Privacy Laws in Hawaii: What You Need to Know

Hawaii occupies a unique position in American privacy law. It is one of only a handful of states whose constitution explicitly guarantees the right to privacy, yet it still lacks a comprehensive consumer data protection statute. That constitutional foundation, combined with targeted laws on data breaches, data brokers, and sensitive data sales, gives Hawaii residents a patchwork of meaningful protections — but also significant gaps. Here is what you need to know in 2026.

Hawaii's Constitutional Right to Privacy

In 1978, Hawaii voters approved an amendment adding a right to privacy to Article I, Section 6 of the state constitution. The provision is direct: "The right of the people to privacy is recognized and shall not be infringed without the showing of a compelling state interest. The legislature shall take affirmative steps to implement this right."

This matters because it provides a stronger baseline than the federal Constitution, which has no explicit privacy right. The Hawaii Supreme Court has interpreted this provision broadly, applying it to informational privacy, personal autonomy, and government surveillance. While the constitutional right primarily constrains government action rather than private companies, it has shaped the way Hawaii legislators approach privacy bills and has given courts a clear mandate to protect individual privacy interests.

Data Breach Notification Law (HRS Chapter 487N)

Hawaii's data breach notification statute, codified in HRS Chapter 487N, requires any business or government agency that experiences a breach of personal information to notify affected Hawaii residents. The key requirements include:

• Timing: Notification must occur "without unreasonable delay," consistent with law enforcement needs and the time required to determine the scope of the breach.
• Content: Notices must describe the breach, the types of personal information involved, and steps consumers can take to protect themselves.
• Methods: Businesses may notify residents by written notice, telephone, or electronic notice. Substitute notice (such as a website posting plus media notification) is permitted when the cost of direct notice exceeds $100,000, the affected group exceeds 200,000 individuals, or the business lacks sufficient contact information.
• Large-scale breaches: If more than 1,000 individuals are affected, the business must also notify Hawaii's Office of Consumer Protection and all nationwide consumer reporting agencies.
• Penalties: Violations carry penalties of up to $2,500 per violation, enforced by the Attorney General or the Office of Consumer Protection.

Personal Information Protection Act (HRS Chapter 487J)

HRS Chapter 487J addresses several aspects of personal data handling in Hawaii:

• Social Security number protections: Businesses are restricted in how they can display, transmit, and use Social Security numbers. They cannot print SSNs on cards, require SSNs to be transmitted over unsecured connections, or publicly post or display them.
• Reasonable security safeguards: Businesses that maintain personal information of Hawaii residents must implement and maintain reasonable security measures to protect that data from unauthorized access.
• Data broker registration: Data brokers operating in Hawaii must register annually with the Office of Consumer Protection and disclose their opt-out, consent, and breach policies. If a broker permits consumers to opt out, it must disclose this fact along with whether a third party can submit opt-out requests on the consumer's behalf.
• Deletion rights: When a consumer submits a deletion request to a data broker, the broker must delete all of the consumer's personal information at least once every 45 days.

Restrictions on Sensitive Data Sales

Hawaii has taken a notably stricter approach to certain categories of sensitive data. Under existing law, no company may sell geolocation data, audio data, or internet browser data collected from a Hawaii resident unless it has obtained prior express opt-in authorization from that individual.

This is an important distinction. Most state privacy laws use an opt-out model for data sales, meaning companies can sell your information unless you proactively object. Hawaii flips this standard for location, audio, and browsing data, requiring affirmative consent before any sale can occur. In 2026, the legislature is advancing SB 1163 to strengthen these protections further by prohibiting the sale of geolocation and browser data entirely without consent and extending restrictions to data collected through background microphone access on mobile devices.

How Hawaii Compares to Other States

Hawaii's privacy framework differs from states with comprehensive privacy laws in several important ways:

• No broad consumer rights framework: States like California, Virginia, and Colorado give residents the right to access, correct, delete, and port their data from most businesses above a certain size. Hawaii provides these rights only in narrow contexts, such as data broker deletion requests.
• Stronger on sensitive data: Hawaii's opt-in requirement for selling geolocation, audio, and browser data is stricter than most state laws, which typically only require opt-in consent for a broader but differently defined category of "sensitive data."
• Constitutional backing: Very few states have an explicit constitutional right to privacy. This gives Hawaii courts and legislators a stronger foundation to build upon, even if the statutory framework is still developing.
• Data broker registration: Hawaii's requirement that data brokers register with the state and disclose their opt-out policies is a meaningful transparency mechanism that many states lack.

What Hawaii Residents Can Do Now

You do not need to wait for a comprehensive privacy law to protect your personal information. Here are practical steps you can take today:

1. Opt out of data brokers: Sites like Spokeo, Whitepages, BeenVerified, and dozens of others publish Hawaii residents' home addresses, phone numbers, relatives, and more. Each site has its own opt-out process, and they frequently re-list your information after removal.
2. Exercise your deletion rights: Under HRS 487J, you can submit deletion requests directly to data brokers. They must honor your request within 45 days.
3. Check for breach notifications: Visit the Hawaii DCCA Office of Consumer Protection website to review recent security breach notices and see if any of your accounts may have been affected.
4. Freeze your credit: Contact Equifax, Experian, and TransUnion to place a free credit freeze, preventing anyone from opening new accounts in your name.
5. Use strong, unique passwords: Especially important given the expanded breach notification definitions taking effect in 2026, which now include email-plus-password combinations.
6. Review app permissions: Given Hawaii's protections around geolocation and microphone data, review which apps on your phone have access to your location and microphone and revoke access for any you do not actively use.

How PrivacyOn Helps Hawaii Residents

Opting out of data brokers one at a time is tedious and temporary — most brokers re-scrape public records and re-list your information within weeks. PrivacyOn automates the entire process for Hawaii residents. We submit opt-out and deletion requests to over 100 data broker sites, continuously monitor for reappearances, and re-file removals whenever your data resurfaces. Combined with dark web monitoring and family plan options, PrivacyOn gives you ongoing protection that keeps pace with the data broker ecosystem.

Looking Ahead

Hawaii's legislature continues to push for stronger privacy protections. SB 1163, which passed the state Senate in March 2026, would further restrict the sale of geolocation and browser data. Advocates and lawmakers have also signaled continued interest in a comprehensive consumer privacy bill in future sessions. With its constitutional privacy guarantee as a foundation, Hawaii is well positioned to eventually join the growing list of states with full consumer data protection laws.

In the meantime, the most effective strategy for Hawaii residents is to combine the targeted rights you already have — data broker deletion, breach notification, and sensitive data sale restrictions — with proactive steps like opting out of data brokers and monitoring your digital footprint. The tools exist today to take control of your personal information, even while the law catches up.