HOUSE OF REPRESENTATIVES H.B. NO. 566 THIRTY-THIRD LEGISLATURE, 2025 STATE OF HAWAII A BILL FOR AN ACT RELATING TO PROTECTION OF MINORS. BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:
HOUSE OF REPRESENTATIVES H.B. NO. 566
THIRTY-THIRD LEGISLATURE, 2025
STATE OF HAWAII
HOUSE OF REPRESENTATIVES
H.B. NO.
566
THIRTY-THIRD LEGISLATURE, 2025
STATE OF HAWAII
A BILL FOR AN ACT
RELATING TO PROTECTION OF MINORS.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:
SECTION 1. The Hawaii Revised Statutes is amended by adding a new chapter to be appropriately designated and to read as follows: "Chapter "§ -A Definitions. For the purpose of this chapter: "Addictive feed" means a website, online service, online application, or mobile application, or a portion thereof, in which multiple pieces of media generated or shared by users of a website, online services, online application, or mobile application, either concurrently or sequentially, are recommended, selected, or prioritized for display to a user based, in whole or in part, on information associated with the user or the user's device, unless any of the following conditions are met, alone or in combination with one another: (1) The recommendation, prioritization, or selection is based on information that is not persistently associated with the user or the user's device, and does not concern the user's previous interactions with media generated or shared by other users; (2) The recommendation, prioritization, or selection is based on user-selected privacy or accessibility settings, or technical information concerning the user's device; (3) The user expressly and unambiguously requested the specific media, media by the author, creator, or poster of media the user has subscribed to, or media shared by users to a page or group the user has subscribed to, provided that the media is not recommended, selected, or prioritized for display based, in whole or in part, on other information associated with the user or the user's device that is not otherwise permissible under this subdivision; (4) The user expressly and unambiguously requested that specific media, media by a specified author, creator, or poster of media the user has subscribed to, or media shared by users to a page or group the user has subscribed to pursuant to paragraph (3) of this subdivision, be blocked, prioritized or deprioritized for display, provided that the media is not recommended, selected, or prioritized for display based, in whole or in part, on other information associated with the user or the user's device that is not otherwise permissible under this subdivision; (5) The media are direct and private communications; (6) The media are recommended, selected, or prioritized only in response to a specific search inquiry by the user; (7) The media recommended, selected, or prioritized for display is exclusively next in a pre-existing sequence from the same author, creator, poster, or source; or (8) The recommendation, prioritization, or selection is necessary to comply with the provisions of this chapter and any regulations promulgated pursuant to this chapter. "Addictive social media platform" means a website, online service, online application, or mobile application, that offers or provides users an addictive feed as a significant part of the services provided by such website, online service, online application, or mobile application. "Covered minor" means a user of a website, online service, online application, or mobile application in the State when the operator has actual knowledge the user is a minor. "Covered operator" means any person, business, or other legal entity, who operates or provides an addictive social media platform. "Covered user" means a user of a website, online service, online application, or mobile application in the State, not acting as an operator, or agent or affiliate of the operator, of such website, online service, online application, or mobile application, or any portion thereof. "Media" means text, an image, or a video. "Minor" means an individual under the age of eighteen. "Parent" means parent or legal guardian. § -B Prohibition of addictive feeds. (a) It shall be unlawful for a covered operator to provide an addictive feed to a covered user unless: (1) The covered operator has used commercially reasonable and technically feasible methods to determine that the covered user is not a covered minor; or (2) The covered operator has obtained verifiable parental consent to provide an addictive feed to a covered minor. (b) The attorney general shall promulgate regulations identifying commercially reasonable and technically feasible methods for covered operators to determine if a covered user is a covered minor required pursuant to this section, and any exceptions thereto. (1) In promulgating such regulations, the attorney general shall consider the size, financial resources, and technical capabilities of the addictive social media platform, the costs and effectiveness of available age determination techniques for users of the addictive social media platform, the audience of the addictive social media platform, prevalent practices of the industry of the covered operator, and the impact of the age determination techniques on the covered user's safety, utility, and experience. (2) Such regulations shall also identify the appropriate levels of accuracy that would be commercially reasonable and technically feasible for covered operators to achieve in determining whether a covered user is a covered minor. Such regulations shall set forth multiple commercially reasonable and technically feasible methods for a covered operator to determine if a covered user is a covered minor, including at least one method that either does not rely solely on government issued identification or that allows a covered user to maintain anonymity as to covered operator of the addictive social media platform. (3) Where a covered operator has used commercially reasonable and technically feasible age determination methods in compliance with such regulations and has not determined that a covered user is a covered minor, the covered operator shall operate under the presumption that the covered user is not a covered minor for the purposes of this chapter, unless it obtains actual knowledge that the covered user is a covered minor. (c) Information collected for the purpose of determining a covered user's age under paragraph (b) shall not be used for any purpose other than age determination and shall be deleted immediately after an attempt to determine a covered user's age, except where necessary for compliance with any applicable provisions of state or federal law or regulation. (d) The attorney general shall promulgate regulations identifying methods of obtaining verifiable parental consent pursuant to paragraph (a)(2) of section -B of this chapter. (e) Information collected for the purpose of obtain such verifiable parental consent shall not be used for any other purpose other than obtaining verifiable parental consent and shall be deleted immediately after an attempt to obtain verifiable parental consent, except where necessary for compliance with any applicable provision of state or federal law or regulation. (f) Nothing in this section shall be construed as requiring any operator to give a parent who grants verifiable parental consent any additional or special access to or control over the data or accounts of their child. (g) Nothing in this section shall be construed as preventing any action taken in good faith to restrict access to or availability of media that the covered operator considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected. § -C Overnight notifications. It shall be unlawful for the covered operator of an addictive social media platform to, between the hours of 12 AM and 6 AM Hawaii Standard Time, send notifications concerning an addictive feed to a covered minor unless the operator has obtained verifiable parental consent to send such nighttime notifications. § -D Parental control. Nothing in this chapter shall be construed as requiring the operator of an addictive social media platform to give a parent any additional or special access to or control over the data or accounts of their child. § -E Nondiscrimination. A covered operator shall not withhold, degrade, lower the quality, or increase the price of any product, service, or feature, other than as necessary for compliance with the provisions of this chapter or any rules or regulations promulgated pursuant to this chapter, to a covered user due to the covered operator not being permitted to provide an addictive feed to such covered user under this chapter. § -F Rulemaking authority. The attorney general shall promulgate such rules and regulations as are necessary to effectuate and enforce the provisions of this chapter. § -G Scope. (a) This chapter shall apply to conduct that occurs in whole or in part in Hawaii. For purposes of this chapter, conduct takes place wholly outside of Hawaii if the addictive social media platform is accessed by a user who is physically located outside of Hawaii. (b) Nothing in this chapter shall be construed to impose liability for commercial activities or actions by operators subject to 15 U.S.C. §6501 that is inconsistent with the treatment of such activities or actions under 15 U.S.C. §6502. § -H Remedies. (a) No earlier than one hundred eighty days after the effective date of this chapter, whenever it appears to the attorney general, either upon complaint or otherwise, that any person, within or outside the State, has engaged in or is about to engage in any of the acts or practices stated to be unlawful in this chapter, the attorney general may bring an action or special proceeding in the name and on behalf of the people of the state of Hawaii to enjoin any violation of this chapter, to obtain restitution of any moneys or property obtained directly or indirectly by any such violation, to obtain disgorgement of any profits or gains obtained directly or indirectly by any such violation, including but not limited to the destruction of unlawfully obtained data, to obtain damages caused directly or indirectly by any such violation, to obtain civil penalties of up to five thousand dollars per violation, and to obtain any such other and further relief as the court may deem proper, including preliminary relief. (b) The attorney general shall maintain a website to receive complaints, information, or referrals from members of the public concerning a covered operator's or social media platform's alleged compliance or non-compliance with the provisions of this chapter." SECTION 2. The Hawaii Revised Statutes is amended by adding a new chapter to be appropriately designated and to read as follows: "Chapter § -A Definitions. For the purpose of this chapter: "Covered user" means a user of a website, online service, online application, mobile application, or connected device, or portion thereof, in the State who is: (1) Actually known by the operator of such website, online service, online application, mobile application, or connected device to be a minor; or (2) Using a website, online service, online application, mobile application, or connected device primarily directed to minors. "Minor" means an individual under the age of eighteen. "Operator" means any person who operates or provides a website on the internet, online service, online application, mobile application, or connected device, and who, alone or jointly with others, controls the purposes and means of processing personal data. A person that acts as both am operator and processor shall comply with the applicable obligations of an operator and the obligations of a processor, depending on its role with respect to each specific processing of personal data. "Personal data" means any data that identifies or could reasonably be linked, directly or indirectly, with a specific natural person or device. "Process" or "processing" means an operation or set of operations performed on personal data, including but not limited to the collection, use, access, sharing, sale, monetization, analysis, retention, creation, generation, derivation, recording, organization, structuring, storage, disclosure, transmission, disposal, licensing, destruction, deletion, modification, or deidentification of personal data. "Primarily directed to minors" means a website, online service, online application, mobile application, or connected device, or a portion thereof, that is targeted to minors. A website, online service, online application, mobile application, or connected device, or portion thereof, shall not be deemed directed primarily to minors solely because such website, online service, online application, mobile application, or connected device, or portion thereof refers or links to any other website, online service, online application, mobile application, or connected device directed to minors by using information location tools, including a directory, index, reference, pointer, or hypertext link. A website, online service, online application, mobile application, or connected device, or portion thereof, shall be deemed directed to minors when it has actual knowledge that it is collecting personal data of users directly from users of another website, online service, online application, mobile application, or connected device primarily directed to minors. "Sell" means to share personal data for monetary or other valuable consideration. "Selling" shall not include the sharing of personal data for monetary or other valuable consideration to another person as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which that person assumes control of all or part of the operator's assets or the sharing of personal data with a processor. "Processor" means any person who processes data on behalf of the operator. A person that acts as both an operator and processor shall comply with the applicable obligations of an operator and the obligations of a processor, depending on its role with respect to each specific processing of personal data. "Third-party operator" means an operator who is not the operator: (1) With whom the user intentionally and directly interacts; or (2) That collects personal data from the directed and current interactions with the user. § -B Privacy protection by default. (a) Except as provided for in paragraph (f) of this section and section -F of this chapter, an operator shall not process, or allow a processor to process, the personal data of a covered user collected through the use of a website, online service, online application, mobile application, or connected device, or allow a third-party operator to collect the personal data of a covered user collected through the operator's website, online service, online application, mobile application, or connected device unless and to the extent: (1) The covered user is twelve years of age or younger and processing is permitted under 15 U.S.C. § 6502 and its implementing regulations; or (2) The covered user is thirteen years of age or older and processing is strictly necessary for an activity set forth in paragraph (b) of this section, or informed consent has been obtained as set forth in paragraph (c) of this section. (b) The process of personal data of a covered user is permissible where it is strictly necessary for the following permissible purposes: (1) Providing or maintaining a specific product or service requested by the covered user; (2) Conducting the operator's internal business operations. For purposes of this paragraph, such internal business operations shall not include any activities related to marketing, advertising, research and development, providing products or services to third parties, or prompting covered users to use the website, online service, online application, mobile application, or connected device when it is not in use; (3) Identifying and repairing technical errors that impair existing or intended functionality; (4) Protecting against malicious, fraudulent, or illegal activity; (5) Investigating, establishing, exercising, preparing for, or defending legal claims; (6) Complying with federal, state, or local laws, rules, or regulations; (7) Complying with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities; (8) Detecting, responding to, or preventing security incidents or threats; or (9) Protecting the vital interests of a natural person. (c) To process personal data of a covered user where such processing is not strictly necessary under paragraph (b) of this section, informed consent must be obtained from the covered user either through a device communication or signal pursuant to the provisions of section -E of this chapter or through a request. (1) Requests for such informed consent shall: (i) Be made separately from any other transaction or part of a transaction; (ii) Be made in the absence of any mechanism that has the purpose or substantial effect of obscuring, subverting, or impairing a covered user's decision-making regarding authorization for the processing; (iii) Clearly and conspicuously state that the processing for which the consent is requested is not strictly necessary, and that the covered user may decline without preventing continued use of the website, online service, online application, mobile application, or connected device; and (iv) Clearly present an option to refuse to provide consent as the most prominent option. (2) Such informed consent, once given, shall be freely revocable at any time, and shall be at least as easy to revoke as it was to provide. (3) If a covered user declines to provide or revokes informed consent for processing, another request may not be made for such processing for the following calendar year, however an operator may make available a mechanism that a covered user can use unprompted and at the user's discretion to provide informed consent. (4) If a covered user's device communicates or signals that the covered user declines to provide informed consent for processing pursuant to the provisions of section -E of this chapter, an operator shall not request informed consent for such processing, however an operator may make available a mechanism that a covered user can use unprompted and at the user's discretion to provide informed consent. (d) Except where processing is strictly necessary to provide a product, service, or feature, an operator may not withhold, degrade, lower the quality, or increase the price of any product, service, or feature to a covered user due to the operator not obtaining verifiable parental consent under 15 U.S.C. § 6502 and its implementing regulations or informed consent under paragraph (c) of this section. (e) Except as provided for in section -F of this chapter, an operator shall not purchase or sell, or allow a processor or third-party operator to purchase or sell, the personal data of a covered user. (f) Within thirty days of determining or being informed that a user is a covered user, an operator shall: (1) Dispose of, destroy, or delete and direct all of its processors to dispose of, destroy, or delete all personal data of such covered user that it maintains, unless processing such personal data is permitted under 15 U.S.C. § 6502 and its implementing regulations, is strictly necessary for an activity listed in paragraph (b) of this section, or informed consent is obtained as set forth in paragraph (c) of this section; and (2) Notify any third-party operators to whom it knows it disclosed personal data of that covered user, and any third-party operators it knows it allowed to process the personal data that may include the personal data of that user, that the user is a covered user. (g) Except as provided for in section -F of this chapter, prior to disclosing personal data to a third-party operator, or permitting a third-party operator to collect personal data from the operator's website, online service, online application, mobile application, connected device, or portion thereof, the operator shall disclose to the third-party operator: (1) When their website, online service, online application, mobile application, connected device, or portion thereof, is primarily directed to minors; or (2) When the personal data concerns a covered user. § -C. Processors. (a) Except as provided for in section -F of this chapter, no operator or processor shall disclose the personal data of a covered user to a third party or allow the processing of the personal data of a covered user by a third party, without a written, binding agreement governing such disclosure or processing. Such agreement shall clearly set forth instructions for the nature and purpose of the processor's processing of the personal data, instructions for using or further disclosing the personal data, and the rights and obligations of both parties. (b) Processors shall process the personal data of covered users only when permitted by the terms of the agreement pursuant to paragraph (a) of this section, unless otherwise required by federal, state, or local laws, rules, or regulations. (c) A processor shall, at the direction of the operator, dispose of, destroy, or delete personal data, and notify any other processor to which it disclosed the personal data of the operator's direction, unless retention of the personal data is required by federal, state, or local laws, rules, or regulations. The processor shall provide evidence of such deletion to the operator within thirty days of the deletion request. (d) A processor shall delete or return to the operator all personal data of covered users at the end of its provision of services, unless retention of the personal data is required by federal, state, or local laws, rules, or regulations. The processor shall provide evidence of such deletion to the operator within thirty days of the deletion request. (e) An agreement pursuant to paragraph (a) of this section shall require that the processor: (1) Process the personal data of covered users only pursuant to the instructions of the operator, unless otherwise required by federal, state, or local laws, rules, or regulations; (2) Assist the operator in meeting the operator's obligations under this chapter. The processor shall, taking into account the nature of processing and the information available to them, assist the operator by taking appropriate technical and organizational measures, to the extent practicable, for the fulfillment of the operator's obligation to delete personal data pursuant to section -B of this chapter; (3) Upon reasonable request of the operator, make available to the operator all information in its possession necessary to demonstrate the processor's compliance with the obligations in this section; (4) Allow, and cooperate with, reasonable assessments by the operator or the operator's designated assessor for purposes of evaluating compliance with the obligations of this chapter. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the operator upon request; and (5) Notify the operator a reasonable time in advance before disclosing or transferring the personal data of covered users to any further processors, which may be in the form of a regularly updated list of further processors that may access personal data of covered users. § -D Ongoing coverage. (a) Upon learning that a user is no longer a covered user, an operator: (1) Shall not process the personal data of the covered user that would otherwise be subject to the provisions of this chapter until it receives informed consent pursuant to paragraph (c) of section -B of this chapter, and (2) Shall provide notice to such user that they may no longer be entitled to all of the protections and rights provided under this chapter. (b) Upon learning that a user is no longer a covered user, an operator shall provide notice to such user that such user is no longer covered by the protections and rights provided under this chapter. § -E Respecting user-provided age flags. (a) For the purposes of this chapter, an operator shall treat a user as a covered user if the user's device communicates or signals that the user is or shall be treated as a minor, including through a browser plug-in or privacy setting, device setting, or other mechanism that complies with regulations promulgated by the attorney general. (b) For the purposes of paragraph (c) of section -B of this chapter, an operator shall adhere to any clear and unambiguous communications or signals from a covered user's device, including through a browser plug-in or privacy setting, device setting, or other mechanism, concerning processing that the covered user consents to or declines to consent to. An operator shall not adhere to unclear or ambiguous communications or signals from a covered user's device and shall instead request informed consent pursuant to the provisions of section -B of this chapter. § -F Protections for third-party operators. (a) Sections -B and -C of this chapter shall not apply where a third-party operator is processing the personal data of a covered user of another website, online service, online application, mobile application, or connected device, or portion thereof, provided that the third-party operator received reasonable written representations that the covered user provided informed consent for such processing, or: (1) The operator does not have actual knowledge that the covered user is a minor; and (2) The operator does not have actual knowledge that the other website, online service, online application, mobile application, or connected device, or portion thereof, is primarily directed to minors. § -G Rulemaking authority. The attorney general may promulgate such rules and regulations as are necessary to effectuate and enforce the provisions of this chapter. § -H Scope. (a) This chapter shall apply to conduct that occurs in whole or in part in the state of Hawaii. For purposes of this chapter, commercial conduct takes place wholly outside of the state of Hawaii if the business collected such information while the covered user was outside of the state of Hawaii, no part of the use of the covered user's personal data occurred in the state of Hawaii, and no personal data collected while the covered user was in the state of Hawaii is used. (b) Nothing in this chapter shall be construed to prohibit an operator from storing a covered user's personal data that was collected pursuant to section -B of this chapter when such covered user is in the state. (c) Nothing in this chapter shall be construed to impose liability for commercial activities or actions by operators subject to 15 U.S.C. § 6501 that is inconsistent with the treatment of such activities or actions under 15 U.S.C. § 6502. § -I Remedies. Whenever it appears to the attorney general, either upon complaint or otherwise, that any person, within or outside the state, has engaged in or is about to engage in any of the acts or practices stated to be unlawful in this chapter, the attorney general may bring an action or special proceeding in the name and on behalf of the people of the state of Hawaii to enjoin any violation of this chapter, to obtain restitution of any moneys or property obtained directly or indirectly by any such violation, to obtain disgorgement of any profits or gains obtained directly or indirectly by any such violation, including but not limited to the destruction of unlawfully obtained data, to obtain damages caused directly or indirectly by any such violation, to obtain civil penalties of up to five thousand dollars per violation, and to obtain any such other and further relief as the court may deem proper, including preliminary relief. SECTION 3. If any provision of this Act, or the application thereof to any person or circumstance, is held invalid, the invalidity does not affect other provisions or applications of the Act that can be given effect without the invalid provision or application, and to this end the provisions of this Act are severable. SECTION 4. This Act does not affect rights and duties that matured, penalties that were incurred, and proceedings that were begun before its effective date. SECTION 5. In codifying the new chapters added by section 1 and 2 of this Act, the revisor of statutes shall substitute appropriate section numbers for the letters used in designating the new section in this Act. SECTION 6. This Act shall take effect on July 1, 2025. INTRODUCED BY: _____________________________
SECTION 1. The Hawaii Revised Statutes is amended by adding a new chapter to be appropriately designated and to read as follows:
"Chapter
"§ -A Definitions. For the purpose of this chapter:
"Addictive feed" means a website, online service, online application, or mobile application, or a portion thereof, in which multiple pieces of media generated or shared by users of a website, online services, online application, or mobile application, either concurrently or sequentially, are recommended, selected, or prioritized for display to a user based, in whole or in part, on information associated with the user or the user's device, unless any of the following conditions are met, alone or in combination with one another:
(1) The recommendation, prioritization, or selection is based on information that is not persistently associated with the user or the user's device, and does not concern the user's previous interactions with media generated or shared by other users;
(2) The recommendation, prioritization, or selection is based on user-selected privacy or accessibility settings, or technical information concerning the user's device;
(3) The user expressly and unambiguously requested the specific media, media by the author, creator, or poster of media the user has subscribed to, or media shared by users to a page or group the user has subscribed to, provided that the media is not recommended, selected, or prioritized for display based, in whole or in part, on other information associated with the user or the user's device that is not otherwise permissible under this subdivision;
(4) The user expressly and unambiguously requested that specific media, media by a specified author, creator, or poster of media the user has subscribed to, or media shared by users to a page or group the user has subscribed to pursuant to paragraph (3) of this subdivision, be blocked, prioritized or deprioritized for display, provided that the media is not recommended, selected, or prioritized for display based, in whole or in part, on other information associated with the user or the user's device that is not otherwise permissible under this subdivision;
(5) The media are direct and private communications;
(6) The media are recommended, selected, or prioritized only in response to a specific search inquiry by the user;
(7) The media recommended, selected, or prioritized for display is exclusively next in a pre-existing sequence from the same author, creator, poster, or source; or
(8) The recommendation, prioritization, or selection is necessary to comply with the provisions of this chapter and any regulations promulgated pursuant to this chapter.
"Addictive social media platform" means a website, online service, online application, or mobile application, that offers or provides users an addictive feed as a significant part of the services provided by such website, online service, online application, or mobile application.
"Covered minor" means a user of a website, online service, online application, or mobile application in the State when the operator has actual knowledge the user is a minor.
"Covered operator" means any person, business, or other legal entity, who operates or provides an addictive social media platform.
"Covered user" means a user of a website, online service, online application, or mobile application in the State, not acting as an operator, or agent or affiliate of the operator, of such website, online service, online application, or mobile application, or any portion thereof.
"Media" means text, an image, or a video.
"Minor" means an individual under the age of eighteen.
"Parent" means parent or legal guardian.
§ -B Prohibition of addictive feeds. (a) It shall be unlawful for a covered operator to provide an addictive feed to a covered user unless:
(1) The covered operator has used commercially reasonable and technically feasible methods to determine that the covered user is not a covered minor; or
(2) The covered operator has obtained verifiable parental consent to provide an addictive feed to a covered minor.
(b) The attorney general shall promulgate regulations identifying commercially reasonable and technically feasible methods for covered operators to determine if a covered user is a covered minor required pursuant to this section, and any exceptions thereto.
(1) In promulgating such regulations, the attorney general shall consider the size, financial resources, and technical capabilities of the addictive social media platform, the costs and effectiveness of available age determination techniques for users of the addictive social media platform, the audience of the addictive social media platform, prevalent practices of the industry of the covered operator, and the impact of the age determination techniques on the covered user's safety, utility, and experience.
(2) Such regulations shall also identify the appropriate levels of accuracy that would be commercially reasonable and technically feasible for covered operators to achieve in determining whether a covered user is a covered minor. Such regulations shall set forth multiple commercially reasonable and technically feasible methods for a covered operator to determine if a covered user is a covered minor, including at least one method that either does not rely solely on government issued identification or that allows a covered user to maintain anonymity as to covered operator of the addictive social media platform.
(3) Where a covered operator has used commercially reasonable and technically feasible age determination methods in compliance with such regulations and has not determined that a covered user is a covered minor, the covered operator shall operate under the presumption that the covered user is not a covered minor for the purposes of this chapter, unless it obtains actual knowledge that the covered user is a covered minor.
(c) Information collected for the purpose of determining a covered user's age under paragraph (b) shall not be used for any purpose other than age determination and shall be deleted immediately after an attempt to determine a covered user's age, except where necessary for compliance with any applicable provisions of state or federal law or regulation.
(d) The attorney general shall promulgate regulations identifying methods of obtaining verifiable parental consent pursuant to paragraph (a)(2) of section -B of this chapter.
(e) Information collected for the purpose of obtain such verifiable parental consent shall not be used for any other purpose other than obtaining verifiable parental consent and shall be deleted immediately after an attempt to obtain verifiable parental consent, except where necessary for compliance with any applicable provision of state or federal law or regulation.
(f) Nothing in this section shall be construed as requiring any operator to give a parent who grants verifiable parental consent any additional or special access to or control over the data or accounts of their child.
(g) Nothing in this section shall be construed as preventing any action taken in good faith to restrict access to or availability of media that the covered operator considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected.
§ -C Overnight notifications. It shall be unlawful for the covered operator of an addictive social media platform to, between the hours of 12 AM and 6 AM Hawaii Standard Time, send notifications concerning an addictive feed to a covered minor unless the operator has obtained verifiable parental consent to send such nighttime notifications.
§ -D Parental control. Nothing in this chapter shall be construed as requiring the operator of an addictive social media platform to give a parent any additional or special access to or control over the data or accounts of their child.
§ -E Nondiscrimination. A covered operator shall not withhold, degrade, lower the quality, or increase the price of any product, service, or feature, other than as necessary for compliance with the provisions of this chapter or any rules or regulations promulgated pursuant to this chapter, to a covered user due to the covered operator not being permitted to provide an addictive feed to such covered user under this chapter.
§ -F Rulemaking authority. The attorney general shall promulgate such rules and regulations as are necessary to effectuate and enforce the provisions of this chapter.
§ -G Scope. (a) This chapter shall apply to conduct that occurs in whole or in part in Hawaii. For purposes of this chapter, conduct takes place wholly outside of Hawaii if the addictive social media platform is accessed by a user who is physically located outside of Hawaii.
(b) Nothing in this chapter shall be construed to impose liability for commercial activities or actions by operators subject to 15 U.S.C. §6501 that is inconsistent with the treatment of such activities or actions under 15 U.S.C. §6502.
§ -H Remedies. (a) No earlier than one hundred eighty days after the effective date of this chapter, whenever it appears to the attorney general, either upon complaint or otherwise, that any person, within or outside the State, has engaged in or is about to engage in any of the acts or practices stated to be unlawful in this chapter, the attorney general may bring an action or special proceeding in the name and on behalf of the people of the state of Hawaii to enjoin any violation of this chapter, to obtain restitution of any moneys or property obtained directly or indirectly by any such violation, to obtain disgorgement of any profits or gains obtained directly or indirectly by any such violation, including but not limited to the destruction of unlawfully obtained data, to obtain damages caused directly or indirectly by any such violation, to obtain civil penalties of up to five thousand dollars per violation, and to obtain any such other and further relief as the court may deem proper, including preliminary relief.
(b) The attorney general shall maintain a website to receive complaints, information, or referrals from members of the public concerning a covered operator's or social media platform's alleged compliance or non-compliance with the provisions of this chapter."
SECTION 2. The Hawaii Revised Statutes is amended by adding a new chapter to be appropriately designated and to read as follows:
"Chapter
§ -A Definitions. For the purpose of this chapter:
"Covered user" means a user of a website, online service, online application, mobile application, or connected device, or portion thereof, in the State who is:
(1) Actually known by the operator of such website, online service, online application, mobile application, or connected device to be a minor; or
(2) Using a website, online service, online application, mobile application, or connected device primarily directed to minors.
"Minor" means an individual under the age of eighteen.
"Operator" means any person who operates or provides a website on the internet, online service, online application, mobile application, or connected device, and who, alone or jointly with others, controls the purposes and means of processing personal data. A person that acts as both am operator and processor shall comply with the applicable obligations of an operator and the obligations of a processor, depending on its role with respect to each specific processing of personal data.
"Personal data" means any data that identifies or could reasonably be linked, directly or indirectly, with a specific natural person or device.
"Process" or "processing" means an operation or set of operations performed on personal data, including but not limited to the collection, use, access, sharing, sale, monetization, analysis, retention, creation, generation, derivation, recording, organization, structuring, storage, disclosure, transmission, disposal, licensing, destruction, deletion, modification, or deidentification of personal data.
"Primarily directed to minors" means a website, online service, online application, mobile application, or connected device, or a portion thereof, that is targeted to minors. A website, online service, online application, mobile application, or connected device, or portion thereof, shall not be deemed directed primarily to minors solely because such website, online service, online application, mobile application, or connected device, or portion thereof refers or links to any other website, online service, online application, mobile application, or connected device directed to minors by using information location tools, including a directory, index, reference, pointer, or hypertext link. A website, online service, online application, mobile application, or connected device, or portion thereof, shall be deemed directed to minors when it has actual knowledge that it is collecting personal data of users directly from users of another website, online service, online application, mobile application, or connected device primarily directed to minors.
"Sell" means to share personal data for monetary or other valuable consideration. "Selling" shall not include the sharing of personal data for monetary or other valuable consideration to another person as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which that person assumes control of all or part of the operator's assets or the sharing of personal data with a processor.
"Processor" means any person who processes data on behalf of the operator. A person that acts as both an operator and processor shall comply with the applicable obligations of an operator and the obligations of a processor, depending on its role with respect to each specific processing of personal data.
"Third-party operator" means an operator who is not the operator:
(1) With whom the user intentionally and directly interacts; or
(2) That collects personal data from the directed and current interactions with the user.
§ -B Privacy protection by default. (a) Except as provided for in paragraph (f) of this section and section -F of this chapter, an operator shall not process, or allow a processor to process, the personal data of a covered user collected through the use of a website, online service, online application, mobile application, or connected device, or allow a third-party operator to collect the personal data of a covered user collected through the operator's website, online service, online application, mobile application, or connected device unless and to the extent:
(1) The covered user is twelve years of age or younger and processing is permitted under 15 U.S.C. § 6502 and its implementing regulations; or
(2) The covered user is thirteen years of age or older and processing is strictly necessary for an activity set forth in paragraph (b) of this section, or informed consent has been obtained as set forth in paragraph (c) of this section.
(b) The process of personal data of a covered user is permissible where it is strictly necessary for the following permissible purposes:
(1) Providing or maintaining a specific product or service requested by the covered user;
(2) Conducting the operator's internal business operations. For purposes of this paragraph, such internal business operations shall not include any activities related to marketing, advertising, research and development, providing products or services to third parties, or prompting covered users to use the website, online service, online application, mobile application, or connected device when it is not in use;
(3) Identifying and repairing technical errors that impair existing or intended functionality;
(4) Protecting against malicious, fraudulent, or illegal activity;
(5) Investigating, establishing, exercising, preparing for, or defending legal claims;
(6) Complying with federal, state, or local laws, rules, or regulations;
(7) Complying with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
(8) Detecting, responding to, or preventing security incidents or threats; or
(9) Protecting the vital interests of a natural person.
(c) To process personal data of a covered user where such processing is not strictly necessary under paragraph (b) of this section, informed consent must be obtained from the covered user either through a device communication or signal pursuant to the provisions of section -E of this chapter or through a request.
(1) Requests for such informed consent shall:
(i) Be made separately from any other transaction or part of a transaction;
(ii) Be made in the absence of any mechanism that has the purpose or substantial effect of obscuring, subverting, or impairing a covered user's decision-making regarding authorization for the processing;
(iii) Clearly and conspicuously state that the processing for which the consent is requested is not strictly necessary, and that the covered user may decline without preventing continued use of the website, online service, online application, mobile application, or connected device; and
(iv) Clearly present an option to refuse to provide consent as the most prominent option.
(2) Such informed consent, once given, shall be freely revocable at any time, and shall be at least as easy to revoke as it was to provide.
(3) If a covered user declines to provide or revokes informed consent for processing, another request may not be made for such processing for the following calendar year, however an operator may make available a mechanism that a covered user can use unprompted and at the user's discretion to provide informed consent.
(4) If a covered user's device communicates or signals that the covered user declines to provide informed consent for processing pursuant to the provisions of section -E of this chapter, an operator shall not request informed consent for such processing, however an operator may make available a mechanism that a covered user can use unprompted and at the user's discretion to provide informed consent.
(d) Except where processing is strictly necessary to provide a product, service, or feature, an operator may not withhold, degrade, lower the quality, or increase the price of any product, service, or feature to a covered user due to the operator not obtaining verifiable parental consent under 15 U.S.C. § 6502 and its implementing regulations or informed consent under paragraph (c) of this section.
(e) Except as provided for in section -F of this chapter, an operator shall not purchase or sell, or allow a processor or third-party operator to purchase or sell, the personal data of a covered user.
(f) Within thirty days of determining or being informed that a user is a covered user, an operator shall:
(1) Dispose of, destroy, or delete and direct all of its processors to dispose of, destroy, or delete all personal data of such covered user that it maintains, unless processing such personal data is permitted under 15 U.S.C. § 6502 and its implementing regulations, is strictly necessary for an activity listed in paragraph (b) of this section, or informed consent is obtained as set forth in paragraph (c) of this section; and
(2) Notify any third-party operators to whom it knows it disclosed personal data of that covered user, and any third-party operators it knows it allowed to process the personal data that may include the personal data of that user, that the user is a covered user.
(g) Except as provided for in section -F of this chapter, prior to disclosing personal data to a third-party operator, or permitting a third-party operator to collect personal data from the operator's website, online service, online application, mobile application, connected device, or portion thereof, the operator shall disclose to the third-party operator:
(1) When their website, online service, online application, mobile application, connected device, or portion thereof, is primarily directed to minors; or
(2) When the personal data concerns a covered user.
§ -C. Processors. (a) Except as provided for in section -F of this chapter, no operator or processor shall disclose the personal data of a covered user to a third party or allow the processing of the personal data of a covered user by a third party, without a written, binding agreement governing such disclosure or processing. Such agreement shall clearly set forth instructions for the nature and purpose of the processor's processing of the personal data, instructions for using or further disclosing the personal data, and the rights and obligations of both parties.
(b) Processors shall process the personal data of covered users only when permitted by the terms of the agreement pursuant to paragraph (a) of this section, unless otherwise required by federal, state, or local laws, rules, or regulations.
(c) A processor shall, at the direction of the operator, dispose of, destroy, or delete personal data, and notify any other processor to which it disclosed the personal data of the operator's direction, unless retention of the personal data is required by federal, state, or local laws, rules, or regulations. The processor shall provide evidence of such deletion to the operator within thirty days of the deletion request.
(d) A processor shall delete or return to the operator all personal data of covered users at the end of its provision of services, unless retention of the personal data is required by federal, state, or local laws, rules, or regulations. The processor shall provide evidence of such deletion to the operator within thirty days of the deletion request.
(e) An agreement pursuant to paragraph (a) of this section shall require that the processor:
(1) Process the personal data of covered users only pursuant to the instructions of the operator, unless otherwise required by federal, state, or local laws, rules, or regulations;
(2) Assist the operator in meeting the operator's obligations under this chapter. The processor shall, taking into account the nature of processing and the information available to them, assist the operator by taking appropriate technical and organizational measures, to the extent practicable, for the fulfillment of the operator's obligation to delete personal data pursuant to section -B of this chapter;
(3) Upon reasonable request of the operator, make available to the operator all information in its possession necessary to demonstrate the processor's compliance with the obligations in this section;
(4) Allow, and cooperate with, reasonable assessments by the operator or the operator's designated assessor for purposes of evaluating compliance with the obligations of this chapter. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the operator upon request; and
(5) Notify the operator a reasonable time in advance before disclosing or transferring the personal data of covered users to any further processors, which may be in the form of a regularly updated list of further processors that may access personal data of covered users.
§ -D Ongoing coverage. (a) Upon learning that a user is no longer a covered user, an operator:
(1) Shall not process the personal data of the covered user that would otherwise be subject to the provisions of this chapter until it receives informed consent pursuant to paragraph (c) of section -B of this chapter, and
(2) Shall provide notice to such user that they may no longer be entitled to all of the protections and rights provided under this chapter.
(b) Upon learning that a user is no longer a covered user, an operator shall provide notice to such user that such user is no longer covered by the protections and rights provided under this chapter.
§ -E Respecting user-provided age flags. (a) For the purposes of this chapter, an operator shall treat a user as a covered user if the user's device communicates or signals that the user is or shall be treated as a minor, including through a browser plug-in or privacy setting, device setting, or other mechanism that complies with regulations promulgated by the attorney general.
(b) For the purposes of paragraph (c) of section -B of this chapter, an operator shall adhere to any clear and unambiguous communications or signals from a covered user's device, including through a browser plug-in or privacy setting, device setting, or other mechanism, concerning processing that the covered user consents to or declines to consent to. An operator shall not adhere to unclear or ambiguous communications or signals from a covered user's device and shall instead request informed consent pursuant to the provisions of section -B of this chapter.
§ -F Protections for third-party operators. (a) Sections -B and -C of this chapter shall not apply where a third-party operator is processing the personal data of a covered user of another website, online service, online application, mobile application, or connected device, or portion thereof, provided that the third-party operator received reasonable written representations that the covered user provided informed consent for such processing, or:
(1) The operator does not have actual knowledge that the covered user is a minor; and
(2) The operator does not have actual knowledge that the other website, online service, online application, mobile application, or connected device, or portion thereof, is primarily directed to minors.
§ -G Rulemaking authority. The attorney general may promulgate such rules and regulations as are necessary to effectuate and enforce the provisions of this chapter.
§ -H Scope. (a) This chapter shall apply to conduct that occurs in whole or in part in the state of Hawaii. For purposes of this chapter, commercial conduct takes place wholly outside of the state of Hawaii if the business collected such information while the covered user was outside of the state of Hawaii, no part of the use of the covered user's personal data occurred in the state of Hawaii, and no personal data collected while the covered user was in the state of Hawaii is used.
(b) Nothing in this chapter shall be construed to prohibit an operator from storing a covered user's personal data that was collected pursuant to section -B of this chapter when such covered user is in the state.
(c) Nothing in this chapter shall be construed to impose liability for commercial activities or actions by operators subject to 15 U.S.C. § 6501 that is inconsistent with the treatment of such activities or actions under 15 U.S.C. § 6502.
§ -I Remedies. Whenever it appears to the attorney general, either upon complaint or otherwise, that any person, within or outside the state, has engaged in or is about to engage in any of the acts or practices stated to be unlawful in this chapter, the attorney general may bring an action or special proceeding in the name and on behalf of the people of the state of Hawaii to enjoin any violation of this chapter, to obtain restitution of any moneys or property obtained directly or indirectly by any such violation, to obtain disgorgement of any profits or gains obtained directly or indirectly by any such violation, including but not limited to the destruction of unlawfully obtained data, to obtain damages caused directly or indirectly by any such violation, to obtain civil penalties of up to five thousand dollars per violation, and to obtain any such other and further relief as the court may deem proper, including preliminary relief.
SECTION 3. If any provision of this Act, or the application thereof to any person or circumstance, is held invalid, the invalidity does not affect other provisions or applications of the Act that can be given effect without the invalid provision or application, and to this end the provisions of this Act are severable.
SECTION 4. This Act does not affect rights and duties that matured, penalties that were incurred, and proceedings that were begun before its effective date.
SECTION 5. In codifying the new chapters added by section 1 and 2 of this Act, the revisor of statutes shall substitute appropriate section numbers for the letters used in designating the new section in this Act.
SECTION 6. This Act shall take effect on July 1, 2025.
INTRODUCED BY: _____________________________
INTRODUCED BY:
_____________________________
Report Title: Minors; Social Media; Addictive Content; Privacy; Data; Protection Description: Protects minors from addictive content by imposing special requirements for operators regarding consent, notifications, and age verification. Protects minors from having their online personal data processed without parental consent. The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.
Report Title:
Minors; Social Media; Addictive Content; Privacy; Data; Protection
Description:
Protects minors from addictive content by imposing special requirements for operators regarding consent, notifications, and age verification. Protects minors from having their online personal data processed without parental consent.
The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.