Hawaii 2024 Regular Session

Hawaii Senate Bill SB1085 Compare Versions

Only one version of the bill is available at this time.

Old	New	Differences
1	1	THE SENATE S.B. NO. 1085 THIRTY-SECOND LEGISLATURE, 2023 STATE OF HAWAII A BILL FOR AN ACT relating to biometric information privacy. BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:
2	2
3	3	THE SENATE S.B. NO. 1085
4	4	THIRTY-SECOND LEGISLATURE, 2023
5	5	STATE OF HAWAII
6	6
7	7	THE SENATE
8	8
9	9	S.B. NO.
10	10
11	11	1085
12	12
13	13	THIRTY-SECOND LEGISLATURE, 2023
14	14
15	15
16	16
17	17	STATE OF HAWAII
18	18
19	19
20	20
21	21
22	22
23	23
24	24
25	25
26	26
27	27
28	28
29	29
30	30
31	31	A BILL FOR AN ACT
32	32
33	33
34	34
35	35
36	36
37	37	relating to biometric information privacy.
38	38
39	39
40	40
41	41
42	42
43	43	BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:
44	44
45	45
46	46
47	47	SECTION 1. The legislature finds that the use of biometric identifiers and biometric information is growing in the business and security screening sectors. Biometric data can be used to facilitate financial transactions, airport screenings, criminal investigations, building access, and for other tasks where identity verification is important. However, the legislature recognizes that the full ramifications of biometric information are not fully known and that biometric information is at heightened risk for identity theft. Biometric data is unique to the individual and cannot be changed, so if a person's information is compromised, the person may have little recourse. The legislature believes that it is in the best interest of public safety to ensure that biometric identifiers and biometric information are properly safeguarded. Accordingly, the purpose of this Act is to establish standards for the collection, storage, retention, and destruction of biometric identifiers and biometric information by private entities. SECTION 2. The Hawaii Revised Statutes is amended by adding a new chapter to be appropriately designated and to read as follows: "Chapter biometric information privacy § -1 Short title. This chapter shall be known and may be cited as the Hawaii Biometric Information Privacy Act. § -2 Definitions. As used in this chapter, unless the context otherwise requires: "Biometric identifier" means a retina or iris scan, fingerprint, voiceprint, or scan of the hand or face geometry. Biometric identifiers do not include: (1) Writing samples; (2) Written signatures; (3) Photographs; (4) Human biological samples used for valid scientific testing or screening; (5) Demographic data; (6) Tattoo descriptions; (7) Physical descriptions, including height, weight, hair color, or eye color; (8) Donated organs, tissues, or other anatomical body parts stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency; (9) Blood or serum; (10) Biological materials regulated under the federal Genetic Information Privacy Act; (11) Information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996; and (12) Mammography, or other images or film of the human anatomy, used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening. "Biometric information" means any information, regardless of how it is captured, converted, stored or shared, that is based on an individual's biometric identifier and used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers. "Confidential and sensitive information" means personal information that can be used to uniquely identify an individual, or an individual's account or property. Confidential and sensitive information includes: (1) Genetic markers; (2) Genetic testing information; (3) A unique identifier number used to locate an account or property; (4) An account number; (5) A personal identification number; (6) A pass code; (7) A driver's license number; or (8) A social security number. "Private entity" means an individual, partnership, corporation, limited liability company, association, or other group, however organized. A private entity does not include: (1) A state or county agency; or (2) A clerk, judge, or justice of any state or federal court. "Written release" means informed written consent or, in the context of employment, a release executed by an employee as a condition of employment. § -3 Retention; collection; disclosure; destruction. (a) Each private entity in possession of biometric identifiers or biometric information shall develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining the identifiers or information has been satisfied, or within three years of the person's last interaction with the private entity, whichever occurs first. Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private entity in possession of biometric identifiers or biometric information shall comply with its established retention schedule and destruction guidelines. (b) No private entity shall collect, capture, purchase, receive through trade, or otherwise obtain a person's biometric identifier or biometric information, unless the private entity first: (1) Informs the subject or the subject's legally authorized representative, in writing, that a biometric identifier or biometric information is being collected or stored; (2) Informs the subject or the subject's legally authorized representative, in writing, of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) Receives a written release executed by the subject of the biometric identifier or biometric information, or the subject's legally authorized representative. (c) No private entity in possession of a biometric identifier or biometric information shall sell, lease, trade, or otherwise profit from a person's biometric identifier or biometric information. (d) No private entity in possession of a biometric identifier or biometric information shall disclose, redisclose, or otherwise disseminate a person's biometric identifier or biometric information, unless: (1) The subject of the biometric identifier or biometric information, or the subject's legally authorized representative, provides a written release; (2) The disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or biometric information, or the subject matter's legally authorized representative; (3) The disclosure or redisclosure is required by state or federal law or county ordinance; or (4) The disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction. (e) Each private entity in possession of a biometric identifier or biometric information shall store, transmit, and protect from disclosure all biometric identifiers and biometric information: (1) Using the reasonable standard of care within the private entity's industry; and (2) In a manner that is at least as protective as the manner in which the private entity stores, transmits, and protects other confidential and sensitive information. § -4 Right of action. (a) Any person aggrieved by a violation of this Act shall have a right of action in a state circuit court or as a supplemental claim in federal district court against the offending party. (b) A prevailing party may recover for each violation: (1) Against a private entity that negligently violates a provision of this Act, liquidated damages of $1,000, or actual damages, whichever is greater; (2) Against a private entity that intentionally or recklessly violates a provision of this Act, liquidated damages of $5,000, or actual damages, whichever is greater; (3) Reasonable attorneys' fees and cost, including expert witness fees and other litigation expenses; and (4) Other relief, including injunctive relief, as the court deems appropriate. § -5 Construction. Nothing in this chapter shall be construed to: (1) Impact the admission or discovery of biometric identifiers or biometric information in any court action, or before any tribunal, board, agency, or person; (2) Conflict with the federal Health Insurance Portability Act of 1996 or any rules promulgated thereunder; (3) Apply to a financial institution or affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated thereunder; (4) Conflict with any state laws or rules requiring data retention; or (5) Apply to a contractor, subcontractor, or agent of a state or county agency when working on behalf of the State or county." SECTION 3. This Act does not affect rights and duties that matured, penalties that were incurred, and proceedings that were begun before its effective date. SECTION 4. This Act shall take effect upon its approval. INTRODUCED BY: _____________________________
48	48
49	49	SECTION 1. The legislature finds that the use of biometric identifiers and biometric information is growing in the business and security screening sectors. Biometric data can be used to facilitate financial transactions, airport screenings, criminal investigations, building access, and for other tasks where identity verification is important.
50	50
51	51	However, the legislature recognizes that the full ramifications of biometric information are not fully known and that biometric information is at heightened risk for identity theft. Biometric data is unique to the individual and cannot be changed, so if a person's information is compromised, the person may have little recourse.
52	52
53	53	The legislature believes that it is in the best interest of public safety to ensure that biometric identifiers and biometric information are properly safeguarded.
54	54
55	55	Accordingly, the purpose of this Act is to establish standards for the collection, storage, retention, and destruction of biometric identifiers and biometric information by private entities.
56	56
57	57	SECTION 2. The Hawaii Revised Statutes is amended by adding a new chapter to be appropriately designated and to read as follows:
58	58
59	59	"Chapter
60	60
61	61	biometric information privacy
62	62
63	63	§ -1 Short title. This chapter shall be known and may be cited as the Hawaii Biometric Information Privacy Act.
64	64
65	65	§ -2 Definitions. As used in this chapter, unless the context otherwise requires:
66	66
67	67	"Biometric identifier" means a retina or iris scan, fingerprint, voiceprint, or scan of the hand or face geometry. Biometric identifiers do not include:
68	68
69	69	(1) Writing samples;
70	70
71	71	(2) Written signatures;
72	72
73	73	(3) Photographs;
74	74
75	75	(4) Human biological samples used for valid scientific testing or screening;
76	76
77	77	(5) Demographic data;
78	78
79	79	(6) Tattoo descriptions;
80	80
81	81	(7) Physical descriptions, including height, weight, hair color, or eye color;
82	82
83	83	(8) Donated organs, tissues, or other anatomical body parts stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency;
84	84
85	85	(9) Blood or serum;
86	86
87	87	(10) Biological materials regulated under the federal Genetic Information Privacy Act;
88	88
89	89	(11) Information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996; and
90	90
91	91	(12) Mammography, or other images or film of the human anatomy, used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.
92	92
93	93	"Biometric information" means any information, regardless of how it is captured, converted, stored or shared, that is based on an individual's biometric identifier and used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.
94	94
95	95	"Confidential and sensitive information" means personal information that can be used to uniquely identify an individual, or an individual's account or property. Confidential and sensitive information includes:
96	96
97	97	(1) Genetic markers;
98	98
99	99	(2) Genetic testing information;
100	100
101	101	(3) A unique identifier number used to locate an account or property;
102	102
103	103	(4) An account number;
104	104
105	105	(5) A personal identification number;
106	106
107	107	(6) A pass code;
108	108
109	109	(7) A driver's license number; or
110	110
111	111	(8) A social security number.
112	112
113	113	"Private entity" means an individual, partnership, corporation, limited liability company, association, or other group, however organized. A private entity does not include:
114	114
115	115	(1) A state or county agency; or
116	116
117	117	(2) A clerk, judge, or justice of any state or federal court.
118	118
119	119	"Written release" means informed written consent or, in the context of employment, a release executed by an employee as a condition of employment.
120	120
121	121	§ -3 Retention; collection; disclosure; destruction. (a) Each private entity in possession of biometric identifiers or biometric information shall develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining the identifiers or information has been satisfied, or within three years of the person's last interaction with the private entity, whichever occurs first. Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private entity in possession of biometric identifiers or biometric information shall comply with its established retention schedule and destruction guidelines.
122	122
123	123	(b) No private entity shall collect, capture, purchase, receive through trade, or otherwise obtain a person's biometric identifier or biometric information, unless the private entity first:
124	124
125	125	(1) Informs the subject or the subject's legally authorized representative, in writing, that a biometric identifier or biometric information is being collected or stored;
126	126
127	127	(2) Informs the subject or the subject's legally authorized representative, in writing, of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
128	128
129	129	(3) Receives a written release executed by the subject of the biometric identifier or biometric information, or the subject's legally authorized representative.
130	130
131	131	(c) No private entity in possession of a biometric identifier or biometric information shall sell, lease, trade, or otherwise profit from a person's biometric identifier or biometric information.
132	132
133	133	(d) No private entity in possession of a biometric identifier or biometric information shall disclose, redisclose, or otherwise disseminate a person's biometric identifier or biometric information, unless:
134	134
135	135	(1) The subject of the biometric identifier or biometric information, or the subject's legally authorized representative, provides a written release;
136	136
137	137	(2) The disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or biometric information, or the subject matter's legally authorized representative;
138	138
139	139	(3) The disclosure or redisclosure is required by state or federal law or county ordinance; or
140	140
141	141	(4) The disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
142	142
143	143	(e) Each private entity in possession of a biometric identifier or biometric information shall store, transmit, and protect from disclosure all biometric identifiers and biometric information:
144	144
145	145	(1) Using the reasonable standard of care within the private entity's industry; and
146	146
147	147	(2) In a manner that is at least as protective as the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.
148	148
149	149	§ -4 Right of action. (a) Any person aggrieved by a violation of this Act shall have a right of action in a state circuit court or as a supplemental claim in federal district court against the offending party.
150	150
151	151	(b) A prevailing party may recover for each violation:
152	152
153	153	(1) Against a private entity that negligently violates a provision of this Act, liquidated damages of $1,000, or actual damages, whichever is greater;
154	154
155	155	(2) Against a private entity that intentionally or recklessly violates a provision of this Act, liquidated damages of $5,000, or actual damages, whichever is greater;
156	156
157	157	(3) Reasonable attorneys' fees and cost, including expert witness fees and other litigation expenses; and
158	158
159	159	(4) Other relief, including injunctive relief, as the court deems appropriate.
160	160
161	161	§ -5 Construction. Nothing in this chapter shall be construed to:
162	162
163	163	(1) Impact the admission or discovery of biometric identifiers or biometric information in any court action, or before any tribunal, board, agency, or person;
164	164
165	165	(2) Conflict with the federal Health Insurance Portability Act of 1996 or any rules promulgated thereunder;
166	166
167	167	(3) Apply to a financial institution or affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated thereunder;
168	168
169	169	(4) Conflict with any state laws or rules requiring data retention; or
170	170
171	171	(5) Apply to a contractor, subcontractor, or agent of a state or county agency when working on behalf of the State or county."
172	172
173	173	SECTION 3. This Act does not affect rights and duties that matured, penalties that were incurred, and proceedings that were begun before its effective date.
174	174
175	175	SECTION 4. This Act shall take effect upon its approval.
176	176
177	177
178	178
179	179	INTRODUCED BY: _____________________________
180	180
181	181	INTRODUCED BY:
182	182
183	183	_____________________________
184	184
185	185
186	186
187	187
188	188
189	189	Report Title: Biometric Identifiers; Biometric Information; Privacy Description: Establishes standards for the collection, storage, retention, and destruction of biometric identifiers and biometric information by private entities. The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.
190	190
191	191
192	192
193	193
194	194
195	195	Report Title:
196	196
197	197	Biometric Identifiers; Biometric Information; Privacy
198	198
199	199
200	200
201	201	Description:
202	202
203	203	Establishes standards for the collection, storage, retention, and destruction of biometric identifiers and biometric information by private entities.
204	204
205	205
206	206
207	207
208	208
209	209
210	210
211	211	The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.