Hawaii Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Hawaii does not have a standalone biometric privacy law like the Illinois Biometric Information Privacy Act (BIPA) or the Texas Capture or Use of Biometric Identifier Act. Instead, the state protects biometric information through its data breach notification statute, its constitutional right to privacy, and its consumer protection framework.

If you collect fingerprints, facial scans, or other biometric identifiers from Hawaii residents, you need to understand how these overlapping protections apply to your organization. This guide breaks down every relevant Hawaii law, recent legislative changes, and what businesses and individuals should expect going forward.

For the full picture of Hawaii's broader privacy framework, see our parent guide on [Hawaii Data Privacy Laws](/us-laws/data-privacy-laws/hawaii-data-privacy-laws).

How HRS Chapter 487N Covers Biometric Data

Hawaii's primary biometric protection comes from the Security Breach of Personal Information Act (HRS Chapter 487N). This is a breach notification law, not a consent or collection law. It does not regulate how businesses collect or use biometric data. It requires businesses to notify affected individuals when biometric data is compromised in a security breach.

What Biometric Data Is Covered

Under HRS 487N-1, a "specified data element" includes data generated from a measurement or analysis of human body characteristics used for authentication purposes. The statute specifically lists:

• Fingerprints
• Voice prints
• Retina or iris images
• Other unique physical or digital representations of biometric data

The key phrase is "used for authentication purposes." Biometric data collected purely for research, general identification, or non-authentication functions may fall outside this definition. If your business uses fingerprint scans to unlock doors or verify employee identity at time clocks, that data qualifies.

When Breach Notification Is Required

A business must notify affected Hawaii residents when there has been unauthorized access to and acquisition of unencrypted records containing personal information, and that access creates a risk of harm. Under the statute, "personal information" includes an individual's name combined with one or more specified data elements, including biometric data.

Notification must happen "without unreasonable delay." Hawaii does not set a specific day count, unlike states such as Florida (30 days) or Texas (60 days). This flexibility standard means businesses should act promptly once they understand the scope of the breach.

Who Must Comply

Three categories of entities fall under the law:

• Any business that owns or licenses personal information of Hawaii residents
• Any business conducting business in Hawaii that owns or licenses personal information in any form
• Any government agency that collects personal information

There is no minimum company size or revenue threshold. A small employer with a single Hawaii-based employee whose fingerprint scan data is breached must comply.

Hawaii's Constitutional Privacy Protections

Hawaii offers something most states do not: an explicit constitutional right to privacy that can strengthen biometric privacy claims.

Article I, Section 6

Article I, Section 6 of the Hawaii State Constitution states:

"The right of the people to privacy is recognized and shall not be infringed without the showing of a compelling state interest. The legislature shall take affirmative steps to implement this right."

Added by voters in 1978, this provision applies the highest standard of judicial review (compelling state interest) to government intrusions on privacy. It also places an affirmative duty on the legislature to pass laws protecting privacy.

How This Affects Biometric Data

The constitutional right to privacy primarily restricts government action. A state agency that collects employee fingerprints or uses facial recognition technology in public spaces must demonstrate a compelling interest to justify that collection.

For private businesses, the constitutional provision has indirect effects. Courts may interpret statutes more broadly in favor of privacy protections, and the legislature's constitutional duty to protect privacy drives ongoing efforts to pass stronger biometric data laws.

Article I, Section 7

Section 7 provides additional protection by prohibiting unreasonable "invasions of privacy," going beyond the federal Fourth Amendment. This provision gives Hawaii courts an independent constitutional basis for challenging biometric surveillance or data collection by government agencies.

SB 3016: Expanded Biometric Breach Protections (2026)

The Hawaii Legislature passed SB 3016 in 2026, which strengthens biometric data protections within the breach notification framework. The bill passed the Senate 25-0 and is moving through the House with strong bipartisan support.

What Changes for Biometric Data

SB 3016 updates the definition of "personal information" under HRS Chapter 487N and formally codifies "specified data element" as a category. Biometric data is listed explicitly among nine types of specified data elements:

• Social Security numbers (including last four or more digits)
• Driver's license or state ID numbers
• Taxpayer identification numbers
• Military identification numbers
• Passport numbers
• Financial account numbers
• Security codes, PINs, or passwords for financial accounts
• Biometric data (fingerprints, voice prints, iris images)
• Health insurance identification numbers
• Private authentication keys

The bill also introduces a new "identifier" definition that broadens what counts as identifying information, including names, usernames, phone numbers, and email addresses.

Effective Date

SB 3016 takes effect July 1, 2026. Businesses collecting or storing biometric data from Hawaii residents should prepare for expanded notification obligations by that date.

Failed Biometric Privacy Legislation: SB 1085

Hawaii lawmakers have attempted to pass a dedicated biometric privacy statute. SB 1085, modeled after Illinois BIPA, was introduced in the 2023 legislative session. The bill would have required:

• Written consent before collecting biometric identifiers
• Published retention and destruction policies
• A prohibition on selling or profiting from biometric data
• A three-year maximum retention period after an individual's last interaction with the collecting entity
• A private right of action allowing individuals to sue for violations

The Senate Committee on Labor and Technology deferred SB 1085 in February 2023, and the bill died without advancing. It was reintroduced in the 2024 session but again did not advance.

This means Hawaii still lacks the consent, purpose limitation, and private right of action provisions found in states like Illinois and Washington. Without SB 1085 or similar legislation, businesses in Hawaii are not required to obtain consent before collecting biometric data from residents.

Consumer Protection as a Biometric Safeguard

Hawaii's Unfair and Deceptive Acts or Practices (UDAP) law (HRS Section 480-2) provides a secondary layer of protection for biometric data. If a business makes promises in its privacy policy about how it handles biometric information and then breaks those promises, it could face enforcement action under this statute.

The Office of Consumer Protection and the Attorney General can bring actions under HRS 480-2. Penalties range from $500 to $10,000 per violation, which is significantly higher than the $2,500 per violation ceiling under the breach notification law.

This matters for employers and businesses that publish privacy policies covering biometric data. If your policy states you will not share fingerprint data with third parties, violating that promise could trigger UDAP liability.

Employer Use of Biometric Data in Hawaii

Hawaii does not have a law specifically governing employer use of biometric data for time tracking, building access, or identity verification. No state statute requires employers to obtain consent before scanning an employee's fingerprint for a biometric time clock.

However, employers should consider these factors:

Breach notification obligations. If an employer stores employee fingerprint or facial scan data and that data is breached, the employer must notify affected employees under HRS Chapter 487N.

Constitutional privacy (government employers). State and county government employers in Hawaii must consider Article I, Sections 6 and 7 before implementing biometric collection programs. A government agency that requires employee fingerprint scans may need to demonstrate a compelling interest.

UDAP exposure. Employers that describe biometric data handling practices in employee handbooks or privacy notices create enforceable expectations. Failing to follow through could constitute a deceptive practice.

Federal considerations. Employers subject to federal regulations, such as those in financial services or healthcare, may have additional obligations under HIPAA, GLBA, or other federal frameworks.

Penalties and Enforcement

Breach Notification Violations

Under HRS Chapter 487N, any business that violates the breach notification requirements faces penalties of up to $2,500 per violation. The Attorney General or the executive director of the Office of Consumer Protection may bring enforcement actions.

Individual Hawaii residents who are adversely affected by a breach may also bring a civil action seeking actual damages and attorney fees.

UDAP Violations

Violations of HRS Section 480-2 carry fines between $500 and $10,000 per violation. Both government enforcement and private lawsuits are available.

No Private Right of Action for Biometric Collection

Because Hawaii does not have a dedicated biometric privacy statute, there is no private right of action for unauthorized biometric data collection itself. Residents cannot sue a business simply for collecting their fingerprints without consent, as they can in Illinois. Legal recourse is limited to breach notification failures and deceptive practices claims.

What to Watch: Future Biometric Legislation

Hawaii's legislative trend suggests stronger biometric protections are coming. Key developments to monitor:

SB 3016 implementation. Once effective on July 1, 2026, businesses must treat biometric data breaches with the same urgency as Social Security number breaches.

Dedicated biometric privacy bills. The repeated introduction of SB 1085 signals ongoing legislative interest in an Illinois-style biometric consent law. Future sessions may see a version that advances further.

Comprehensive privacy law. Hawaii has introduced consumer data protection acts in 2024 and 2025 sessions. If a comprehensive privacy law passes, it would likely include biometric data provisions alongside broader consumer rights.

Geolocation and surveillance data. SB 1163 (2026), which restricts the sale of geolocation and browser data, signals expanding legislative attention to all forms of personal data, including biometrics.

More Hawaii Laws

• Hawaii Recording Laws
• Hawaii Data Privacy Laws
• Hawaii Recording Laws
• Hawaii Dog Bite Laws
• Hawaii Whistleblower Laws
• Hawaii Data Privacy Laws
• Hawaii Recording Laws
• Hawaii Recording Laws

This article is for informational purposes only and does not constitute legal advice. Biometric privacy laws change frequently, and enforcement interpretations evolve over time. Consult a licensed attorney in Hawaii for advice about your specific situation. Last reviewed: March 2026.