Hawaii Revised Statutes
487J. Personal Information Protection
487J-6 Unlawful use of identification card or driver's license.

§487J-6 Unlawful use of identification card or driver's license. (a) No business may scan the machine-readable zone of an individual's identification card or driver's license, except for the following purposes:
(1) To verify authenticity of the identification card or driver's license or to verify the identity of the individual if the individual pays for goods or services with a method other than cash, returns an item, or requests a refund or an exchange;
(2) To verify the individual's age when providing age-restricted goods or services to the individual if there is a reasonable doubt of the individual having reached the minimum age required for purchasing the age-restricted goods or services;
(3) To prevent fraud or other criminal activity if the individual returns an item or requests a refund or an exchange and the business uses a fraud prevention service company or system. Information collected by scanning an individual's identification card or driver's license pursuant to this subsection shall be limited to the following information from the individual:
(A) Name;
(B) Address;
(C) Date of birth; and
(D) Driver's license number or identification card number;
(4) To establish or maintain a contractual relationship. Information collected by scanning the individual's identification card or driver's license pursuant to this subsection shall be limited to the following information from the individual:
(A) Name;
(B) Address;
(C) Date of birth; and
(D) Driver's license number or identification card number;
(5) To record, retain, or transmit information as required by state or federal law;
(6) To transmit information to a consumer reporting agency, financial institution, or debt collector to be used as permitted by the federal Fair Credit Reporting Act, Gramm-Leach-Bliley Act, or the Fair Debt Collection Practices Act; and
(7) To record, retain, or transmit information by a covered entity governed by the medical privacy and security rules issued by the federal Department of Health and Human Services, parts 160 and 164 of title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996.
(b) No business shall retain any information obtained pursuant to subsection (a), except as permitted in subsections (a)(3) through (7).
(c) No business shall sell or disseminate to a third party any information obtained under this section for any purpose, including marketing, advertising, or promotional activities, except as permitted in subsections (a)(3) through (7).
(d) A business covered under this section shall make reasonable efforts, through systems testing and other means, to ensure that the requirements of this chapter are met.
(e) Any waiver of a provision of this section is contrary to public policy and is void and unenforceable.
(f) For purposes of this section:
"Consumer reporting agency" shall have the same meaning as in the federal Fair Credit Reporting Act, title 15 United States Code section 1681a(f).
"Covered entity" shall have the same meaning as in the security rules issued by the federal Department of Health and Human Services, parts 160 and 164 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and [Accountability] Act of 1996.
"Debt collector" shall have the same meaning as in the federal Fair Debt Collection Practices Act, title 15 United States Code section 1692a.
"Financial institution" shall have the same meaning as in the federal Gramm-Leach-Bliley Act, title 15 United States Code section 6809. [L 2012, c 191, §1; am L 2013, c 195, § §1, 3; am L 2014, c 67, § §1, 2]