Relating To Consumer Data Protection.
The bill is set to amend the Hawaii Revised Statutes by introducing a new chapter that establishes important definitions and guidelines for handling consumer data. This includes the establishment of a 'Consumer Privacy Special Fund' funded by civil penalties, which will support the enforcement of the provisions of this bill. With an effective date of July 1, 2025, it directs state resources towards ensuring compliance, which could significantly change how businesses operate in Hawaii. It aims to enhance consumer trust and align local laws with modern data privacy standards.
SB1037, known as the Consumer Data Protection Act, is a legislative proposal under the State of Hawaii aimed at regulating the processing of personal data by businesses. The bill seeks to establish a comprehensive framework that outlines the rights of consumers regarding their personal data and the responsibilities of 'controllers' and 'processors' who handle such information. Specific emphasis is placed on the need for consent before processing personal data, and the bill delineates several consumer rights, including the right to access and delete their data as well as opt-out of data sales.
Despite its potential benefits, SB1037 has faced criticism. Proponents argue that the bill protects consumer privacy rights, thus increasing accountability among businesses dealing with personal data. However, opponents, including some business groups, have expressed concerns that the bill could impose significant compliance costs and operational challenges, particularly for small businesses. The bill's exclusions of certain entities such as governmental bodies and nonprofits have also raised questions about its breadth and applicability.
The act defines 'consumer' as a natural person acting in a private capacity and explicitly excludes data pertaining to public entities and organizations. It also outlines the penalties that the governing body may impose for breaches of the act, with a civil penalty ceiling of $7,500 for each violation. Moreover, it includes clauses about the use and processing of 'sensitive data' and mandates a data protection assessment for specified data handling practices, thereby enforcing a higher level of scrutiny in consumer data management.