Hawaii Data Privacy Laws: Constitutional Privacy & Consumer Rights (2026)

Hawaii takes a unique approach to data privacy among U.S. states. While the state has not enacted a comprehensive consumer data protection law, it offers something most states do not: an explicit constitutional right to privacy. This constitutional foundation, combined with targeted statutes covering data breach notification, Social Security number protection, and records disposal, creates a framework that businesses operating in Hawaii must navigate carefully.

This guide covers every major Hawaii data privacy protection, the obligations businesses must meet, your rights as a consumer, and the legislative changes taking effect in 2026.

Hawaii's Constitutional Right to Privacy

Hawaii stands apart from nearly every other state in the country by explicitly recognizing a right to privacy in its state constitution. This is not implied or inferred from other provisions. It is stated directly.

Article I, Section 6: Right to Privacy

Article I, Section 6 of the Hawaii State Constitution states:

"The right of the people to privacy is recognized and shall not be infringed without the showing of a compelling state interest. The legislature shall take affirmative steps to implement this right."

This provision was added in 1978 when the Hawaii State Constitutional Convention proposed it and the electorate approved it. Hawaii was among the first states to adopt such an explicit privacy guarantee.

The significance of this language cannot be overstated. The government cannot infringe on your privacy unless it demonstrates a compelling state interest, which is the highest standard of judicial review. The constitution also places an affirmative duty on the legislature to pass laws that protect privacy, rather than simply prohibiting government overreach.

Article I, Section 7: Searches, Seizures, and Invasion of Privacy

Article I, Section 7 provides additional privacy protection:

"The right of the people to be secure in their persons, houses, papers and effects against unreasonable searches, seizures and invasions of privacy shall not be violated; and no warrants shall issue but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched and the persons or things to be seized or the communications sought to be intercepted."

This provision mirrors the federal Fourth Amendment but goes further by explicitly including "invasions of privacy" in its protections. It also specifically addresses the interception of communications, providing a textual basis for protecting digital privacy that many other state constitutions lack.

Together, Sections 6 and 7 give Hawaii residents stronger constitutional privacy protections than residents of most other states.

Data Breach Notification Law (HRS Chapter 487N)

Hawaii's primary data privacy statute is the Security Breach of Personal Information Act, codified as HRS Chapter 487N. This law establishes requirements for how businesses and government agencies must respond when personal information is compromised.

Who Must Comply

The law applies to three categories of entities:

• Any business that owns or licenses personal information of Hawaii residents
• Any business that conducts business in Hawaii and owns or licenses personal information in any form, whether computerized, paper, or otherwise
• Any government agency that collects personal information for specific government purposes

The law does not set a minimum size threshold. A small business with even one Hawaii customer whose personal information is breached must comply.

What Triggers a Notification

A security breach is defined as any unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information where illegal use of the personal information has occurred, or is reasonably likely to occur, and where such unauthorized access and acquisition creates a risk of harm to a person.

The law does not apply to information that is encrypted or redacted, as long as the encryption key itself was not also accessed or acquired during the breach.

Definition of Personal Information (Current Law)

Under the current statute, personal information means an individual's first name or first initial and last name combined with one or more of the following data elements when either the name or the data elements are not encrypted or redacted:

• Social Security number
• Driver's license number or Hawaii identification card number
• Account number, credit or debit card number, access code, or password that would permit access to an individual's financial account

Notification Requirements

Once a breach is discovered, the affected business or agency must notify affected individuals without unreasonable delay. The law allows reasonable time for the business to:

• Determine sufficient contact information for affected individuals
• Determine the scope of the breach
• Restore the reasonable integrity, security, and confidentiality of the data system
• Accommodate the legitimate needs of law enforcement

Hawaii does not set a specific number of days for notification, unlike states such as Texas (60 days) or Florida (30 days). The standard is "without unreasonable delay," which gives businesses some flexibility but also creates uncertainty about compliance.

Notice to Government Agencies

When a business notifies more than 1,000 persons at one time, it must also provide written notice without unreasonable delay to:

• The Hawaii Office of Consumer Protection (OCP)
• All consumer reporting agencies that compile and maintain files on consumers on a nationwide basis

The OCP maintains a public database of reported security breaches dating back to 2007, including the entity name, breach type, number of Hawaii residents affected, and copies of notification letters.

Substitute Notice

If the cost of providing direct notice would exceed $100,000, the affected class exceeds 200,000 persons, or the business does not have sufficient contact information, the business may provide substitute notice through:

• Email notice if email addresses are available
• Conspicuous posting on the business's website
• Notification to major statewide media

Penalties

Any business that violates any provision of HRS Chapter 487N is subject to penalties of not more than $2,500 for each violation. The Attorney General or the executive director of the Office of Consumer Protection may bring an enforcement action.

Hawaii residents who are adversely affected by a data breach may also bring a civil action seeking actual damages and attorney fees.

2026 Amendments: Expanded Breach Notification (SB 3016)

The Hawaii Legislature passed SB 3016 during the 2026 session, which significantly expands the scope of Hawaii's breach notification law. The amendments take effect on July 1, 2026.

New Definition: Identifier

The amended law introduces the concept of an "identifier," which encompasses common pieces of information used to identify an individual. This includes:

• An individual's name, including the combination of first name and any initials
• User names for online accounts
• Mobile or home telephone numbers
• Email addresses specific to the individual

New Definition: Specified Data Element

The law also adds a new category of "specified data element" that includes nine types of sensitive information:

• Social Security numbers, including the last four or more digits
• Driver's license or state identification card numbers
• Taxpayer identification numbers
• Military identification numbers
• Passport numbers
• Financial account numbers, credit card numbers, or debit card numbers (unless truncated)
• Security codes, access codes, personal identification numbers, or passwords that would allow access to financial accounts
• Biometric data, including fingerprints, voice prints, and iris images
• Health insurance identification numbers
• Private authentication keys

How the Definition Changes

Under the amended law, "personal information" means an identifier combined with one or more specified data elements, when either the identifier or the data elements are not encrypted, redacted, or otherwise rendered unreadable or unusable.

This is a substantial expansion. The previous law only covered three categories of data elements. The 2026 amendments add biometric data, health insurance identifiers, taxpayer identification numbers, military IDs, passport numbers, and private authentication keys.

Insurance Data Security Law Compliance

SB 3016 also adds licensees subject to the Insurance Data Security Law (HRS Chapter 431, Article 3B) to the list of businesses automatically deemed compliant with Hawaii's breach notification requirements. This recognizes that insurance companies already face stringent data security obligations under their own regulatory framework.

Social Security Number Protection (HRS Chapter 487J)

HRS Chapter 487J provides specific protections for Social Security numbers. The law restricts how businesses and government agencies may use, display, and transmit Social Security numbers.

Key Prohibitions

Businesses and government agencies in Hawaii may not:

• Intentionally communicate or make available to the general public an individual's Social Security number
• Print an individual's Social Security number on any card required for the individual to access products or services
• Require an individual to transmit a Social Security number over the internet unless the connection is secure or the number is encrypted
• Require an individual to use a Social Security number to access a website unless a password or unique personal identification number is also required
• Print an individual's Social Security number on any materials mailed to the individual unless required by law

Government Agency Oversight

Each government agency must designate an employee to have policy and oversight responsibilities for the protection of personal information. This designated employee is responsible for ensuring compliance with the chapter's requirements.

Reporting Requirements

Government agencies must submit a written report to the legislature within 20 days after discovering a material occurrence of a Social Security number disclosure prohibited by the chapter. The report must include:

• The nature of the incident
• The number of individuals affected
• Any procedures implemented to prevent recurrence

Penalties

Violations of HRS Chapter 487J carry penalties of not more than $2,500 for each violation. The Attorney General or the executive director of the Office of Consumer Protection may bring enforcement actions.

Exemptions

The law exempts Social Security numbers that have been redacted and documents or records that are required to be open to the public under the constitution or laws of the State, court rules, or court orders.

Destruction of Personal Information Records (HRS Chapter 487R)

Hawaii's records disposal law (HRS Chapter 487R) requires businesses and government agencies to take reasonable measures when disposing of records that contain personal information.

Requirements

Any business or government agency that conducts business in Hawaii and maintains or possesses personal information of a Hawaii resident must take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal.

Businesses must describe their procedures for adequate destruction or proper disposal of personal records as official policy in their written documents.

Third-Party Disposal

A business or government agency may satisfy its obligations by entering into a written contract with another party engaged in the business of records destruction. The contract must require the third party to destroy personal information in a manner consistent with the statute.

Disposal Business Requirements

Companies in the business of disposing records containing personal information must implement and monitor compliance with policies and procedures that protect against unauthorized access to or use of personal information during or after collection, transportation, and disposing of such information.

Government Reporting

Government agencies must submit a written report to the legislature within 20 days after discovering a material occurrence of unauthorized access to personal information records in connection with or after their disposal.

Unfair and Deceptive Trade Practices (HRS Section 480-2)

While not a data privacy statute in the traditional sense, Hawaii's unfair and deceptive acts or practices law (HRS Section 480-2) plays a significant role in data privacy enforcement.

Unfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce are unlawful in Hawaii. This means businesses that make misleading privacy promises, fail to follow their own privacy policies, or engage in deceptive data practices can face enforcement action.

The Office of Consumer Protection is the primary agency responsible for reviewing, investigating, and prosecuting allegations of unfair or deceptive trade practices. The Attorney General may also bring enforcement actions.

Penalties

Violations of HRS Section 480-2 carry fines of not less than $500 and not more than $10,000 for each violation. This makes UDAP enforcement potentially more costly than violations of the breach notification law.

Uniform Information Practices Act (HRS Chapter 92F)

The Uniform Information Practices Act (UIPA), codified as HRS Chapter 92F, governs how government agencies handle personal information. The Office of Information Practices (OIP) administers this law.

Public Records and Privacy Balance

The UIPA establishes that all government records are open to public inspection unless access is restricted or closed by law. However, the law explicitly recognizes that this policy of openness must be balanced against the constitutional right to privacy in Article I, Sections 6 and 7.

Privacy Protections

Section 92F-13 permits agencies to withhold records that would constitute a clearly unwarranted invasion of personal privacy. Protected categories include:

• Medical, psychiatric, or psychological records
• Criminal investigation details and informant identities
• Social Security numbers
• Financial information and creditworthiness data
• Personnel files and employment misconduct details
• Information creating a substantial and demonstrable risk of physical harm

Section 92F-14 establishes the balancing test: disclosure is permissible when the public interest in disclosure outweighs the privacy interests of the individual. The section lists ten categories where people have a significant privacy interest, including medical history, criminal investigation records, welfare eligibility, and financial information.

Individuals' Rights

Under the UIPA, individuals have the right to access government records containing their personal information and request corrections to inaccurate records. Agencies must respond to requests during regular business hours.

Insurance Data Security Law (HRS Chapter 431, Article 3B)

Hawaii adopted the Insurance Data Security Law based on the National Association of Insurance Commissioners model law. This statute applies specifically to insurance licensees operating in the state.

Key Requirements

Each licensee must develop, implement, and maintain a comprehensive written information security program based on a risk assessment. The program must contain administrative, technical, and physical safeguards for the protection of nonpublic information, proportionate to the size and complexity of the licensee.

Cybersecurity Event Notification

Licensees must notify the Insurance Commissioner as promptly as possible, but no later than three business days, after determining that a cybersecurity event impacting 250 or more consumers has occurred.

Annual Certification

Insurance licensees must file annual certifications of compliance with the Commissioner, with filings due starting March 31, 2023.

Employee and Student Online Privacy Protection (Act 2021)

In 2021, Hawaii enacted the Uniform Employee and Student Online Privacy Protection Act through HB 125. This law prohibits employers and educational institutions from accessing the personal online accounts of employees, job applicants, students, and prospective students.

What Employers Cannot Do

Under this law, employers in Hawaii cannot:

• Require employees or job applicants to provide passwords or access to personal online accounts, including social media
• Demand that employees or applicants log into personal accounts in the employer's presence
• Require employees to add the employer or an agent to their contacts or connections on personal accounts
• Retaliate against employees who refuse to provide access to personal accounts

What Schools Cannot Do

Educational institutions cannot access students' personal online accounts, including social media or non-school email accounts. The same prohibitions that apply to employers apply to schools regarding students and prospective students.

Enforcement

The Attorney General may bring a civil action for violations, with penalties of up to $1,000 per violation and a cap of $100,000 for all violations caused by the same event. Employees and students may also bring their own civil actions.

2026 Legislative Developments

Hawaii's legislature continues to consider additional privacy protections beyond the SB 3016 amendments to the breach notification law.

SB 1163: Geolocation and Browser Data Protection

SB 1163 passed the Hawaii Senate in March 2026 and would prohibit the sale of geolocation information and internet browser information without consumer consent. The bill also prohibits the sale of data collected through eavesdropping or through applications operating in the background that use a device's microphone.

The legislature found that the unregulated sale of mobile device users' geolocation information, particularly data pertaining to sensitive locations like reproductive health clinics, poses significant implications for the civil rights and liberties of Hawaii residents and visitors.

The bill establishes exemptions for lawful investigations by law enforcement agencies, customer proprietary network information, and certain telecommunications carriers.

Comprehensive Privacy Law Efforts

Hawaii has considered comprehensive consumer data privacy legislation in multiple sessions. The Consumer Data Protection Act (SB 3018) was introduced in the 2024 session, proposing consumer rights to access, correct, delete, and opt out of the sale of personal data. A similar bill, SB 1037, was introduced in 2025.

Neither bill has been enacted. Hawaii remains among the states that have not passed a comprehensive consumer data privacy law. As of March 2026, twenty states have enacted comprehensive privacy laws.

Federal Privacy Laws That Apply in Hawaii

Because Hawaii lacks a comprehensive state privacy law, federal statutes play an important role in protecting consumer data for Hawaii residents.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA protects health information held by covered entities, including health care providers, health plans, and health care clearinghouses. Hawaii residents' medical records are protected under HIPAA's Privacy Rule and Security Rule, regardless of the absence of a state health data privacy law.

Gramm-Leach-Bliley Act (GLBA)

The GLBA requires financial institutions to explain their information-sharing practices and to safeguard sensitive data. Banks, credit unions, insurance companies, and other financial institutions serving Hawaii customers must comply with GLBA's privacy and safeguarding provisions.

Children's Online Privacy Protection Act (COPPA)

COPPA protects the online privacy of children under 13. Websites and online services directed at children or that knowingly collect information from children under 13 must obtain verifiable parental consent and meet other requirements.

Fair Credit Reporting Act (FCRA)

The FCRA regulates how consumer reporting agencies collect, disseminate, and use consumer information, including credit reports. Hawaii residents have the right to dispute inaccurate information and to place fraud alerts or credit freezes under this law.

FTC Act Section 5

The Federal Trade Commission enforces Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in commerce. The FTC has used this authority to bring enforcement actions against companies with inadequate data security practices or deceptive privacy policies, protecting consumers in all states including Hawaii.

More Hawaii Laws

• Hawaii Recording Laws
• Hawaii Hit and Run Laws
• Hawaii Car Seat Laws
• Hawaii Statute of Limitations
• Hawaii Lemon Laws
• Hawaii Whistleblower Laws
• Hawaii Child Support Laws
• Hawaii Dog Bite Laws

This article is for informational purposes only and does not constitute legal advice. Data privacy laws change frequently, and enforcement interpretations evolve over time. Consult a licensed attorney in Hawaii for advice about your specific situation. Last reviewed: March 2026.