I. Introduction
In an era characterized by digital advancements and growing concerns over privacy, state-level legislative initiatives in the US aimed at strengthening protections for consumer data are on the rise. Hawaii's Consumer Data Protection Act (HCDPA) marks a significant stride towards enhancing consumers' privacy rights and imposes multiple obligations on businesses.
The HCDPA not only reflects the increasing global focus on individual privacy but also lays out a comprehensive framework regulating how businesses operating in Hawaii may collect, process, and share personal data. If passed, the HCDPA would take effect on July 1, 2024.
This guide delves into HCDPA’s key provisions, implications for organizations, and the broader impact of the Act on privacy practices and regulatory compliance in the digital age.
II. Who Needs to Comply with HCDPA
A. Material Scope
The HCDPA applies to persons who conduct business in Hawaii or produce products or services targeted at Hawaii residents and who meet at least one of the following thresholds:
- Control or process the personal data of at least 100,000 consumers per year; or
- Control or process the personal data of at least 25,000 consumers and derive over 25% of gross revenue from the sale of personal data per year.
B. Exemptions
The HCDPA exempts certain entities from the application of its provisions, including the following:
- Any government entity;
- Any nonprofit organization;
- Any institution of higher education;
- The National Insurance Crime Bureau.
In addition, the following information and data are exempt from the application of the HCDPA:
- Protected health information;
- Nonpublic personal information;
- Confidential records;
- Identifiable private information;
- Information and documents created for purposes of the Healthcare Quality Improvement Act;
- Patient safety work product for purposes of the Patient Safety and Quality Improvement Act;
- Personal data obtained from healthcare-related information, when de-identified according to Health Insurance Portability and Accountability Act's de-identification standards;
- Personal information similar to or treated similarly with the data exempted from the scope of this Act, maintained by covered entities or business associates as defined in the Health Insurance Portability and Accountability Act, or by programs or qualified service organizations as defined in Title 42 Code of Federal Regulations;
- Personal data used only for public health activities and purposes as authorized by the Health Insurance Portability and Accountability Act;
- Personal data related to a consumer's creditworthiness, credit standing, reputation, or other characteristics by consumer reporting agencies, furnishers, and users of consumer reports, as authorized under the Fair Credit Reporting Act (FCRA);
- Personal data collected, processed, sold, or disclosed in compliance with the Driver's Privacy Protection Act;
- Personal data regulated by the Family Educational Rights and Privacy Act;
- Personal data collected, processed, sold, or disclosed in compliance with the Farm Credit Act;
- Personal data of individuals applying to, employed by, or acting as agents or independent contractors of a controller, processor, or third party, the data of their emergency contact, and the data necessary to retain to administer benefits for another individual relating to them; and
- Personal data of children when verifiable parental consent is acquired pursuant to the Children's Online Privacy Protection Act.
III. Definitions of Key Terms
A. Biometric Data
Data generated by automatic measurements of an individual's biological characteristics, including fingerprints, voiceprints, eye retinas, irises, or other unique biological patterns or characteristics, that are used to identify a specific individual. It does not include a physical or digital photograph, a video or audio recording, or data generated from them, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.
B. Child
Any natural person younger than thirteen years of age.
C. Consent
A clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer. It includes a written statement, a statement written by electronic means, or any other unambiguous affirmative action.
D. Personal Data
Any information that is linked or could be reasonably linkable to an identified or identifiable natural person. "Personal data" does not include de-identified data or publicly available information.
E. Sensitive Data
A category of personal data that includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health conditions or diagnoses, sexual history, sexual orientation, or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; personal data collected from a known child; and precise geolocation data.
IV. Obligations for Organizations Under HCDPA
A. Consent Requirements
Controllers must not process a consumer's personal data for purposes that are neither reasonably necessary for nor compatible with the purposes disclosed to the consumer, unless the consumer provides consent. Consent must be freely given, specific, informed, and unambiguous.
Additionally, a controller must not process a consumer's personal data for targeted advertising or sell it without the consumer's consent if the controller knows that the consumer is at least thirteen but younger than sixteen years old.
Controllers are prohibited from processing a consumer's sensitive data without their explicit consent. Additionally, when processing sensitive data pertaining to a known child, controllers must comply with the Children's Online Privacy Protection Act (COPPA).
B. Data Minimization Requirements
Controllers should collect only personal data that is adequate, relevant, and reasonably necessary for the disclosed purpose(s) of processing. Absent the consumer's consent, they must not process personal data for purposes that are neither reasonably necessary for nor compatible with those disclosed purposes.
C. Privacy Notice Requirements
Controllers are required to provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the following:
- The categories of personal data processed by the controller;
- The purpose for processing personal data;
- How consumers can exercise their rights, including the procedure for appealing the controller's decision on a consumer's request;
- The categories of personal data that the controller shares with third parties, if any;
- The categories of third parties, if any, with whom the controller shares personal data; and
- A working email address or other online method by which the consumer may communicate with the controller.
D. Security Requirements
To safeguard the integrity and accessibility of personal data, including sensitive data, controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices. These practices must be appropriate to the volume and nature of the personal data at issue.
E. Data Protection Impact Assessment
Organizations are required to conduct data protection impact assessments (DPIA) for each of the following processing activities involving personal data:
- The processing of personal data for targeted advertising purposes;
- The sale of personal data;
- Processing personal data for profiling where there is a reasonably foreseeable risk that the profiling may lead to:
- Unlawful discriminatory effect on consumers, or unfair or misleading treatment of them;
- Financial, physical, or reputational injury to consumers;
- A physical or other interference that would be considered objectionable to a reasonable person upon a consumer's privacy, solitude, or private affairs; or
- Other substantial injury to consumers;
- The processing of sensitive data; and
- Any processing of personal data that presents a heightened risk of harm to consumers.
The DPIA requirement applies to processing activities created or generated after January 1, 2026.
V. Obligations of Data Processors
The HCDPA requires data processors to assist the controller, including by:
- Taking into account the nature of the processing and the data available to the processor, using appropriate technical and organizational measures, insofar as reasonably practicable, to help the controller meet its duty to respond to consumer rights requests;
- Taking into account the nature of the processing and the data available to the processor, helping the controller meet its obligations regarding the security of processing personal data and the notification of security breaches to third parties; and
- Providing the controller with the information needed to conduct and document data protection impact assessments.
Processing carried out by a processor on behalf of a controller must be governed by a contract between the controller and the processor. The contract must set out the processing instructions, the nature and purpose of the processing, the categories of data to be processed, the duration of the processing, and the rights and obligations of each party.
VI. Data Subject Rights
A. Right to Access
Consumers have the right to confirm whether or not a controller is processing the consumer's personal data and to access such data.
B. Right to Correct Inaccuracies
Consumers have the right to correct inaccuracies in their personal data.
C. Right to Delete
Consumers have the right to delete their personal data being processed by the controller.
D. Right to Obtain a Copy
Consumers have the right to obtain a copy of the personal data they previously provided to the controller in a portable and readily usable format. Where the processing is carried out by automated means, this format must allow the consumer to transmit the data to another controller without hindrance.
E. Right to Opt-Out
Consumers have the right to opt out of the processing of their personal data for targeted advertising, the sale of their personal data, or profiling in furtherance of decisions by the controller that affect their ability to access or receive financial and lending services, housing, insurance, education, criminal justice, employment opportunities, health care services, or basic necessities such as food and water.
Appointment of an Authorized Agent
Consumers may designate an individual to serve as their authorized agent and to act on their behalf to opt out of the processing of their personal data.
If a controller is able to independently confirm the identity of the consumer and the authorized agent's legal capacity to act on the consumer's behalf, it must comply with the opt-out request received from the authorized agent.
Processing of Minors
When a known child's personal data is processed, the child's parent or legal guardian may exercise consumer rights on the child's behalf. Where a consumer is subject to a guardianship, conservatorship, or other protective arrangement, the guardian or conservator may exercise the consumer's rights.
Response Period of Consumer Rights
Upon receipt of a consumer request, a controller must respond to the consumer promptly, and in any event within 45 days. Where reasonably necessary, taking into account the complexity and number of the consumer's requests, the response period may be extended once by an additional 45 days. The controller must notify the consumer of the extension, along with the reason for it, within the initial 45-day response period.
When a controller declines to act on a consumer's request, it must notify the consumer in writing of its decision, the reason for not acting, and how to appeal the decision. This notification must be sent as soon as possible and no later than 45 days after the request is received.
A controller must provide the requested information free of charge up to twice annually per consumer. If a request is manifestly unfounded, excessive, or repetitive, the controller may charge a reasonable fee to cover the administrative costs of complying with the request or may decline to act on it. The controller bears the burden of demonstrating that the request is manifestly unfounded, excessive, or repetitive.
Appeal Process
Every controller must establish an appeals process that allows a consumer to challenge a controller's refusal to act on a request within a reasonable period after receiving the decision. The appeals process must be similar to the process for submitting requests.
A controller must notify the consumer in writing of its decision on the appeal, together with a written explanation of the reasons for the decision, within sixty (60) days of receiving the appeal. If the appeal is denied, the controller must also provide the consumer with an online mechanism, if available, or another method through which the consumer may submit a complaint to the Department of the Attorney General.
VII. Regulatory Authority
The Department of the Attorney General has exclusive authority to enforce the HCDPA. Before initiating an action, the Department must give the controller or processor 30 days' written notice identifying the specific provisions alleged to have been violated.
No action may be brought if, within the 30-day period, the controller or processor cures the alleged violation and provides the Department with an express written statement that the alleged violation has been cured and that no further violations will occur.
VIII. Penalties for Non-Compliance
If a controller or processor continues to violate the HCDPA after the cure period has passed, or breaches the express written statement provided to the Department, the Department of the Attorney General may bring an action in the name of the State, seek an injunction to restrain any violations of the HCDPA, and seek civil penalties of up to $7,500 for each violation.
IX. How an Organization Can Operationalize HCDPA
Organizations can operationalize Hawaii's Consumer Data Protection Act (HCDPA) by:
- Establishing clearly defined policies and procedures for processing personal data in compliance with the HCDPA's provisions;
- Developing clear, accessible, and understandable privacy notices that meet the HCDPA's requirements;
- Obtaining consent where the HCDPA requires it, such as before processing sensitive data or before processing personal data for purposes not reasonably necessary for or compatible with the disclosed purposes;
- Developing a robust framework for receiving and processing consumer rights requests, complaints, and appeals within the statutory deadlines; and
- Training employees who handle consumers' data on the organization's policies and procedures and on the requirements of the HCDPA.
X. How Securiti Can Help
Securiti’s Data Command Center enables organizations to comply with Hawaii's Consumer Data Protection Act (HCDPA) by securing the organization’s data, enabling organizations to maximize data value, and fulfilling an organization’s obligations around data security, data privacy, data governance, and compliance.
It helps organizations overcome the challenges of hyperscale data environments by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS applications, enabling them to comply swiftly with privacy, security, governance, and compliance requirements.
Request a demo to learn more.