Hawaii 2022 Regular Session

Hawaii Senate Bill SB1009 Compare Versions

Only one version of the bill is available at this time.

Old	New	Differences
1	1	THE SENATE S.B. NO. 1009 THIRTY-FIRST LEGISLATURE, 2021 STATE OF HAWAII A BILL FOR AN ACT RELATING TO PRIVACY. BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:
2	2
3	3	THE SENATE S.B. NO. 1009
4	4	THIRTY-FIRST LEGISLATURE, 2021
5	5	STATE OF HAWAII
6	6
7	7	THE SENATE
8	8
9	9	S.B. NO.
10	10
11	11	1009
12	12
13	13	THIRTY-FIRST LEGISLATURE, 2021
14	14
15	15
16	16
17	17	STATE OF HAWAII
18	18
19	19
20	20
21	21
22	22
23	23
24	24
25	25
26	26
27	27
28	28
29	29
30	30
31	31	A BILL FOR AN ACT
32	32
33	33
34	34
35	35
36	36
37	37	RELATING TO PRIVACY.
38	38
39	39
40	40
41	41
42	42
43	43	BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:
44	44
45	45
46	46
47	47	PART I SECTION 1. The legislature finds that House Concurrent Resolution No. 225, Senate Draft 1, Regular Session of 2019, established the twenty-first century privacy law task force, whose membership consisted of individuals in government and the private sector having an interest or expertise in privacy law in the digital era. The resolution found that public use of the internet and related technologies has significantly expanded in recent years and that a lack of meaningful government regulation has resulted in personal privacy being compromised. Accordingly, the legislature requested that the task force examine and make recommendations regarding existing privacy laws and regulations to protect the privacy interests of the people of Hawaii. The legislature further finds that the task force considered a spectrum of related privacy issues that have been raised in Hawaii and other states in recent years. Numerous states have begun to address the heightened and unique privacy risks that threaten individuals in the digital era of the twenty-first century. Dozens of states have already adopted components of privacy law contained in this Act. California has enacted a comprehensive privacy act, and states such as Minnesota, New York, Virginia, and Washington have considered comprehensive privacy legislation in recent legislative sessions. The legislature finds that, following significant inquiry and discussion, the task force made the following various recommendations. The task force recommended that the definition of "personal information" in chapter 487N, Hawaii Revised Statutes, should be updated and expanded, as the current definition of "personal information" is outdated. Individuals face too many identifying data elements that, when exposed to the public in a data breach, place an individual at risk of identity theft or may compromise the individual's personal safety. Chapter 487N, which requires the public to be notified of data breaches, is not, it its current form, comprehensive enough to cover the additional identifiers. Accordingly, that chapter's definition of "personal information" should be updated and expanded to include various personal identifiers and data elements that are found in more comprehensive laws. The task force recommended that explicit consent be required before an individual's geolocation data may be shared or sold to a third party. Numerous reports have been raise in which a person's real time location is identified, allowing the person to be tracked without that person's knowledge or consent by third parties, who in turn share or sell the real time location. This scenario creates serious privacy and safety concerns. The task force also recommended that explicit consent be required before an individual's internet browser history and content accessed may be shared or sold to a third party. The task force further recommended that, in order to align state law with the holding by the Supreme Court of the United States in Carpenter v. United States, 138 S. Ct. 2206 (2018), and current law enforcement practice, the Hawaii Revised Statutes should be amended to: (1) Require law enforcement entities to obtain a search warrant before accessing a person's electronic communications in non-exigent or non-consensual circumstances; and (2) Authorize governmental entities to request, and authorize courts to approve, the delay of notification of law enforcement access to electronic communications up to the deadline to provide discovery in criminal cases. Lastly, the task force recommended that the State protect the privacy of a person's likeness by adopting laws that prohibit the unauthorized use of deep fake technology, which is improving rapidly, and easily sharable on social media. Accordingly, the purpose of this Act is to implement the recommendations of the twenty-first century privacy law task force. PART II SECTION 2. Section 487N-1, Hawaii Revised Statutes, is amended as follows: 1. By adding two new definitions to be appropriately inserted and to read: ""Identifier" means a common piece of information related specifically to an individual, that is commonly used to identify that individual across technology platforms, including a first name or initial, and last name; a user name for an online account; a phone number; or an email address. "Specified data element" means any of the following: (1) An individual's social security number, either in its entirety or the last four or more digits; (2) Driver's license number, federal or state identification card number, or passport number; (3) A federal individual taxpayer identification number; (4) An individual's financial account number or credit or debit card number; (5) A security code, access code, personal identification number, or password that would allow access to an individual's account; (6) Health insurance policy number, subscriber identification number, or any other unique number used by a health insurer to identify a person; (7) Medical history, medical treatment by a health care professional, diagnosis of mental or physical condition by a health care professional, or deoxyribonucleic acid profile; (8) Unique biometric data generated from a measurement or analysis of human body characteristics used for authentication purposes, such as a fingerprint, voice print, retina or iris image, or other unique physical or digital representation of biometric data; and (9) A private key that is unique to an individual and that is used to authenticate or sign an electronic record." 2. By amending the definition of "personal information" to read: ""Personal information" means an [individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number; (2) Driver's license number or Hawaii identification card number; or (3) Account number, credit or debit card number, access code, or password that would permit access to an individual's financial account.] identifier in combination with one or more specified data elements. "Personal information" [does] shall not include publicly available information that is lawfully made available to the general public from federal, state, or local government records." SECTION 3. Section 487N-2, Hawaii Revised Statutes, is amended by amending subsection (g) to read as follows: "(g) The following businesses shall be deemed to be in compliance with this section: (1) A financial institution that is subject to the federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice published in the Federal Register on March 29, 2005, by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision, or subject to 12 C.F.R. Part 748, and any revisions, additions, or substitutions relating to the interagency guidance; and (2) Any health plan or healthcare provider and its business associates that [is] are subject to and in compliance with the standards for privacy or individually identifiable health information and the security standards for the protection of electronic health information of the Health Insurance Portability and Accountability Act of 1996." PART III SECTION 4. Chapter 481B, Hawaii Revised Statutes, is amended by adding two new sections to part I to be appropriately designated and to read as follows: "§481B- Sale of geolocation information without consent is prohibited. (a) No person, in any manner, or by any means, shall sell or offer for sale geolocation information that is recorded or collected through any means by a mobile device or location-based application without the explicit consent of the individual who is the primary user of the device or application. (b) As used in this section: "Consent" means prior express opt-in authorization that may be revoked by the user at any time. "Emergency" means the imminent or actual occurrence of an event that is likely to cause extensive injury, death, or property damage. "Geolocation information" means information that is: (1) Not the contents of a communication; (2) Generated by or derived, in whole or in part, from the operation of a mobile device, including, but not limited to, a smart phone, tablet, fitness tracker, e‑reader, or laptop computer; and (3) Sufficient to determine or infer the precise location of the user of the device. "Location-based application" means a software application that is downloaded or installed onto a device or accessed via a web browser and that collects, uses, or stores geolocation information. "Precise location" means any data that locates a user within a geographic area that is equal to or less than the area of a circle having a radius of one mile. "Sale" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a user's geolocation information to another business or a third party for monetary or other valuable consideration. "Sale" shall not include the releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a user's geolocation information for the purpose of responding to an emergency. "User" means a person who purchases or leases a device or installs or uses an application on a mobile device. §481B- Sale of internet browser information without consent is prohibited. (a) No person, in any manner, or by any means, shall sell or offer for sale internet browser information without the explicit consent of the subscriber of the internet service. (b) As used in this section: "Consent" means prior express opt-in authorization that may be revoked by the subscriber at any time. "Internet browser information" means information from a person's use of the Internet, including: (1) Web browsing history; (2) Application usage history; (3) The origin and destination internet protocol addresses; (4) A device identifier, such as a media access control address, international mobile equipment identity, or internet protocol addresses; and (5) The content of the communications comprising the internet activity. "Internet service" means a retail service that provides the capability to transmit data to and receive data through the Internet using a dial-up service, a digital subscriber line, cable modem, fiber optics, wireless radio, satellite, powerline, or other technology used for a similar purpose. "Sale" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, internet browser information to another business or a third party for monetary or other valuable consideration. "Subscriber" means an applicant for or a current or former customer of an internet service." PART IV SECTION 5. Section 803-41, Hawaii Revised Statutes, is amended by adding a new definition to be appropriately inserted and to read as follows: ""Electronically stored data" means any information that is recorded, stored, or maintained in electronic form by an electronic communication service or a remote computing service. "Electronically stored data" includes the contents of communications, transactional records about communications, and records and information that relate to a subscriber, customer, or user of an electronic communication service or a remote computing service." SECTION 6. Section 803-47.6, Hawaii Revised Statutes, is amended to read as follows: "§803-47.6 Requirements for governmental access. (a) [A] Except as otherwise provided by law, a governmental entity may require [the disclosure by] a provider of an electronic communication service [of the contents of an electronic communication] and a provider of a remote computing service to disclose electronically stored data pursuant to a search warrant [only.] or written consent from the customer, subscriber, or user of the service. [(b) A governmental entity may require a provider of remote computing services to disclose the contents of any electronic communication pursuant to a search warrant only. (c) Subsection (b) of this section is applicable to any electronic communication held or maintained on a remote computing service: (1) On behalf of, and received by electronic transmission from (or created by computer processing of communications received by electronic transmission from), a subscriber or customer of the remote computing service; and (2) Solely for the purpose of providing storage or computer processing services to the subscriber or customer, if the provider is not authorized to access the contents of those communications for any purpose other than storage or computer processing. (d)(1) A provider of electronic communication service or remote computing service may disclose a record or other information pertaining to a subscriber to, or customer of, the service (other than the contents of any electronic communication) to any person other than a governmental entity. (2) A provider of electronic communication service or remote computing service shall disclose a record or other information pertaining to a subscriber to, or customer of, the service (other than the contents of an electronic communication) to a governmental entity only when: (A) Presented with a search warrant; (B) Presented with a court order, which seeks the disclosure of transactional records, other than real-time transactional records; (C) The consent of the subscriber or customer to the disclosure has been obtained; or (D) Presented with an administrative subpoena authorized by statute, an attorney general subpoena, or a grand jury or trial subpoena, which seeks the disclosure of information concerning electronic communication, including but not limited to the name, address, local and long distance telephone billing records, telephone number or other subscriber number or identity, and length of service of a subscriber to or customer of the service, and the types of services the subscriber or customer utilized. (3) A governmental entity receiving records or information under this subsection is not required to provide notice to a subscriber or customer. (e) A court order for disclosure under subsection (d) shall issue only if the governmental entity demonstrates probable cause that the records or other information sought, constitute or relate to the fruits, implements, or existence of a crime or are relevant to a legitimate law enforcement inquiry. An order may be quashed or modified if, upon a motion promptly made, the service provider shows that compliance would be unduly burdensome because of the voluminous nature of the information or records requested, or some other stated reason establishing such a hardship.] (b) Unless otherwise authorized by the court, a governmental entity receiving records or information under this section shall provide notice to the subscriber, customer, or user of the service. [(f)] (c) No cause of action shall lie in any court against any provider of wire or electronic communication service, its officers, employees, agents, or other specified persons for providing information, facilities, or assistance in accordance with the terms of a court order, warrant, or subpoena. [(g)] (d) A provider of wire or electronic communication services or a remote computing service, upon the request of a governmental entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a [court order or other process.] search warrant. Records shall be retained for a period of ninety days, which shall be extended for an additional ninety-day period upon a renewed request by the governmental entity." SECTION 7. Section 803-47.7, Hawaii Revised Statutes, is amended as follows: 1. By amending subsection (a) to read: "(a) A governmental entity may include in its [court order] search warrant a requirement that the service provider create a backup copy of the contents of the electronic communication without notifying the subscriber or customer. The service provider shall create the backup copy as soon as practicable, consistent with its regular business practices, and shall confirm to the governmental entity that the backup copy has been made. The backup copy shall be created within two business days after receipt by the service provider of the [subpoena or court order.] warrant." 2. By amending subsection (e) to read: "(e) Within fourteen days after notice by the governmental entity to the subscriber or customer under subsection (b) of this section, the subscriber or customer may file a motion to vacate the [court order,] search warrant, with written notice and a copy of the motion being served on both the governmental entity and the service provider. The motion to vacate a [court order] search warrant shall be filed with the designated judge who issued the [order.] warrant. The motion or application shall contain an affidavit or sworn statement: (1) Stating that the applicant is a customer or subscriber to the service from which the contents of electronic communications are sought; and (2) Setting forth the applicant's reasons for believing that the records sought does not constitute probable cause or there has not been substantial compliance with some aspect of the provisions of this part." 3. By amending subsection (g) to read: "(g) If the court finds that the applicant is not the subscriber or customer whose communications are sought, or that there is reason to believe that the law enforcement inquiry is legitimate and the justification for the communications sought is supported by probable cause, the application or motion shall be denied, and the court shall order the release of the backup copy to the government entity. A court order denying a motion or application shall not be deemed a final order, and no interlocutory appeal may be taken therefrom by the customer. If the court finds that the applicant is a proper subscriber or customer and the justification for the communication sought is not supported by probable cause or that there has not been substantial compliance with the provisions of this part, it shall order vacation of the [order] warrant previously issued." SECTION 8. Section 803-47.8, Hawaii Revised Statutes, is amended as follows: 1. By amending subsection (a) to read: "(a) A governmental entity may as part of a request for a [court order] search warrant to include a provision that notification be delayed for a period not exceeding ninety days or, at the discretion of the court, no later than the deadline to provide discovery in a criminal case, if the court determines that notification of the existence of the court order may have an adverse result." 2. By amending subsection (c) to read: "(c) Extensions of delays in notification may be granted up to ninety days per application to a court[.] or, at the discretion of the court, up to the deadline to provide discovery in a criminal case. Each application for an extension must comply with subsection (e) of this section." 3. By amending subsection (e) to read: "(e) A governmental entity may apply to the designated judge or any other circuit judge or district court judge, if a circuit court judge has not yet been designated by the chief justice of the Hawaii supreme court, or is otherwise unavailable, for an order commanding a provider of an electronic communication service or remote computing service to whom a search warrant, or court order is directed, not to notify any other person of the existence of the search warrant[, or court order] for such period as the court deems appropriate not to exceed ninety days[.] or, at the discretion of the court, no later than the deadline to provide discovery in a criminal case. The court shall enter the order if it determines that there is reason to believe that notification of the existence of the search warrant[, or court order] will result in: (1) Endangering the life or physical safety of an individual; (2) Flight from prosecution; (3) Destruction of or tampering with evidence; (4) Intimidation of potential witnesses; or (5) Otherwise seriously jeopardizing an investigation or unduly delaying a trial." PART V SECTION 9. Section 711-1110.9, Hawaii Revised Statutes, is amended to read as follows: "§711-1110.9 Violation of privacy in the first degree. (1) A person commits the offense of violation of privacy in the first degree if, except in the execution of a public duty or as authorized by law: (a) The person intentionally or knowingly installs or uses, or both, in any private place, without consent of the person or persons entitled to privacy therein, any device for observing, recording, amplifying, or broadcasting another person in a stage of undress or sexual activity in that place; [or] (b) The person knowingly discloses or threatens to disclose an image or video of another identifiable person either in the nude, as defined in section 712‑1210, or engaging in sexual conduct, as defined in section 712-1210, without the consent of the depicted person, with intent to harm substantially the depicted person with respect to that person's health, safety, business, calling, career, education, financial condition, reputation, or personal relationships or as an act of revenge or retribution; [provided that:] or (c) The person intentionally creates or discloses, or threatens to disclose, an image or video of a fictitious person depicted in the nude, as defined in section 712-1210, or engaged in sexual conduct, as defined in section 712-1210, that includes the recognizable physical characteristics of a known person so that the image or video appears to depict the known person and not a fictitious person, with intent to harm substantially the depicted person with respect to that person's health, safety, business, calling, career, education, financial condition, reputation, or personal relationships, or as an act or revenge or retribution. [(i)] (2) This [paragraph] section shall not apply to images or videos of the depicted person made: [(A)] (a) When the person was voluntarily nude in public or voluntarily engaging in sexual conduct in public; or [(B)] (b) Pursuant to a voluntary commercial transaction[; and]. [(ii)] (3) Nothing in this [paragraph] section shall be construed to impose liability on a provider of "electronic communication service" or "remote computing service" as those terms are defined in section 803-41, for an image or video disclosed through the electronic communication service or remote computing service by another person. [(2)] (4) Violation of privacy in the first degree is a class C felony. In addition to any penalties the court may impose, the court may order the destruction of any recording made in violation of this section. [(3)] (5) Any recording or image made or disclosed in violation of this section and not destroyed pursuant to subsection [(2)] (4) shall be sealed and remain confidential." PART VI SECTION 10. This Act does not affect rights and duties that matured, penalties that were incurred, and proceedings that were begun before its effective date. SECTION 11. Statutory material to be repealed is bracketed and stricken. New statutory material is underscored. SECTION 12. This Act shall take effect upon its approval. INTRODUCED BY: _____________________________
48	48
49	49	PART I
50	50
51	51	SECTION 1. The legislature finds that House Concurrent Resolution No. 225, Senate Draft 1, Regular Session of 2019, established the twenty-first century privacy law task force, whose membership consisted of individuals in government and the private sector having an interest or expertise in privacy law in the digital era. The resolution found that public use of the internet and related technologies has significantly expanded in recent years and that a lack of meaningful government regulation has resulted in personal privacy being compromised. Accordingly, the legislature requested that the task force examine and make recommendations regarding existing privacy laws and regulations to protect the privacy interests of the people of Hawaii.
52	52
53	53	The legislature further finds that the task force considered a spectrum of related privacy issues that have been raised in Hawaii and other states in recent years. Numerous states have begun to address the heightened and unique privacy risks that threaten individuals in the digital era of the twenty-first century. Dozens of states have already adopted components of privacy law contained in this Act. California has enacted a comprehensive privacy act, and states such as Minnesota, New York, Virginia, and Washington have considered comprehensive privacy legislation in recent legislative sessions.
54	54
55	55	The legislature finds that, following significant inquiry and discussion, the task force made the following various recommendations.
56	56
57	57	The task force recommended that the definition of "personal information" in chapter 487N, Hawaii Revised Statutes, should be updated and expanded, as the current definition of "personal information" is outdated. Individuals face too many identifying data elements that, when exposed to the public in a data breach, place an individual at risk of identity theft or may compromise the individual's personal safety. Chapter 487N, which requires the public to be notified of data breaches, is not, it its current form, comprehensive enough to cover the additional identifiers. Accordingly, that chapter's definition of "personal information" should be updated and expanded to include various personal identifiers and data elements that are found in more comprehensive laws.
58	58
59	59	The task force recommended that explicit consent be required before an individual's geolocation data may be shared or sold to a third party. Numerous reports have been raise in which a person's real time location is identified, allowing the person to be tracked without that person's knowledge or consent by third parties, who in turn share or sell the real time location. This scenario creates serious privacy and safety concerns.
60	60
61	61	The task force also recommended that explicit consent be required before an individual's internet browser history and content accessed may be shared or sold to a third party.
62	62
63	63	The task force further recommended that, in order to align state law with the holding by the Supreme Court of the United States in Carpenter v. United States, 138 S. Ct. 2206 (2018), and current law enforcement practice, the Hawaii Revised Statutes should be amended to:
64	64
65	65	(1) Require law enforcement entities to obtain a search warrant before accessing a person's electronic communications in non-exigent or non-consensual circumstances; and
66	66
67	67	(2) Authorize governmental entities to request, and authorize courts to approve, the delay of notification of law enforcement access to electronic communications up to the deadline to provide discovery in criminal cases.
68	68
69	69	Lastly, the task force recommended that the State protect the privacy of a person's likeness by adopting laws that prohibit the unauthorized use of deep fake technology, which is improving rapidly, and easily sharable on social media.
70	70
71	71	Accordingly, the purpose of this Act is to implement the recommendations of the twenty-first century privacy law task force.
72	72
73	73	PART II
74	74
75	75	SECTION 2. Section 487N-1, Hawaii Revised Statutes, is amended as follows:
76	76
77	77	1. By adding two new definitions to be appropriately inserted and to read:
78	78
79	79	""Identifier" means a common piece of information related specifically to an individual, that is commonly used to identify that individual across technology platforms, including a first name or initial, and last name; a user name for an online account; a phone number; or an email address.
80	80
81	81	"Specified data element" means any of the following:
82	82
83	83	(1) An individual's social security number, either in its entirety or the last four or more digits;
84	84
85	85	(2) Driver's license number, federal or state identification card number, or passport number;
86	86
87	87	(3) A federal individual taxpayer identification number;
88	88
89	89	(4) An individual's financial account number or credit or debit card number;
90	90
91	91	(5) A security code, access code, personal identification number, or password that would allow access to an individual's account;
92	92
93	93	(6) Health insurance policy number, subscriber identification number, or any other unique number used by a health insurer to identify a person;
94	94
95	95	(7) Medical history, medical treatment by a health care professional, diagnosis of mental or physical condition by a health care professional, or deoxyribonucleic acid profile;
96	96
97	97	(8) Unique biometric data generated from a measurement or analysis of human body characteristics used for authentication purposes, such as a fingerprint, voice print, retina or iris image, or other unique physical or digital representation of biometric data; and
98	98
99	99	(9) A private key that is unique to an individual and that is used to authenticate or sign an electronic record."
100	100
101	101	2. By amending the definition of "personal information" to read:
102	102
103	103	""Personal information" means an [individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
104	104
105	105	(1) Social security number;
106	106
107	107	(2) Driver's license number or Hawaii identification card number; or
108	108
109	109	(3) Account number, credit or debit card number, access code, or password that would permit access to an individual's financial account.]
110	110
111	111	identifier in combination with one or more specified data elements. "Personal information" [does] shall not include publicly available information that is lawfully made available to the general public from federal, state, or local government records."
112	112
113	113	SECTION 3. Section 487N-2, Hawaii Revised Statutes, is amended by amending subsection (g) to read as follows:
114	114
115	115	"(g) The following businesses shall be deemed to be in compliance with this section:
116	116
117	117	(1) A financial institution that is subject to the federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice published in the Federal Register on March 29, 2005, by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision, or subject to 12 C.F.R. Part 748, and any revisions, additions, or substitutions relating to the interagency guidance; and
118	118
119	119	(2) Any health plan or healthcare provider and its business associates that [is] are subject to and in compliance with the standards for privacy or individually identifiable health information and the security standards for the protection of electronic health information of the Health Insurance Portability and Accountability Act of 1996."
120	120
121	121	PART III
122	122
123	123	SECTION 4. Chapter 481B, Hawaii Revised Statutes, is amended by adding two new sections to part I to be appropriately designated and to read as follows:
124	124
125	125	"§481B- Sale of geolocation information without consent is prohibited. (a) No person, in any manner, or by any means, shall sell or offer for sale geolocation information that is recorded or collected through any means by a mobile device or location-based application without the explicit consent of the individual who is the primary user of the device or application.
126	126
127	127	(b) As used in this section:
128	128
129	129	"Consent" means prior express opt-in authorization that may be revoked by the user at any time.
130	130
131	131	"Emergency" means the imminent or actual occurrence of an event that is likely to cause extensive injury, death, or property damage.
132	132
133	133	"Geolocation information" means information that is:
134	134
135	135	(1) Not the contents of a communication;
136	136
137	137	(2) Generated by or derived, in whole or in part, from the operation of a mobile device, including, but not limited to, a smart phone, tablet, fitness tracker, e‑reader, or laptop computer; and
138	138
139	139	(3) Sufficient to determine or infer the precise location of the user of the device.
140	140
141	141	"Location-based application" means a software application that is downloaded or installed onto a device or accessed via a web browser and that collects, uses, or stores geolocation information.
142	142
143	143	"Precise location" means any data that locates a user within a geographic area that is equal to or less than the area of a circle having a radius of one mile.
144	144
145	145	"Sale" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a user's geolocation information to another business or a third party for monetary or other valuable consideration. "Sale" shall not include the releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a user's geolocation information for the purpose of responding to an emergency.
146	146
147	147	"User" means a person who purchases or leases a device or installs or uses an application on a mobile device.
148	148
149	149	§481B- Sale of internet browser information without consent is prohibited. (a) No person, in any manner, or by any means, shall sell or offer for sale internet browser information without the explicit consent of the subscriber of the internet service.
150	150
151	151	(b) As used in this section:
152	152
153	153	"Consent" means prior express opt-in authorization that may be revoked by the subscriber at any time.
154	154
155	155	"Internet browser information" means information from a person's use of the Internet, including:
156	156
157	157	(1) Web browsing history;
158	158
159	159	(2) Application usage history;
160	160
161	161	(3) The origin and destination internet protocol addresses;
162	162
163	163	(4) A device identifier, such as a media access control address, international mobile equipment identity, or internet protocol addresses; and
164	164
165	165	(5) The content of the communications comprising the internet activity.
166	166
167	167	"Internet service" means a retail service that provides the capability to transmit data to and receive data through the Internet using a dial-up service, a digital subscriber line, cable modem, fiber optics, wireless radio, satellite, powerline, or other technology used for a similar purpose.
168	168
169	169	"Sale" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, internet browser information to another business or a third party for monetary or other valuable consideration.
170	170
171	171	"Subscriber" means an applicant for or a current or former customer of an internet service."
172	172
173	173	PART IV
174	174
175	175	SECTION 5. Section 803-41, Hawaii Revised Statutes, is amended by adding a new definition to be appropriately inserted and to read as follows:
176	176
177	177	""Electronically stored data" means any information that is recorded, stored, or maintained in electronic form by an electronic communication service or a remote computing service. "Electronically stored data" includes the contents of communications, transactional records about communications, and records and information that relate to a subscriber, customer, or user of an electronic communication service or a remote computing service."
178	178
179	179	SECTION 6. Section 803-47.6, Hawaii Revised Statutes, is amended to read as follows:
180	180
181	181	"§803-47.6 Requirements for governmental access. (a) [A] Except as otherwise provided by law, a governmental entity may require [the disclosure by] a provider of an electronic communication service [of the contents of an electronic communication] and a provider of a remote computing service to disclose electronically stored data pursuant to a search warrant [only.] or written consent from the customer, subscriber, or user of the service.
182	182
183	183	[(b) A governmental entity may require a provider of remote computing services to disclose the contents of any electronic communication pursuant to a search warrant only.
184	184
185	185	(c) Subsection (b) of this section is applicable to any electronic communication held or maintained on a remote computing service:
186	186
187	187	(1) On behalf of, and received by electronic transmission from (or created by computer processing of communications received by electronic transmission from), a subscriber or customer of the remote computing service; and
188	188
189	189	(2) Solely for the purpose of providing storage or computer processing services to the subscriber or customer, if the provider is not authorized to access the contents of those communications for any purpose other than storage or computer processing.
190	190
191	191	(d)(1) A provider of electronic communication service or remote computing service may disclose a record or other information pertaining to a subscriber to, or customer of, the service (other than the contents of any electronic communication) to any person other than a governmental entity.
192	192
193	193	(2) A provider of electronic communication service or remote computing service shall disclose a record or other information pertaining to a subscriber to, or customer of, the service (other than the contents of an electronic communication) to a governmental entity only when:
194	194
195	195	(A) Presented with a search warrant;
196	196
197	197	(B) Presented with a court order, which seeks the disclosure of transactional records, other than real-time transactional records;
198	198
199	199	(C) The consent of the subscriber or customer to the disclosure has been obtained; or
200	200
201	201	(D) Presented with an administrative subpoena authorized by statute, an attorney general subpoena, or a grand jury or trial subpoena, which seeks the disclosure of information concerning electronic communication, including but not limited to the name, address, local and long distance telephone billing records, telephone number or other subscriber number or identity, and length of service of a subscriber to or customer of the service, and the types of services the subscriber or customer utilized.
202	202
203	203	(3) A governmental entity receiving records or information under this subsection is not required to provide notice to a subscriber or customer.
204	204
205	205	(e) A court order for disclosure under subsection (d) shall issue only if the governmental entity demonstrates probable cause that the records or other information sought, constitute or relate to the fruits, implements, or existence of a crime or are relevant to a legitimate law enforcement inquiry. An order may be quashed or modified if, upon a motion promptly made, the service provider shows that compliance would be unduly burdensome because of the voluminous nature of the information or records requested, or some other stated reason establishing such a hardship.]
206	206
207	207	(b) Unless otherwise authorized by the court, a governmental entity receiving records or information under this section shall provide notice to the subscriber, customer, or user of the service.
208	208
209	209	[(f)] (c) No cause of action shall lie in any court against any provider of wire or electronic communication service, its officers, employees, agents, or other specified persons for providing information, facilities, or assistance in accordance with the terms of a court order, warrant, or subpoena.
210	210
211	211	[(g)] (d) A provider of wire or electronic communication services or a remote computing service, upon the request of a governmental entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a [court order or other process.] search warrant. Records shall be retained for a period of ninety days, which shall be extended for an additional ninety-day period upon a renewed request by the governmental entity."
212	212
213	213	SECTION 7. Section 803-47.7, Hawaii Revised Statutes, is amended as follows:
214	214
215	215	1. By amending subsection (a) to read:
216	216
217	217	"(a) A governmental entity may include in its [court order] search warrant a requirement that the service provider create a backup copy of the contents of the electronic communication without notifying the subscriber or customer. The service provider shall create the backup copy as soon as practicable, consistent with its regular business practices, and shall confirm to the governmental entity that the backup copy has been made. The backup copy shall be created within two business days after receipt by the service provider of the [subpoena or court order.] warrant."
218	218
219	219	2. By amending subsection (e) to read:
220	220
221	221	"(e) Within fourteen days after notice by the governmental entity to the subscriber or customer under subsection (b) of this section, the subscriber or customer may file a motion to vacate the [court order,] search warrant, with written notice and a copy of the motion being served on both the governmental entity and the service provider. The motion to vacate a [court order] search warrant shall be filed with the designated judge who issued the [order.] warrant. The motion or application shall contain an affidavit or sworn statement:
222	222
223	223	(1) Stating that the applicant is a customer or subscriber to the service from which the contents of electronic communications are sought; and
224	224
225	225	(2) Setting forth the applicant's reasons for believing that the records sought does not constitute probable cause or there has not been substantial compliance with some aspect of the provisions of this part."
226	226
227	227	3. By amending subsection (g) to read:
228	228
229	229	"(g) If the court finds that the applicant is not the subscriber or customer whose communications are sought, or that there is reason to believe that the law enforcement inquiry is legitimate and the justification for the communications sought is supported by probable cause, the application or motion shall be denied, and the court shall order the release of the backup copy to the government entity. A court order denying a motion or application shall not be deemed a final order, and no interlocutory appeal may be taken therefrom by the customer. If the court finds that the applicant is a proper subscriber or customer and the justification for the communication sought is not supported by probable cause or that there has not been substantial compliance with the provisions of this part, it shall order vacation of the [order] warrant previously issued."
230	230
231	231	SECTION 8. Section 803-47.8, Hawaii Revised Statutes, is amended as follows:
232	232
233	233	1. By amending subsection (a) to read:
234	234
235	235	"(a) A governmental entity may as part of a request for a [court order] search warrant to include a provision that notification be delayed for a period not exceeding ninety days or, at the discretion of the court, no later than the deadline to provide discovery in a criminal case, if the court determines that notification of the existence of the court order may have an adverse result."
236	236
237	237	2. By amending subsection (c) to read:
238	238
239	239	"(c) Extensions of delays in notification may be granted up to ninety days per application to a court[.] or, at the discretion of the court, up to the deadline to provide discovery in a criminal case. Each application for an extension must comply with subsection (e) of this section."
240	240
241	241	3. By amending subsection (e) to read:
242	242
243	243	"(e) A governmental entity may apply to the designated judge or any other circuit judge or district court judge, if a circuit court judge has not yet been designated by the chief justice of the Hawaii supreme court, or is otherwise unavailable, for an order commanding a provider of an electronic communication service or remote computing service to whom a search warrant, or court order is directed, not to notify any other person of the existence of the search warrant[, or court order] for such period as the court deems appropriate not to exceed ninety days[.] or, at the discretion of the court, no later than the deadline to provide discovery in a criminal case. The court shall enter the order if it determines that there is reason to believe that notification of the existence of the search warrant[, or court order] will result in:
244	244
245	245	(1) Endangering the life or physical safety of an individual;
246	246
247	247	(2) Flight from prosecution;
248	248
249	249	(3) Destruction of or tampering with evidence;
250	250
251	251	(4) Intimidation of potential witnesses; or
252	252
253	253	(5) Otherwise seriously jeopardizing an investigation or unduly delaying a trial."
254	254
255	255	PART V
256	256
257	257	SECTION 9. Section 711-1110.9, Hawaii Revised Statutes, is amended to read as follows:
258	258
259	259	"§711-1110.9 Violation of privacy in the first degree. (1) A person commits the offense of violation of privacy in the first degree if, except in the execution of a public duty or as authorized by law:
260	260
261	261	(a) The person intentionally or knowingly installs or uses, or both, in any private place, without consent of the person or persons entitled to privacy therein, any device for observing, recording, amplifying, or broadcasting another person in a stage of undress or sexual activity in that place; [or]
262	262
263	263	(b) The person knowingly discloses or threatens to disclose an image or video of another identifiable person either in the nude, as defined in section 712‑1210, or engaging in sexual conduct, as defined in section 712-1210, without the consent of the depicted person, with intent to harm substantially the depicted person with respect to that person's health, safety, business, calling, career, education, financial condition, reputation, or personal relationships or as an act of revenge or retribution; [provided that:] or
264	264
265	265	(c) The person intentionally creates or discloses, or threatens to disclose, an image or video of a fictitious person depicted in the nude, as defined in section 712-1210, or engaged in sexual conduct, as defined in section 712-1210, that includes the recognizable physical characteristics of a known person so that the image or video appears to depict the known person and not a fictitious person, with intent to harm substantially the depicted person with respect to that person's health, safety, business, calling, career, education, financial condition, reputation, or personal relationships, or as an act or revenge or retribution.
266	266
267	267	[(i)] (2) This [paragraph] section shall not apply to images or videos of the depicted person made:
268	268
269	269	[(A)] (a) When the person was voluntarily nude in public or voluntarily engaging in sexual conduct in public; or
270	270
271	271	[(B)] (b) Pursuant to a voluntary commercial transaction[; and].
272	272
273	273	[(ii)] (3) Nothing in this [paragraph] section shall be construed to impose liability on a provider of "electronic communication service" or "remote computing service" as those terms are defined in section 803-41, for an image or video disclosed through the electronic communication service or remote computing service by another person.
274	274
275	275	[(2)] (4) Violation of privacy in the first degree is a class C felony. In addition to any penalties the court may impose, the court may order the destruction of any recording made in violation of this section.
276	276
277	277	[(3)] (5) Any recording or image made or disclosed in violation of this section and not destroyed pursuant to subsection [(2)] (4) shall be sealed and remain confidential."
278	278
279	279	PART VI
280	280
281	281	SECTION 10. This Act does not affect rights and duties that matured, penalties that were incurred, and proceedings that were begun before its effective date.
282	282
283	283	SECTION 11. Statutory material to be repealed is bracketed and stricken. New statutory material is underscored.
284	284
285	285	SECTION 12. This Act shall take effect upon its approval.
286	286
287	287
288	288
289	289	INTRODUCED BY: _____________________________
290	290
291	291	INTRODUCED BY:
292	292
293	293	_____________________________
294	294
295	295
296	296
297	297
298	298
299	299	Report Title: Privacy; Attorney General; Personal Information; Geolocation Information; Search Warrants; Notice; Deep Fakes Description: Amends the definition of "personal information" for the purpose of applying modern security breach of personal information law. Prohibits the sale of geolocation information and internet browser information without consent. Amends provisions relating to electronic eavesdropping law. Prohibits certain manipulated images of individuals. The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.
300	300
301	301
302	302
303	303
304	304
305	305	Report Title:
306	306
307	307	Privacy; Attorney General; Personal Information; Geolocation Information; Search Warrants; Notice; Deep Fakes
308	308
309	309
310	310
311	311	Description:
312	312
313	313	Amends the definition of "personal information" for the purpose of applying modern security breach of personal information law. Prohibits the sale of geolocation information and internet browser information without consent. Amends provisions relating to electronic eavesdropping law. Prohibits certain manipulated images of individuals.
314	314
315	315
316	316
317	317
318	318
319	319
320	320
321	321	The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.