Products
By Use Cases By Roles
Data Command Center
View
Learn more

AI Security & Governance

Discover, assess, and safeguard AI usage

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Asset and Data Discovery

Discover dark and native data assets

Learn more

LLM Firewall

Secure your GenAI applications with distributed and context-aware LLM firewalls

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Prevent sensitive data sprawl through real-time streaming platforms

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Catalog

Automatically catalog datasets and enable users to find, understand, trust and access data

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle

Learn more

Data Security Posture Management

Secure sensitive data in hybrid multicloud and SaaS environments

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Compliance Management

Automate Compliance with Global AI and Data Frameworks using Common Controls and Tests
Data Controls Orchestrator
View
Data Command Center
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

AI Security & Governance

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

AI Security & Governance

View

LLM Firewall

View

Data Access Intelligence & Governance

View

Data Risk Management

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View

AI Security & Governance

View

Compliance Management

View

LLM Firewall

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Databricks

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

CPRA
California Privacy Rights Act

View

European Union GDPR

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA Compliance Solution

View

Brazil's LGPD

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.

Webinars

Learn from industry thought leaders why you need a Data Command Center to enable safe use of data.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

An Overview of Hawaii’s Consumer Data Protection Act – Senate Bill 3018

By Anas Baig | Reviewed By Salma Khan

Published May 24, 2024 / Updated June 28, 2024

I. Introduction

In an era characterized by digital advancements and growing concerns over privacy, legislative initiatives at the state level in the US are on the rise, aimed at enhancing protections for consumer data. Hawaii's Consumer Data Protection Act (HCDPA) marks a significant stride towards enhancing consumer’s privacy rights and imposes multiple obligations on businesses.

HCDPA not only reflects the increasing global focus on the privacy of individuals but also lays out a comprehensive framework that regulates how businesses operating in Hawaii are allowed to collect, process, and share personal data. If passed, HCDPA will be enacted on July 1, 2024.

This guide delves into HCDPA’s key provisions, implications for organizations, and the broader impact of the Act on privacy practices and regulatory compliance in the digital age.

II. Who Needs to Comply with HCDPA

A. Material Scope

The HCDPA applies to the persons who conduct business in Hawaii or produce products or services that target Hawaii residents and who meet at least one of the following criteria:

Control or process the personal data of at least 100,000 consumers per year; or
Control or process the personal data of at least 25,000 consumers and derive over 25% of gross revenue from the sale of personal data per year.

B. Exemptions

The HCDPA exempts certain entities from the application of its provisions, including the following:

Any government entity;
Any nonprofit organization;
Any institution of higher education;
The National Insurance Crime Bureau.

In addition, the following information and data are exempt from the application of the HCDPA:

Protected health information;
Nonpublic personal information;
Confidential records;
Identifiable private information;
Information and documents created for purposes of the Healthcare Quality Improvement Act;
Patient safety work product for purposes of the Patient Safety and Quality Improvement Act;
Personal data obtained from healthcare-related information, when de-identified according to Health Insurance Portability and Accountability Act's de-identification standards;
Personal information similar to or treated similarly with the data exempted from the scope of this Act, maintained by covered entities or business associates as defined in the Health Insurance Portability and Accountability Act, or by programs or qualified service organizations as defined in Title 42 Code of Federal Regulations;
Personal data used only for public health activities and purposes as authorized by the Health Insurance Portability and Accountability Act;
Personal data related to a consumer's creditworthiness, credit standing, reputation, or other characteristics by consumer reporting agencies, furnishers, and users of consumer reports, as authorized under the Fair Credit Reporting Act (FCRA);
Personal data collected, processed, sold, or disclosed in compliance with the Driver's Privacy Protection Act;
Personal data regulated by the Family Educational Rights and Privacy Act;
Personal data collected, processed, sold, or disclosed in compliance with the Farm Credit Act;
Personal data of individuals applying to, employed by, or acting as agents or independent contractors of a controller, processor, or third party, the data of their emergency contact, and the data necessary to retain to administer benefits for another individual relating to them; and
Personal data of children when verifiable parental consent is acquired pursuant to the Children's Online Privacy Protection Act.

III. Definitions of Key Terms

A. Biometric Data

Data generated by automatic measurements of an individual's biological characteristics, including fingerprints, voiceprints, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual. It does not include a physical or digital photograph, a video or audio recording, or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under the HIPAA.

B. Child

Any natural person younger than thirteen years of age.

A clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer. It includes a written statement, a statement written by electronic means, or any other unambiguous affirmative action.

D. Personal Data

Any information that is linked or could be reasonably linkable to an identified or identifiable natural person. "Personal data" does not include de-identified data or publicly available information.

E. Sensitive Data

A category of personal data, it includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health conditions or diagnoses, sexual history, sexual orientation, or citizenship or immigration status, the processing of genetic or biometric data for the purpose of uniquely identifying a natural person, personal data collected from a known child, or precise geolocation data.

IV. Obligations for Organizations Under HCDPA

Organizations must not process a consumer's personal data for purposes that are neither reasonably necessary nor compatible with the disclosed purposes for which the personal data is processed, as disclosed to the consumer unless the consumer provides consent. Consent must be freely given, specific, informed, and unambiguous.

Additionally, the data controller must not process a consumer's personal data for targeted advertising or sell it without the consumer's consent if the controller knows that the consumer is at least thirteen but younger than sixteen years old.

Controllers are prohibited from processing a consumer's sensitive data without their explicit consent. Additionally, when processing sensitive data pertaining to a known child, controllers must comply with the Children's Online Privacy Protection Act (COPPA).

B. Data Minimization Requirements

Controllers should only collect personal data that is adequate, relevant, and reasonably necessary for the disclosed purpose(s) of processing. Unless the controller receives the consumer’s consent, they must not process personal data for purposes that are neither consistent with nor reasonably required to achieve the specified purposes for which the personal data is processed.

C. Privacy Notice Requirements

Controllers are required to provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the following:

The categories of personal data processed by the controller;
The purpose for processing personal data;
The ways in which consumers can exercise their rights, such as the procedure for appealing the controller's decision on the customer's request;
The categories of personal data that the controller shares with third parties, if any;
The categories of third parties, if any, with whom the controller shares personal data; and
A working email address or other online method by which the consumer may communicate with the controller.

D. Security Requirements

To safeguard sensitive data and personal data’s integrity and accessibility, organizations must establish, implement, and maintain reasonable administrative, technical, and physical data security practices. The procedures must be suitable for the volume and category of personal data in question.

E. Data Protection Impact Assessment

Organizations are required to conduct data protection impact assessments (DPIA) for each of the following processing activities involving personal data:

The processing of personal data for targeted advertising purposes;
The sale of personal data;
Processing personal information for profiling where there is a reasonably foreseeable risk that the profiling may lead to:
- Unlawful discriminatory effect on consumers, or unfair or misleading treatment of them;
- Financial, physical, or reputational injury to consumers;
- A physical or other interference that would be considered objectionable to a reasonable person upon a consumer's privacy, solitude, or private affairs; or
- Other substantial injury to consumers;
The processing of sensitive data; and
Any processing operations involving personal data that put customers at heightened risk of harm.

Processing activities created or generated after January 1, 2026, will be subject to the DPIA requirements.

V. Obligations of Data Processors

The HCDPA imposes obligations on data processors where processors must assist the controller, including:

Taking into account the processing and the data that the processor has access to, using the necessary organizational and technological safeguards to the extent that it is practically possible to assist the controller's duty to respond to consumer rights requests.
Taking into account the type of processing and the data that the processor has access to in order to assist the controller in fulfilling its responsibilities for the security of processing personal data and notifying third parties of security breaches, and
Giving the controller the information they need to conduct and record data protection assessments.

The processor's data processing practices with regard to processing carried out on behalf of the controller must be governed by a contract between the controller and the processor. The contract must include the processing instructions, the nature and goal of the processing, the categories of data that will be processed, how long the processing will take, and each party's rights and responsibilities.

VI. Data Subject Rights

A. Right to Access

Consumers have the right to confirm whether or not a controller is processing the consumer's personal data and to access such data.

B. Right to Correct Inaccuracies

Consumers have the right to correct inaccuracies in their personal data.

C. Right to Delete

Consumers have the right to delete their personal data being processed by the controller.

D. Right to Obtain a Copy

Consumers have the right to request a copy of their personal data that they have previously given to the controller in a format that is portable and readily usable. If the processing is carried out by automated means, it enables consumers to transfer the data to another controller without issues.

E. Right to Opt-Out

Consumers have the right to opt-out of the processing of personal data for targeted advertising, to be sold, or to be used for profiling in support of decisions made by the controller that affect their ability to access or receive financial and lending services, housing, insurance, education, criminal justice, employment opportunities, health care services, or basic necessities like food and water.

Appointment of an Authorized Agent

Consumers have the option to designate an individual to serve as their authorized agent, act on their behalf, or opt-out of the processing of their personal data.

If a controller is able to independently confirm the identity of the consumer and the authorized agent's legal capacity to act on the consumer's behalf, it must comply with the opt-out request received from the authorized agent.

Processing of Minors

When a known child's personal data is processed, the child's parent or legal guardian may use their right to exercise consumer rights on the child's behalf. The guardian or conservator of the consumer may exercise the consumer's rights in the event that processing personal data pertaining to the consumer is subject to a conservatorship, guardianship, or other protective arrangement.

Response Period of Consumer Rights

Upon receipt of the consumer request, a controller is required to provide a prompt response to the customer, ideally within 45 days. When it is deemed reasonably necessary, taking into account the complexity and volume of the consumer's requests, the response period may be extended once by an additional 45 days. However, the controller must notify the consumer of the extension within the first 45-day response period, along with the reason for the extension.

When a controller decides not to act on a consumer's request, they must notify the consumer in writing of their decision, the reason they chose not to act, and how to appeal the decision. This notification must be sent to the consumer as soon as possible but no later than 45 days after the request is received.

A controller should provide information at no cost to a consumer up to two times a year in response to the consumer's request. The controller may refuse to act upon a consumer request or impose a reasonable price to offset the administrative expenses of complying with the request if it is clearly excessive, repeated, or manifestly unfounded. It will be the controller's responsibility to prove that the request is obviously excessive, repeated, or manifestly unfounded.

Appeal Process

Every controller must set up an appeals procedure that enables a consumer to challenge a controller's decision not to act on a request within a fair amount of time after the consumer receives the decision. The appeals procedure must resemble the procedure for submitting requests to take action.

A controller must notify the consumer in writing of its decision, together with a documented justification for the decision, within sixty (60) days of receiving an appeal. In addition, if the consumer's appeal is rejected, the controller is required to provide them access to an online complaint portal or another means of contacting the department.

VII. Regulatory Authority

The Department of the Attorney General has the exclusive authority to enforce the HCDPA. The Department must provide a controller or processor with a 30-day written notice outlining the precise provisions that have been violated.

No action will be taken against the controller or processor if, during the 30-day period, the controller or processor resolves the alleged violation and submits to the department a clear written statement that the alleged violation has been resolved and that there won't be any more violations.

VIII. Penalties for Non-Compliance

The Department of the Attorney General may bring an action in the name of the State, request an injunction to stop any HCDPA violations and seek to impose civil penalties of no more than $7,500 for each violation if a controller or processor continues to violate the HCDPA after the cure period has passed or violates the express written statement that was initially provided to the Department.

IX. How an Organization Can Operationalize HCDPA

Organizations can operationalize Hawaii's Consumer Data Protection Act (HCDPA) by:

Establishing clearly defined policies and procedures for processing data in compliance with HCDPA’s provisions;
Developing clear and accessible understandable privacy notices that comply with HCDPA’s requirements;
Obtaining explicit consent from users before processing their personal data;
Developing a robust framework for receiving and processing data requests, complaints, and appeals from consumers; and
Train employees who handle the consumers’ data on the organization's policies and procedures and the requirements of the HCDPA.

X. How Securiti Can Help

Securiti’s Data Command Center enables organizations to comply with Hawaii's Consumer Data Protection Act (HCDPA) by securing the organization’s data, enabling organizations to maximize data value, and fulfilling an organization’s obligations around data security, data privacy, data governance, and compliance.

Organizations can overcome hyperscale data environment challenges by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, enabling organizations to swiftly comply with privacy, security, governance, and compliance requirements.

Request a demo to learn more.