Hawaii Data Privacy Laws: Constitutional Privacy & Consumer Rights (2026)

Hawaii has no comprehensive consumer data privacy law. Instead, the state relies on an explicit constitutional right to privacy under Article I, Section 6, sectoral statutes including the breach notification law under HRS Chapter 487N, and federal protections such as HIPAA and the GLBA to safeguard residents' personal information.

Hawaii takes a unique approach to data privacy among U.S. states. While the state has not enacted a comprehensive consumer data protection law, it offers something most states do not: an explicit constitutional right to privacy. This constitutional foundation, combined with targeted statutes covering data breach notification, Social Security number protection, and records disposal, creates a framework that businesses operating in Hawaii must navigate carefully.

This guide covers every major Hawaii data privacy protection, the obligations businesses must meet, your rights as a consumer, and what happened in the 2026 legislative session.

Hawaii's Constitutional Right to Privacy

Hawaii stands apart from nearly every other state in the country by explicitly recognizing a right to privacy in its state constitution. This is not implied or inferred from other provisions. It is stated directly.

Article I, Section 6: Right to Privacy

Article I, Section 6 of the Hawaii State Constitution states:

"The right of the people to privacy is recognized and shall not be infringed without the showing of a compelling state interest. The legislature shall take affirmative steps to implement this right."

This provision was added in 1978 when the Hawaii State Constitutional Convention proposed it and the electorate approved it. Hawaii was among the first states to adopt such an explicit privacy guarantee.

The significance of this language cannot be overstated. The government cannot infringe on your privacy unless it demonstrates a compelling state interest, which is the highest standard of judicial review. The constitution also places an affirmative duty on the legislature to pass laws that protect privacy, rather than simply prohibiting government overreach.

Article I, Section 7: Searches, Seizures, and Invasion of Privacy

Article I, Section 7 provides additional privacy protection:

"The right of the people to be secure in their persons, houses, papers and effects against unreasonable searches, seizures and invasions of privacy shall not be violated; and no warrants shall issue but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched and the persons or things to be seized or the communications sought to be intercepted."

This provision mirrors the federal Fourth Amendment but goes further by explicitly including "invasions of privacy" in its protections. It also specifically addresses the interception of communications, providing a textual basis for protecting digital privacy that many other state constitutions lack.

Together, Sections 6 and 7 give Hawaii residents stronger constitutional privacy protections than residents of most other states.

Data Breach Notification Law (HRS Chapter 487N)

Hawaii's primary data privacy statute is the Security Breach of Personal Information Act, codified as HRS Chapter 487N. This law establishes requirements for how businesses and government agencies must respond when personal information is compromised.

Who Must Comply

The law applies to three categories of entities:

• Any business that owns or licenses personal information of Hawaii residents
• Any business that conducts business in Hawaii and owns or licenses personal information in any form, whether computerized, paper, or otherwise
• Any government agency that collects personal information for specific government purposes

The law does not set a minimum size threshold. A small business with even one Hawaii customer whose personal information is breached must comply.

What Triggers a Notification

A security breach is defined as any unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information where illegal use of the personal information has occurred, or is reasonably likely to occur, and where such unauthorized access and acquisition creates a risk of harm to a person.

The law does not apply to information that is encrypted or redacted, as long as the encryption key itself was not also accessed or acquired during the breach.

Definition of Personal Information

Under HRS Chapter 487N, personal information means an individual's first name or first initial and last name combined with one or more of the following data elements when either the name or the data elements are not encrypted or redacted:

• Social Security number
• Driver's license number or Hawaii identification card number
• Account number, credit or debit card number, access code, or password that would permit access to an individual's financial account

Notification Requirements

Once a breach is discovered, the affected business or agency must notify affected individuals without unreasonable delay. The law allows reasonable time for the business to:

• Determine sufficient contact information for affected individuals
• Determine the scope of the breach
• Restore the reasonable integrity, security, and confidentiality of the data system
• Accommodate the legitimate needs of law enforcement

Hawaii does not set a specific number of days for notification, unlike states such as Texas (60 days) or Florida (30 days). The standard is "without unreasonable delay," which gives businesses some flexibility but also creates uncertainty about compliance.

Notice to Government Agencies

When a business notifies more than 1,000 persons at one time, it must also provide written notice without unreasonable delay to:

• The Hawaii Office of Consumer Protection (OCP)
• All consumer reporting agencies that compile and maintain files on consumers on a nationwide basis

The OCP maintains a public database of reported security breaches dating back to 2007, including the entity name, breach type, number of Hawaii residents affected, and copies of notification letters.

Substitute Notice

If the cost of providing direct notice would exceed $100,000, the affected class exceeds 200,000 persons, or the business does not have sufficient contact information, the business may provide substitute notice through:

• Email notice if email addresses are available
• Conspicuous posting on the business's website
• Notification to major statewide media

Penalties

Any business that violates any provision of HRS Chapter 487N is subject to penalties of not more than $2,500 for each violation. The Attorney General or the executive director of the Office of Consumer Protection may bring an enforcement action.

Hawaii residents who are adversely affected by a data breach may also bring a civil action seeking actual damages and attorney fees.

2026 Legislative Session: Attempted Breach Notification Expansion

The Hawaii Legislature considered SB 3016 during the 2026 session, a bill that would have significantly expanded the scope of Hawaii's breach notification law. The bill passed the Senate unanimously (25-0) on March 10, 2026, and advanced through the House Consumer Protection Committee (49-0) on March 24, 2026. However, SB 3016 stalled in the House Judiciary and Hawaiian Affairs Committee and died when the legislature adjourned sine die on May 8, 2026 without enacting it.

As a result, HRS Chapter 487N remains unchanged from its current form. The expansions described in earlier versions of this page did not become law.

What SB 3016 Would Have Done

The bill would have introduced an "identifier" concept covering names, usernames, phone numbers, and email addresses, and a "specified data element" category adding nine types of sensitive information: Social Security numbers (including last four digits), driver's license numbers, taxpayer identification numbers, military identification numbers, passport numbers, financial account and card numbers, security codes and PINs, biometric data (fingerprints, voice prints, iris images), and health insurance identification numbers. It would also have explicitly deemed insurance licensees compliant with breach notification requirements if they already comply with the Insurance Data Security Law. None of these changes took effect.

Social Security Number Protection (HRS Chapter 487J)

HRS Chapter 487J provides specific protections for Social Security numbers. The law restricts how businesses and government agencies may use, display, and transmit Social Security numbers.

Key Prohibitions

Businesses and government agencies in Hawaii may not:

• Intentionally communicate or make available to the general public an individual's Social Security number
• Print an individual's Social Security number on any card required for the individual to access products or services
• Require an individual to transmit a Social Security number over the internet unless the connection is secure or the number is encrypted
• Require an individual to use a Social Security number to access a website unless a password or unique personal identification number is also required
• Print an individual's Social Security number on any materials mailed to the individual unless required by law

Government Agency Oversight

Each government agency must designate an employee to have policy and oversight responsibilities for the protection of personal information. This designated employee is responsible for ensuring compliance with the chapter's requirements.

Reporting Requirements

Government agencies must submit a written report to the legislature within 20 days after discovering a material occurrence of a Social Security number disclosure prohibited by the chapter. The report must include:

• The nature of the incident
• The number of individuals affected
• Any procedures implemented to prevent recurrence

Penalties

Violations of HRS Chapter 487J carry penalties of not more than $2,500 for each violation. The Attorney General or the executive director of the Office of Consumer Protection may bring enforcement actions.

Destruction of Personal Information Records (HRS Chapter 487R)

Hawaii's records disposal law (HRS Chapter 487R) requires businesses and government agencies to take reasonable measures when disposing of records that contain personal information.

Requirements

Any business or government agency that conducts business in Hawaii and maintains or possesses personal information of a Hawaii resident must take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal.

Businesses must describe their procedures for adequate destruction or proper disposal of personal records as official policy in their written documents.

Third-Party Disposal

A business or government agency may satisfy its obligations by entering into a written contract with another party engaged in the business of records destruction. The contract must require the third party to destroy personal information in a manner consistent with the statute.

Government Reporting

Government agencies must submit a written report to the legislature within 20 days after discovering a material occurrence of unauthorized access to personal information records in connection with or after their disposal.

Unfair and Deceptive Trade Practices (HRS Section 480-2)

While not a data privacy statute in the traditional sense, Hawaii's unfair and deceptive acts or practices law (HRS Section 480-2) plays a significant role in data privacy enforcement.

Unfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce are unlawful in Hawaii. This means businesses that make misleading privacy promises, fail to follow their own privacy policies, or engage in deceptive data practices can face enforcement action.

The Office of Consumer Protection is the primary agency responsible for reviewing, investigating, and prosecuting allegations of unfair or deceptive trade practices. The Attorney General may also bring enforcement actions.

Penalties

Violations of HRS Section 480-2 carry fines of not less than $500 and not more than $10,000 for each violation. This makes UDAP enforcement potentially more costly than violations of the breach notification law.

Uniform Information Practices Act (HRS Chapter 92F)

The Uniform Information Practices Act (UIPA), codified as HRS Chapter 92F, governs how government agencies handle personal information. The Office of Information Practices (OIP) administers this law.

Public Records and Privacy Balance

The UIPA establishes that all government records are open to public inspection unless access is restricted or closed by law. However, the law explicitly recognizes that this policy of openness must be balanced against the constitutional right to privacy in Article I, Sections 6 and 7.

Privacy Protections

Section 92F-13 permits agencies to withhold records that would constitute a clearly unwarranted invasion of personal privacy. Protected categories include:

• Medical, psychiatric, or psychological records
• Criminal investigation details and informant identities
• Social Security numbers
• Financial information and creditworthiness data
• Personnel files and employment misconduct details
• Information creating a substantial and demonstrable risk of physical harm

Section 92F-14 establishes the balancing test: disclosure is permissible when the public interest in disclosure outweighs the privacy interests of the individual. The section lists ten categories where people have a significant privacy interest, including medical history, criminal investigation records, welfare eligibility, and financial information.

Individuals' Rights

Under the UIPA, individuals have the right to access government records containing their personal information and request corrections to inaccurate records. Agencies must respond to requests during regular business hours.

Insurance Data Security Law (HRS Chapter 431, Article 3B)

Hawaii adopted the Insurance Data Security Law based on the National Association of Insurance Commissioners model law. This statute applies specifically to insurance licensees operating in the state.

Key Requirements

Each licensee must develop, implement, and maintain a comprehensive written information security program based on a risk assessment. The program must contain administrative, technical, and physical safeguards for the protection of nonpublic information, proportionate to the size and complexity of the licensee.

Cybersecurity Event Notification

Licensees must notify the Insurance Commissioner as promptly as possible, but no later than three business days, after determining that a cybersecurity event impacting 250 or more consumers has occurred.

Annual Certification

Insurance licensees must file annual certifications of compliance with the Commissioner.

Employee and Student Online Privacy Protection (Act 2021)

In 2021, Hawaii enacted the Uniform Employee and Student Online Privacy Protection Act through HB 125. This law prohibits employers and educational institutions from accessing the personal online accounts of employees, job applicants, students, and prospective students.

What Employers Cannot Do

Under this law, employers in Hawaii cannot:

• Require employees or job applicants to provide passwords or access to personal online accounts, including social media
• Demand that employees or applicants log into personal accounts in the employer's presence
• Require employees to add the employer or an agent to their contacts or connections on personal accounts
• Retaliate against employees who refuse to provide access to personal accounts

What Schools Cannot Do

Educational institutions cannot access students' personal online accounts, including social media or non-school email accounts. The same prohibitions that apply to employers apply to schools regarding students and prospective students.

Enforcement

The Attorney General may bring a civil action for violations, with penalties of up to $1,000 per violation and a cap of $100,000 for all violations caused by the same event. Employees and students may also bring their own civil actions.

Genetic Information Nondiscrimination

Hawaii does not have a standalone consumer genetic data privacy law. Governor Ige vetoed SB 2032, the Hawaii Genetic Information Privacy Act, in July 2022. The bill would have required direct-to-consumer genetic testing companies to adhere to specific consent, use, and disclosure requirements for genetic data. No replacement law has been enacted.

Two narrower sectoral protections do exist. Under HRS Chapter 378, employers in Hawaii may not discriminate in hiring, discharge, or conditions of employment based on an individual's genetic information, including that of family members. Under HRS Section 431:10A-118, health insurers may not use genetic information to deny coverage, determine eligibility, or set premium rates.

For direct-to-consumer genetic testing, consumers in Hawaii must rely on the companies' own privacy policies and federal protections, including FTC Act Section 5 enforcement for deceptive practices.

Federal Privacy Laws That Apply in Hawaii

Because Hawaii lacks a comprehensive state privacy law, federal statutes play an important role in protecting consumer data for Hawaii residents.

TAKE IT DOWN Act (Pub. L. 119-12)

The TAKE IT DOWN Act was signed into law on May 19, 2025. It creates a federal criminal prohibition on publishing nonconsensual intimate visual depictions, including AI-generated deepfakes. The platform takedown obligations took effect on May 19, 2026: covered platforms (public websites and apps that primarily host user-generated content) must now maintain a public notice-and-removal process and act on valid takedown requests within 48 hours. The FTC enforces platform compliance as an unfair or deceptive act or practice under FTC Act Section 5.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA protects health information held by covered entities, including health care providers, health plans, and health care clearinghouses. Hawaii residents' medical records are protected under HIPAA's Privacy Rule and Security Rule regardless of the absence of a state health data privacy law.

Gramm-Leach-Bliley Act (GLBA)

The GLBA requires financial institutions to explain their information-sharing practices and to safeguard sensitive data. Banks, credit unions, insurance companies, and other financial institutions serving Hawaii customers must comply with GLBA's privacy and safeguarding provisions.

Children's Online Privacy Protection Act (COPPA)

COPPA protects the online privacy of children under 13. Websites and online services directed at children or that knowingly collect information from children under 13 must obtain verifiable parental consent and meet other requirements.

Fair Credit Reporting Act (FCRA)

The FCRA regulates how consumer reporting agencies collect, disseminate, and use consumer information, including credit reports. Hawaii residents have the right to dispute inaccurate information and to place fraud alerts or credit freezes under this law.

FTC Act Section 5

The Federal Trade Commission enforces Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in commerce. The FTC has used this authority to bring enforcement actions against companies with inadequate data security practices or deceptive privacy policies, protecting consumers in all states including Hawaii.

More Hawaii Laws

• Hawaii AI Meeting Recording Laws
• Hawaii Alimony Laws
• Hawaii At-Will Employment Laws
• Hawaii Car Accident Laws
• Hawaii Car Seat Laws
• Hawaii Child Custody Laws
• Hawaii Child Support Laws
• Hawaii Common Law Marriage Laws
• Hawaii Deepfake Laws
• Hawaii Divorce Laws
• Hawaii Dog Bite Laws
• Hawaii Emancipation Laws
• Hawaii Expungement Laws
• Hawaii Hit and Run Laws
• Hawaii Landlord-Tenant Laws
• Hawaii Lemon Laws

This article is for informational purposes only and does not constitute legal advice. Data privacy laws change frequently, and enforcement interpretations evolve over time. Consult a licensed attorney in Hawaii for advice about your specific situation. Last reviewed: May 2026.