THIRTY-SECOND LEGISLATURE, 2023
STATE OF HAWAII
A BILL FOR AN ACT
relating to biometric information privacy.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:
SECTION 1. The legislature finds that the use of biometric identifiers and biometric information is growing in the business and security screening sectors. Biometric data can be used to facilitate financial transactions, airport screenings, criminal investigations, building access, and for other tasks where identity verification is important.
However, the legislature recognizes that the full ramifications of biometric information are not fully known and that biometric information is at heightened risk for identity theft. Biometric data is unique to the individual and cannot be changed, so if a person's information is compromised, the person may have little recourse.
The legislature believes that it is in the best interest of public safety to ensure that biometric identifiers and biometric information are properly safeguarded.
Accordingly, the purpose of this Act is to establish standards for the collection, storage, retention, and destruction of biometric identifiers and biometric information by private entities.
SECTION 2. The Hawaii Revised Statutes is amended by adding a new chapter to be appropriately designated and to read as follows:
biometric information privacy
§ -1 Short title. This chapter shall be known and may be cited as the Hawaii Biometric Information Privacy Act.
§ -2 Definitions. As used in this chapter, unless the context otherwise requires:
"Biometric identifier" means a retina or iris scan, fingerprint, voiceprint, or scan of the hand or face geometry. Biometric identifiers do not include:
(1) Writing samples;
(2) Written signatures;
(4) Human biological samples used for valid scientific testing or screening;
(5) Demographic data;
(6) Tattoo descriptions;
(7) Physical descriptions, including height, weight, hair color, or eye color;
(8) Donated organs, tissues, or other anatomical body parts stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency;
(9) Blood or serum;
(10) Biological materials regulated under the federal Genetic Information Privacy Act;
(11) Information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996; and
(12) Mammography, or other images or film of the human anatomy, used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.
"Biometric information" means any information, regardless of how it is captured, converted, stored or shared, that is based on an individual's biometric identifier and used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.
"Confidential and sensitive information" means personal information that can be used to uniquely identify an individual, or an individual's account or property. Confidential and sensitive information includes:
(1) Genetic markers;
(2) Genetic testing information;
(3) A unique identifier number used to locate an account or property;
(4) An account number;
(5) A personal identification number;
(6) A pass code;
(7) A driver's license number; or
(8) A social security number.
"Private entity" means an individual, partnership, corporation, limited liability company, association, or other group, however organized. A private entity does not include:
(1) A state or county agency; or
(2) A clerk, judge, or justice of any state or federal court.
"Written release" means informed written consent or, in the context of employment, a release executed by an employee as a condition of employment.
§ -3 Retention; collection; disclosure; destruction. (a) Each private entity in possession of biometric identifiers or biometric information shall develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining the identifiers or information has been satisfied, or within three years of the person's last interaction with the private entity, whichever occurs first. Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private entity in possession of biometric identifiers or biometric information shall comply with its established retention schedule and destruction guidelines.
(b) No private entity shall collect, capture, purchase, receive through trade, or otherwise obtain a person's biometric identifier or biometric information, unless the private entity first:
(1) Informs the subject or the subject's legally authorized representative, in writing, that a biometric identifier or biometric information is being collected or stored;
(2) Informs the subject or the subject's legally authorized representative, in writing, of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
(3) Receives a written release executed by the subject of the biometric identifier or biometric information, or the subject's legally authorized representative.
(c) No private entity in possession of a biometric identifier or biometric information shall sell, lease, trade, or otherwise profit from a person's biometric identifier or biometric information.
(d) No private entity in possession of a biometric identifier or biometric information shall disclose, redisclose, or otherwise disseminate a person's biometric identifier or biometric information, unless:
(1) The subject of the biometric identifier or biometric information, or the subject's legally authorized representative, provides a written release;
(2) The disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or biometric information, or the subject matter's legally authorized representative;
(3) The disclosure or redisclosure is required by state or federal law or county ordinance; or
(4) The disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
(e) Each private entity in possession of a biometric identifier or biometric information shall store, transmit, and protect from disclosure all biometric identifiers and biometric information:
(1) Using the reasonable standard of care within the private entity's industry; and
(2) In a manner that is at least as protective as the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.
§ -4 Right of action. (a) Any person aggrieved by a violation of this Act shall have a right of action in a state circuit court or as a supplemental claim in federal district court against the offending party.
(b) A prevailing party may recover for each violation:
(1) Against a private entity that negligently violates a provision of this Act, liquidated damages of $1,000, or actual damages, whichever is greater;
(2) Against a private entity that intentionally or recklessly violates a provision of this Act, liquidated damages of $5,000, or actual damages, whichever is greater;
(3) Reasonable attorneys' fees and cost, including expert witness fees and other litigation expenses; and
(4) Other relief, including injunctive relief, as the court deems appropriate.
§ -5 Construction. Nothing in this chapter shall be construed to:
(1) Impact the admission or discovery of biometric identifiers or biometric information in any court action, or before any tribunal, board, agency, or person;
(2) Conflict with the federal Health Insurance Portability Act of 1996 or any rules promulgated thereunder;
(3) Apply to a financial institution or affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated thereunder;
(4) Conflict with any state laws or rules requiring data retention; or
(5) Apply to a contractor, subcontractor, or agent of a state or county agency when working on behalf of the State or county."
SECTION 3. This Act does not affect rights and duties that matured, penalties that were incurred, and proceedings that were begun before its effective date.
SECTION 4. This Act shall take effect upon its approval.
Biometric Identifiers; Biometric Information; Privacy
Establishes standards for the collection, storage, retention, and destruction of biometric identifiers and biometric information by private entities.