensuring the functionality of the business's operations; and

          (D)  Ensuring that the exemption in section    -46(d) for sensitive personal information applies to information that is collected or processed incidentally, or without the purpose of inferring characteristics about a consumer, while ensuring that businesses do not use the exemption for the purpose of evading consumers' rights to limit the use and disclosure of their sensitive personal information under section    -46;

    (22)  Adopting rules to govern how a business that has elected to comply with section    -27(b) responds to the opt-out preference signal and provides consumers with the opportunity subsequently to consent to the sale or sharing of their personal information or the use and disclosure of their sensitive personal information for purposes in addition to those authorized by section    -46(a).  The rules shall:

          (A)  Strive to promote competition and consumer choice and be technology neutral;

          (B)  Ensure that the business does not respond to an opt-out preference signal by:

               (i)  Intentionally degrading the functionality of the consumer experience;

              (ii)  Charging the consumer a fee in response to the consumer's opt-out preferences;

             (iii)  Making any products or services not function properly or fully for the consumer, as compared to consumers who do not use the opt-out preference signal;

              (iv)  Attempting to coerce the consumer to opt in to the sale or sharing of the consumer's personal information, or the use or disclosure of the consumer's sensitive personal information, by stating or implying that the use of the opt-out preference signal will adversely affect the consumer as compared to consumers who do not use the opt-out preference signal, including stating or implying that the consumer will not be able to use the business's products or services or that those products or services may not function properly or fully; and

               (v)  Displaying any notification or pop-up in response to the consumer's opt-out preference signal;

          (C)  Ensure that any link to a web page or its supporting content that allows the consumer to consent to opt in:

               (i)  Is not part of a popup, notice, banner, or other intrusive design that obscures any part of the web page the consumer intended to visit from full view or that interferes with or impedes in any way the consumer's experience visiting or browsing the web page or website the consumer intended to visit;

              (ii)  Does not require or imply that the consumer must click the link to receive full functionality of any products or services, including the website;

             (iii)  Does not make use of any dark patterns; and

              (iv)  Applies only to the business with which the consumer intends to interact; and

          (D)  Strive to curb coercive or deceptive practices in response to an opt-out preference signal but should not unduly restrict businesses that are trying in good faith to comply with section    ‑27;

    (23)  Review existing insurance code provisions and rules relating to consumer privacy, except those relating to insurance rates or pricing, to determine whether any provisions of the insurance code provide greater protection to consumers than the provisions of this chapter.  Upon completing its review, the director shall adopt a rules that applies only the more protective provisions of this chapter to insurance companies; and

    (24)  Harmonizing the rules governing opt-out mechanisms, notices to consumers, and other operational mechanisms in this chapter to promote clarity and the functionality of this chapter for consumers.

     (b)  The director may adopt additional rules as necessary to further the purposes of this chapter.

     §   -64  Anti-avoidance.  A court or the department shall disregard the intermediate steps or transactions for purposes of effectuating the purposes of this chapter:

     (1)  If a series of steps or transactions were component parts of a single transaction intended from the beginning to be taken with the intention of avoiding the reach of this chapter, including the disclosure of information by a business to a third party in order to avoid the definitions of "sell" or "share"; or

     (2)  If steps or transactions were taken to purposely avoid the definitions of "sell" or "share" by eliminating any monetary or other valuable consideration, including by entering into contracts that do not include an exchange for monetary or other valuable consideration, but where a party is obtaining something of value or use."

     SECTION 2.  The director of commerce and consumer affairs shall not bring an enforcement action under section    -61, Hawaii Revised Statutes, added by section 1 of this Act, until six months after the publication of the final rules adopted pursuant to section    -63, Hawaii Revised Statutes, added by section 1 of this Act, or January 1, 2024, whichever is sooner.

     SECTION 3.  There is appropriated out of the general revenues of the State of Hawaii the sum of $           or so much thereof as may be necessary for fiscal year 2022-2023 for the purposes of this Act.

     The sum appropriated shall be expended by the department of commerce and consumer affairs for the purposes of this Act.

     SECTION 4.  This Act shall take effect on January 1, 2023; provided that section 3 of this Act shall take effect on July, 1 2022.

 

INTRODUCED BY:	_____________________________

 

 

Report Title:

Hawaii Consumer Privacy Act; Business Obligations; Consumer Rights; Personal Information; Appropriation

 

Description:

Establishes the Hawaii consumer privacy act.  Specifies various consumer rights with respect to the collection of personal information by businesses.  Outlines the obligations on businesses with respect to the collection, disclosure, sharing, and selling of consumer personal information.  Specifies the requirements for administration and enforcement by the department, including adoption of rules.  Appropriates funds.  Effective 1/1/2023.

 

 

 

The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.