Hawaii 2025 Regular Session

Hawaii House Bill HB566 Compare Versions

Only one version of the bill is available at this time.
HOUSE OF REPRESENTATIVES
H.B. NO. 566
THIRTY-THIRD LEGISLATURE, 2025
STATE OF HAWAII

A BILL FOR AN ACT

RELATING TO PROTECTION OF MINORS.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:
SECTION 1. The Hawaii Revised Statutes is amended by adding a new chapter to be appropriately designated and to read as follows:

"Chapter

"§ -A Definitions. For the purpose of this chapter:

"Addictive feed" means a website, online service, online application, or mobile application, or a portion thereof, in which multiple pieces of media generated or shared by users of a website, online services, online application, or mobile application, either concurrently or sequentially, are recommended, selected, or prioritized for display to a user based, in whole or in part, on information associated with the user or the user's device, unless any of the following conditions are met, alone or in combination with one another:

(1) The recommendation, prioritization, or selection is based on information that is not persistently associated with the user or the user's device, and does not concern the user's previous interactions with media generated or shared by other users;

(2) The recommendation, prioritization, or selection is based on user-selected privacy or accessibility settings, or technical information concerning the user's device;

(3) The user expressly and unambiguously requested the specific media, media by the author, creator, or poster of media the user has subscribed to, or media shared by users to a page or group the user has subscribed to, provided that the media is not recommended, selected, or prioritized for display based, in whole or in part, on other information associated with the user or the user's device that is not otherwise permissible under this subdivision;

(4) The user expressly and unambiguously requested that specific media, media by a specified author, creator, or poster of media the user has subscribed to, or media shared by users to a page or group the user has subscribed to pursuant to paragraph (3) of this subdivision, be blocked, prioritized or deprioritized for display, provided that the media is not recommended, selected, or prioritized for display based, in whole or in part, on other information associated with the user or the user's device that is not otherwise permissible under this subdivision;

(5) The media are direct and private communications;

(6) The media are recommended, selected, or prioritized only in response to a specific search inquiry by the user;

(7) The media recommended, selected, or prioritized for display is exclusively next in a pre-existing sequence from the same author, creator, poster, or source; or

(8) The recommendation, prioritization, or selection is necessary to comply with the provisions of this chapter and any regulations promulgated pursuant to this chapter.

"Addictive social media platform" means a website, online service, online application, or mobile application, that offers or provides users an addictive feed as a significant part of the services provided by such website, online service, online application, or mobile application.

"Covered minor" means a user of a website, online service, online application, or mobile application in the State when the operator has actual knowledge the user is a minor.

"Covered operator" means any person, business, or other legal entity, who operates or provides an addictive social media platform.

"Covered user" means a user of a website, online service, online application, or mobile application in the State, not acting as an operator, or agent or affiliate of the operator, of such website, online service, online application, or mobile application, or any portion thereof.

"Media" means text, an image, or a video.

"Minor" means an individual under the age of eighteen.

"Parent" means parent or legal guardian.

§ -B Prohibition of addictive feeds.
(a) It shall be unlawful for a covered operator to provide an addictive feed to a covered user unless:

(1) The covered operator has used commercially reasonable and technically feasible methods to determine that the covered user is not a covered minor; or

(2) The covered operator has obtained verifiable parental consent to provide an addictive feed to a covered minor.

(b) The attorney general shall promulgate regulations identifying commercially reasonable and technically feasible methods for covered operators to determine if a covered user is a covered minor required pursuant to this section, and any exceptions thereto.

(1) In promulgating such regulations, the attorney general shall consider the size, financial resources, and technical capabilities of the addictive social media platform, the costs and effectiveness of available age determination techniques for users of the addictive social media platform, the audience of the addictive social media platform, prevalent practices of the industry of the covered operator, and the impact of the age determination techniques on the covered user's safety, utility, and experience.

(2) Such regulations shall also identify the appropriate levels of accuracy that would be commercially reasonable and technically feasible for covered operators to achieve in determining whether a covered user is a covered minor. Such regulations shall set forth multiple commercially reasonable and technically feasible methods for a covered operator to determine if a covered user is a covered minor, including at least one method that either does not rely solely on government issued identification or that allows a covered user to maintain anonymity as to covered operator of the addictive social media platform.

(3) Where a covered operator has used commercially reasonable and technically feasible age determination methods in compliance with such regulations and has not determined that a covered user is a covered minor, the covered operator shall operate under the presumption that the covered user is not a covered minor for the purposes of this chapter, unless it obtains actual knowledge that the covered user is a covered minor.

(c) Information collected for the purpose of determining a covered user's age under paragraph (b) shall not be used for any purpose other than age determination and shall be deleted immediately after an attempt to determine a covered user's age, except where necessary for compliance with any applicable provisions of state or federal law or regulation.

(d) The attorney general shall promulgate regulations identifying methods of obtaining verifiable parental consent pursuant to paragraph (a)(2) of section -B of this chapter.

(e) Information collected for the purpose of obtaining such verifiable parental consent shall not be used for any other purpose other than obtaining verifiable parental consent and shall be deleted immediately after an attempt to obtain verifiable parental consent, except where necessary for compliance with any applicable provision of state or federal law or regulation.

(f) Nothing in this section shall be construed as requiring any operator to give a parent who grants verifiable parental consent any additional or special access to or control over the data or accounts of their child.

(g) Nothing in this section shall be construed as preventing any action taken in good faith to restrict access to or availability of media that the covered operator considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected.

§ -C Overnight notifications.
It shall be unlawful for the covered operator of an addictive social media platform to, between the hours of 12 AM and 6 AM Hawaii Standard Time, send notifications concerning an addictive feed to a covered minor unless the operator has obtained verifiable parental consent to send such nighttime notifications.

§ -D Parental control. Nothing in this chapter shall be construed as requiring the operator of an addictive social media platform to give a parent any additional or special access to or control over the data or accounts of their child.

§ -E Nondiscrimination. A covered operator shall not withhold, degrade, lower the quality, or increase the price of any product, service, or feature, other than as necessary for compliance with the provisions of this chapter or any rules or regulations promulgated pursuant to this chapter, to a covered user due to the covered operator not being permitted to provide an addictive feed to such covered user under this chapter.

§ -F Rulemaking authority. The attorney general shall promulgate such rules and regulations as are necessary to effectuate and enforce the provisions of this chapter.

§ -G Scope. (a) This chapter shall apply to conduct that occurs in whole or in part in Hawaii. For purposes of this chapter, conduct takes place wholly outside of Hawaii if the addictive social media platform is accessed by a user who is physically located outside of Hawaii.

(b) Nothing in this chapter shall be construed to impose liability for commercial activities or actions by operators subject to 15 U.S.C. §6501 that is inconsistent with the treatment of such activities or actions under 15 U.S.C. §6502.

§ -H Remedies.
(a) No earlier than one hundred eighty days after the effective date of this chapter, whenever it appears to the attorney general, either upon complaint or otherwise, that any person, within or outside the State, has engaged in or is about to engage in any of the acts or practices stated to be unlawful in this chapter, the attorney general may bring an action or special proceeding in the name and on behalf of the people of the state of Hawaii to enjoin any violation of this chapter, to obtain restitution of any moneys or property obtained directly or indirectly by any such violation, to obtain disgorgement of any profits or gains obtained directly or indirectly by any such violation, including but not limited to the destruction of unlawfully obtained data, to obtain damages caused directly or indirectly by any such violation, to obtain civil penalties of up to five thousand dollars per violation, and to obtain any such other and further relief as the court may deem proper, including preliminary relief.

(b) The attorney general shall maintain a website to receive complaints, information, or referrals from members of the public concerning a covered operator's or social media platform's alleged compliance or non-compliance with the provisions of this chapter."

SECTION 2. The Hawaii Revised Statutes is amended by adding a new chapter to be appropriately designated and to read as follows:

"Chapter

§ -A Definitions. For the purpose of this chapter:

"Covered user" means a user of a website, online service, online application, mobile application, or connected device, or portion thereof, in the State who is:

(1) Actually known by the operator of such website, online service, online application, mobile application, or connected device to be a minor; or

(2) Using a website, online service, online application, mobile application, or connected device primarily directed to minors.

"Minor" means an individual under the age of eighteen.

"Operator" means any person who operates or provides a website on the internet, online service, online application, mobile application, or connected device, and who, alone or jointly with others, controls the purposes and means of processing personal data. A person that acts as both an operator and processor shall comply with the applicable obligations of an operator and the obligations of a processor, depending on its role with respect to each specific processing of personal data.

"Personal data" means any data that identifies or could reasonably be linked, directly or indirectly, with a specific natural person or device.

"Process" or "processing" means an operation or set of operations performed on personal data, including but not limited to the collection, use, access, sharing, sale, monetization, analysis, retention, creation, generation, derivation, recording, organization, structuring, storage, disclosure, transmission, disposal, licensing, destruction, deletion, modification, or deidentification of personal data.

"Primarily directed to minors" means a website, online service, online application, mobile application, or connected device, or a portion thereof, that is targeted to minors. A website, online service, online application, mobile application, or connected device, or portion thereof, shall not be deemed directed primarily to minors solely because such website, online service, online application, mobile application, or connected device, or portion thereof refers or links to any other website, online service, online application, mobile application, or connected device directed to minors by using information location tools, including a directory, index, reference, pointer, or hypertext link.
A website, online service, online application, mobile application, or connected device, or portion thereof, shall be deemed directed to minors when it has actual knowledge that it is collecting personal data of users directly from users of another website, online service, online application, mobile application, or connected device primarily directed to minors.

"Sell" means to share personal data for monetary or other valuable consideration. "Selling" shall not include the sharing of personal data for monetary or other valuable consideration to another person as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which that person assumes control of all or part of the operator's assets or the sharing of personal data with a processor.

"Processor" means any person who processes data on behalf of the operator. A person that acts as both an operator and processor shall comply with the applicable obligations of an operator and the obligations of a processor, depending on its role with respect to each specific processing of personal data.

"Third-party operator" means an operator who is not the operator:

(1) With whom the user intentionally and directly interacts; or

(2) That collects personal data from the directed and current interactions with the user.

§ -B Privacy protection by default. (a) Except as provided for in paragraph (f) of this section and section -F of this chapter, an operator shall not process, or allow a processor to process, the personal data of a covered user collected through the use of a website, online service, online application, mobile application, or connected device, or allow a third-party operator to collect the personal data of a covered user collected through the operator's website, online service, online application, mobile application, or connected device unless and to the extent:

(1) The covered user is twelve years of age or younger and processing is permitted under 15 U.S.C. § 6502 and its implementing regulations; or

(2) The covered user is thirteen years of age or older and processing is strictly necessary for an activity set forth in paragraph (b) of this section, or informed consent has been obtained as set forth in paragraph (c) of this section.

(b) The process of personal data of a covered user is permissible where it is strictly necessary for the following permissible purposes:

(1) Providing or maintaining a specific product or service requested by the covered user;

(2) Conducting the operator's internal business operations. For purposes of this paragraph, such internal business operations shall not include any activities related to marketing, advertising, research and development, providing products or services to third parties, or prompting covered users to use the website, online service, online application, mobile application, or connected device when it is not in use;

(3) Identifying and repairing technical errors that impair existing or intended functionality;

(4) Protecting against malicious, fraudulent, or illegal activity;

(5) Investigating, establishing, exercising, preparing for, or defending legal claims;

(6) Complying with federal, state, or local laws, rules, or regulations;

(7) Complying with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;

(8) Detecting, responding to, or preventing security incidents or threats; or

(9) Protecting the vital interests of a natural person.

(c) To process personal data of a covered user where such processing is not strictly necessary under paragraph (b) of this section, informed consent must be obtained from the covered user either through a device communication or signal pursuant to the provisions of section -E of this chapter or through a request.
(1) Requests for such informed consent shall:

(i) Be made separately from any other transaction or part of a transaction;

(ii) Be made in the absence of any mechanism that has the purpose or substantial effect of obscuring, subverting, or impairing a covered user's decision-making regarding authorization for the processing;

(iii) Clearly and conspicuously state that the processing for which the consent is requested is not strictly necessary, and that the covered user may decline without preventing continued use of the website, online service, online application, mobile application, or connected device; and

(iv) Clearly present an option to refuse to provide consent as the most prominent option.

(2) Such informed consent, once given, shall be freely revocable at any time, and shall be at least as easy to revoke as it was to provide.

(3) If a covered user declines to provide or revokes informed consent for processing, another request may not be made for such processing for the following calendar year, however an operator may make available a mechanism that a covered user can use unprompted and at the user's discretion to provide informed consent.

(4) If a covered user's device communicates or signals that the covered user declines to provide informed consent for processing pursuant to the provisions of section -E of this chapter, an operator shall not request informed consent for such processing, however an operator may make available a mechanism that a covered user can use unprompted and at the user's discretion to provide informed consent.

(d) Except where processing is strictly necessary to provide a product, service, or feature, an operator may not withhold, degrade, lower the quality, or increase the price of any product, service, or feature to a covered user due to the operator not obtaining verifiable parental consent under 15 U.S.C. § 6502 and its implementing regulations or informed consent under paragraph (c) of this section.
(e) Except as provided for in section -F of this chapter, an operator shall not purchase or sell, or allow a processor or third-party operator to purchase or sell, the personal data of a covered user.

(f) Within thirty days of determining or being informed that a user is a covered user, an operator shall:

(1) Dispose of, destroy, or delete and direct all of its processors to dispose of, destroy, or delete all personal data of such covered user that it maintains, unless processing such personal data is permitted under 15 U.S.C. § 6502 and its implementing regulations, is strictly necessary for an activity listed in paragraph (b) of this section, or informed consent is obtained as set forth in paragraph (c) of this section; and

(2) Notify any third-party operators to whom it knows it disclosed personal data of that covered user, and any third-party operators it knows it allowed to process the personal data that may include the personal data of that user, that the user is a covered user.

(g) Except as provided for in section -F of this chapter, prior to disclosing personal data to a third-party operator, or permitting a third-party operator to collect personal data from the operator's website, online service, online application, mobile application, connected device, or portion thereof, the operator shall disclose to the third-party operator:

(1) When their website, online service, online application, mobile application, connected device, or portion thereof, is primarily directed to minors; or

(2) When the personal data concerns a covered user.

§ -C. Processors. (a) Except as provided for in section -F of this chapter, no operator or processor shall disclose the personal data of a covered user to a third party or allow the processing of the personal data of a covered user by a third party, without a written, binding agreement governing such disclosure or processing. Such agreement shall clearly set forth instructions for the nature and purpose of the processor's processing of the personal data, instructions for using or further disclosing the personal data, and the rights and obligations of both parties.

(b) Processors shall process the personal data of covered users only when permitted by the terms of the agreement pursuant to paragraph (a) of this section, unless otherwise required by federal, state, or local laws, rules, or regulations.

(c) A processor shall, at the direction of the operator, dispose of, destroy, or delete personal data, and notify any other processor to which it disclosed the personal data of the operator's direction, unless retention of the personal data is required by federal, state, or local laws, rules, or regulations. The processor shall provide evidence of such deletion to the operator within thirty days of the deletion request.

(d) A processor shall delete or return to the operator all personal data of covered users at the end of its provision of services, unless retention of the personal data is required by federal, state, or local laws, rules, or regulations. The processor shall provide evidence of such deletion to the operator within thirty days of the deletion request.

(e) An agreement pursuant to paragraph (a) of this section shall require that the processor:

(1) Process the personal data of covered users only pursuant to the instructions of the operator, unless otherwise required by federal, state, or local laws, rules, or regulations;

(2) Assist the operator in meeting the operator's obligations under this chapter. The processor shall, taking into account the nature of processing and the information available to them, assist the operator by taking appropriate technical and organizational measures, to the extent practicable, for the fulfillment of the operator's obligation to delete personal data pursuant to section -B of this chapter;

(3) Upon reasonable request of the operator, make available to the operator all information in its possession necessary to demonstrate the processor's compliance with the obligations in this section;

(4) Allow, and cooperate with, reasonable assessments by the operator or the operator's designated assessor for purposes of evaluating compliance with the obligations of this chapter. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the operator upon request; and

(5) Notify the operator a reasonable time in advance before disclosing or transferring the personal data of covered users to any further processors, which may be in the form of a regularly updated list of further processors that may access personal data of covered users.

§ -D Ongoing coverage. (a) Upon learning that a user is no longer a covered user, an operator:

(1) Shall not process the personal data of the covered user that would otherwise be subject to the provisions of this chapter until it receives informed consent pursuant to paragraph (c) of section -B of this chapter, and

(2) Shall provide notice to such user that they may no longer be entitled to all of the protections and rights provided under this chapter.
(b) Upon learning that a user is no longer a covered user, an operator shall provide notice to such user that such user is no longer covered by the protections and rights provided under this chapter.

§ -E Respecting user-provided age flags. (a) For the purposes of this chapter, an operator shall treat a user as a covered user if the user's device communicates or signals that the user is or shall be treated as a minor, including through a browser plug-in or privacy setting, device setting, or other mechanism that complies with regulations promulgated by the attorney general.

(b) For the purposes of paragraph (c) of section -B of this chapter, an operator shall adhere to any clear and unambiguous communications or signals from a covered user's device, including through a browser plug-in or privacy setting, device setting, or other mechanism, concerning processing that the covered user consents to or declines to consent to. An operator shall not adhere to unclear or ambiguous communications or signals from a covered user's device and shall instead request informed consent pursuant to the provisions of section -B of this chapter.

§ -F Protections for third-party operators. (a) Sections -B and -C of this chapter shall not apply where a third-party operator is processing the personal data of a covered user of another website, online service, online application, mobile application, or connected device, or portion thereof, provided that the third-party operator received reasonable written representations that the covered user provided informed consent for such processing, or:

(1) The operator does not have actual knowledge that the covered user is a minor; and

(2) The operator does not have actual knowledge that the other website, online service, online application, mobile application, or connected device, or portion thereof, is primarily directed to minors.

§ -G Rulemaking authority.
The attorney general may promulgate such rules and regulations as are necessary to effectuate and enforce the provisions of this chapter.

§ -H Scope. (a) This chapter shall apply to conduct that occurs in whole or in part in the state of Hawaii. For purposes of this chapter, commercial conduct takes place wholly outside of the state of Hawaii if the business collected such information while the covered user was outside of the state of Hawaii, no part of the use of the covered user's personal data occurred in the state of Hawaii, and no personal data collected while the covered user was in the state of Hawaii is used.

(b) Nothing in this chapter shall be construed to prohibit an operator from storing a covered user's personal data that was collected pursuant to section -B of this chapter when such covered user is in the state.

(c) Nothing in this chapter shall be construed to impose liability for commercial activities or actions by operators subject to 15 U.S.C. § 6501 that is inconsistent with the treatment of such activities or actions under 15 U.S.C. § 6502.

§ -I Remedies.
Whenever it appears to the attorney general, either upon complaint or otherwise, that any person, within or outside the state, has engaged in or is about to engage in any of the acts or practices stated to be unlawful in this chapter, the attorney general may bring an action or special proceeding in the name and on behalf of the people of the state of Hawaii to enjoin any violation of this chapter, to obtain restitution of any moneys or property obtained directly or indirectly by any such violation, to obtain disgorgement of any profits or gains obtained directly or indirectly by any such violation, including but not limited to the destruction of unlawfully obtained data, to obtain damages caused directly or indirectly by any such violation, to obtain civil penalties of up to five thousand dollars per violation, and to obtain any such other and further relief as the court may deem proper, including preliminary relief.

SECTION 3. If any provision of this Act, or the application thereof to any person or circumstance, is held invalid, the invalidity does not affect other provisions or applications of the Act that can be given effect without the invalid provision or application, and to this end the provisions of this Act are severable.

SECTION 4. This Act does not affect rights and duties that matured, penalties that were incurred, and proceedings that were begun before its effective date.

SECTION 5. In codifying the new chapters added by section 1 and 2 of this Act, the revisor of statutes shall substitute appropriate section numbers for the letters used in designating the new section in this Act.

SECTION 6. This Act shall take effect on July 1, 2025.

INTRODUCED BY: _____________________________
9696
9797 (2) Such regulations shall also identify the appropriate levels of accuracy that would be commercially reasonable and technically feasible for covered operators to achieve in determining whether a covered user is a covered minor. Such regulations shall set forth multiple commercially reasonable and technically feasible methods for a covered operator to determine if a covered user is a covered minor, including at least one method that either does not rely solely on government issued identification or that allows a covered user to maintain anonymity as to the covered operator of the addictive social media platform.
9898
9999 (3) Where a covered operator has used commercially reasonable and technically feasible age determination methods in compliance with such regulations and has not determined that a covered user is a covered minor, the covered operator shall operate under the presumption that the covered user is not a covered minor for the purposes of this chapter, unless it obtains actual knowledge that the covered user is a covered minor.
100100
101101 (c) Information collected for the purpose of determining a covered user's age under paragraph (b) shall not be used for any purpose other than age determination and shall be deleted immediately after an attempt to determine a covered user's age, except where necessary for compliance with any applicable provisions of state or federal law or regulation.
102102
103103 (d) The attorney general shall promulgate regulations identifying methods of obtaining verifiable parental consent pursuant to paragraph (a)(2) of section -B of this chapter.
104104
105105 (e) Information collected for the purpose of obtaining such verifiable parental consent shall not be used for any other purpose other than obtaining verifiable parental consent and shall be deleted immediately after an attempt to obtain verifiable parental consent, except where necessary for compliance with any applicable provision of state or federal law or regulation.
106106
107107 (f) Nothing in this section shall be construed as requiring any operator to give a parent who grants verifiable parental consent any additional or special access to or control over the data or accounts of their child.
108108
109109 (g) Nothing in this section shall be construed as preventing any action taken in good faith to restrict access to or availability of media that the covered operator considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected.
110110
111111 § -C Overnight notifications. It shall be unlawful for the covered operator of an addictive social media platform to, between the hours of 12 AM and 6 AM Hawaii Standard Time, send notifications concerning an addictive feed to a covered minor unless the operator has obtained verifiable parental consent to send such nighttime notifications.
112112
113113 § -D Parental control. Nothing in this chapter shall be construed as requiring the operator of an addictive social media platform to give a parent any additional or special access to or control over the data or accounts of their child.
114114
115115 § -E Nondiscrimination. A covered operator shall not withhold, degrade, lower the quality, or increase the price of any product, service, or feature, other than as necessary for compliance with the provisions of this chapter or any rules or regulations promulgated pursuant to this chapter, to a covered user due to the covered operator not being permitted to provide an addictive feed to such covered user under this chapter.
116116
117117 § -F Rulemaking authority. The attorney general shall promulgate such rules and regulations as are necessary to effectuate and enforce the provisions of this chapter.
118118
119119 § -G Scope. (a) This chapter shall apply to conduct that occurs in whole or in part in Hawaii. For purposes of this chapter, conduct takes place wholly outside of Hawaii if the addictive social media platform is accessed by a user who is physically located outside of Hawaii.
120120
121121 (b) Nothing in this chapter shall be construed to impose liability for commercial activities or actions by operators subject to 15 U.S.C. §6501 that is inconsistent with the treatment of such activities or actions under 15 U.S.C. §6502.
122122
123123 § -H Remedies. (a) No earlier than one hundred eighty days after the effective date of this chapter, whenever it appears to the attorney general, either upon complaint or otherwise, that any person, within or outside the State, has engaged in or is about to engage in any of the acts or practices stated to be unlawful in this chapter, the attorney general may bring an action or special proceeding in the name and on behalf of the people of the state of Hawaii to enjoin any violation of this chapter, to obtain restitution of any moneys or property obtained directly or indirectly by any such violation, to obtain disgorgement of any profits or gains obtained directly or indirectly by any such violation, including but not limited to the destruction of unlawfully obtained data, to obtain damages caused directly or indirectly by any such violation, to obtain civil penalties of up to five thousand dollars per violation, and to obtain any such other and further relief as the court may deem proper, including preliminary relief.
124124
125125 (b) The attorney general shall maintain a website to receive complaints, information, or referrals from members of the public concerning a covered operator's or social media platform's alleged compliance or non-compliance with the provisions of this chapter."
126126
127127 SECTION 2. The Hawaii Revised Statutes is amended by adding a new chapter to be appropriately designated and to read as follows:
128128
129129 "Chapter
130130
131131 § -A Definitions. For the purpose of this chapter:
132132
133133 "Covered user" means a user of a website, online service, online application, mobile application, or connected device, or portion thereof, in the State who is:
134134
135135 (1) Actually known by the operator of such website, online service, online application, mobile application, or connected device to be a minor; or
136136
137137 (2) Using a website, online service, online application, mobile application, or connected device primarily directed to minors.
138138
139139 "Minor" means an individual under the age of eighteen.
140140
141141 "Operator" means any person who operates or provides a website on the internet, online service, online application, mobile application, or connected device, and who, alone or jointly with others, controls the purposes and means of processing personal data. A person that acts as both an operator and processor shall comply with the applicable obligations of an operator and the obligations of a processor, depending on its role with respect to each specific processing of personal data.
142142
143143 "Personal data" means any data that identifies or could reasonably be linked, directly or indirectly, with a specific natural person or device.
144144
145145 "Process" or "processing" means an operation or set of operations performed on personal data, including but not limited to the collection, use, access, sharing, sale, monetization, analysis, retention, creation, generation, derivation, recording, organization, structuring, storage, disclosure, transmission, disposal, licensing, destruction, deletion, modification, or deidentification of personal data.
146146
147147 "Primarily directed to minors" means a website, online service, online application, mobile application, or connected device, or a portion thereof, that is targeted to minors. A website, online service, online application, mobile application, or connected device, or portion thereof, shall not be deemed directed primarily to minors solely because such website, online service, online application, mobile application, or connected device, or portion thereof refers or links to any other website, online service, online application, mobile application, or connected device directed to minors by using information location tools, including a directory, index, reference, pointer, or hypertext link. A website, online service, online application, mobile application, or connected device, or portion thereof, shall be deemed directed to minors when it has actual knowledge that it is collecting personal data of users directly from users of another website, online service, online application, mobile application, or connected device primarily directed to minors.
148148
149149 "Sell" means to share personal data for monetary or other valuable consideration. "Selling" shall not include the sharing of personal data for monetary or other valuable consideration to another person as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which that person assumes control of all or part of the operator's assets or the sharing of personal data with a processor.
150150
151151 "Processor" means any person who processes data on behalf of the operator. A person that acts as both an operator and processor shall comply with the applicable obligations of an operator and the obligations of a processor, depending on its role with respect to each specific processing of personal data.
152152
153153 "Third-party operator" means an operator who is not the operator:
154154
155155 (1) With whom the user intentionally and directly interacts; or
156156
157157 (2) That collects personal data from the directed and current interactions with the user.
158158
159159 § -B Privacy protection by default. (a) Except as provided for in paragraph (f) of this section and section -F of this chapter, an operator shall not process, or allow a processor to process, the personal data of a covered user collected through the use of a website, online service, online application, mobile application, or connected device, or allow a third-party operator to collect the personal data of a covered user collected through the operator's website, online service, online application, mobile application, or connected device unless and to the extent:
160160
161161 (1) The covered user is twelve years of age or younger and processing is permitted under 15 U.S.C. § 6502 and its implementing regulations; or
162162
163163 (2) The covered user is thirteen years of age or older and processing is strictly necessary for an activity set forth in paragraph (b) of this section, or informed consent has been obtained as set forth in paragraph (c) of this section.
164164
165165 (b) The processing of personal data of a covered user is permissible where it is strictly necessary for the following permissible purposes:
166166
167167 (1) Providing or maintaining a specific product or service requested by the covered user;
168168
169169 (2) Conducting the operator's internal business operations. For purposes of this paragraph, such internal business operations shall not include any activities related to marketing, advertising, research and development, providing products or services to third parties, or prompting covered users to use the website, online service, online application, mobile application, or connected device when it is not in use;
170170
171171 (3) Identifying and repairing technical errors that impair existing or intended functionality;
172172
173173 (4) Protecting against malicious, fraudulent, or illegal activity;
174174
175175 (5) Investigating, establishing, exercising, preparing for, or defending legal claims;
176176
177177 (6) Complying with federal, state, or local laws, rules, or regulations;
178178
179179 (7) Complying with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
180180
181181 (8) Detecting, responding to, or preventing security incidents or threats; or
182182
183183 (9) Protecting the vital interests of a natural person.
184184
185185 (c) To process personal data of a covered user where such processing is not strictly necessary under paragraph (b) of this section, informed consent must be obtained from the covered user either through a device communication or signal pursuant to the provisions of section -E of this chapter or through a request.
186186
187187 (1) Requests for such informed consent shall:
188188
189189 (i) Be made separately from any other transaction or part of a transaction;
190190
191191 (ii) Be made in the absence of any mechanism that has the purpose or substantial effect of obscuring, subverting, or impairing a covered user's decision-making regarding authorization for the processing;
192192
193193 (iii) Clearly and conspicuously state that the processing for which the consent is requested is not strictly necessary, and that the covered user may decline without preventing continued use of the website, online service, online application, mobile application, or connected device; and
194194
195195 (iv) Clearly present an option to refuse to provide consent as the most prominent option.
196196
197197 (2) Such informed consent, once given, shall be freely revocable at any time, and shall be at least as easy to revoke as it was to provide.
198198
199199 (3) If a covered user declines to provide or revokes informed consent for processing, another request may not be made for such processing for the following calendar year, however an operator may make available a mechanism that a covered user can use unprompted and at the user's discretion to provide informed consent.
200200
201201 (4) If a covered user's device communicates or signals that the covered user declines to provide informed consent for processing pursuant to the provisions of section -E of this chapter, an operator shall not request informed consent for such processing, however an operator may make available a mechanism that a covered user can use unprompted and at the user's discretion to provide informed consent.
202202
203203 (d) Except where processing is strictly necessary to provide a product, service, or feature, an operator may not withhold, degrade, lower the quality, or increase the price of any product, service, or feature to a covered user due to the operator not obtaining verifiable parental consent under 15 U.S.C. § 6502 and its implementing regulations or informed consent under paragraph (c) of this section.
204204
205205 (e) Except as provided for in section -F of this chapter, an operator shall not purchase or sell, or allow a processor or third-party operator to purchase or sell, the personal data of a covered user.
206206
207207 (f) Within thirty days of determining or being informed that a user is a covered user, an operator shall:
208208
209209 (1) Dispose of, destroy, or delete and direct all of its processors to dispose of, destroy, or delete all personal data of such covered user that it maintains, unless processing such personal data is permitted under 15 U.S.C. § 6502 and its implementing regulations, is strictly necessary for an activity listed in paragraph (b) of this section, or informed consent is obtained as set forth in paragraph (c) of this section; and
210210
211211 (2) Notify any third-party operators to whom it knows it disclosed personal data of that covered user, and any third-party operators it knows it allowed to process the personal data that may include the personal data of that user, that the user is a covered user.
212212
213213 (g) Except as provided for in section -F of this chapter, prior to disclosing personal data to a third-party operator, or permitting a third-party operator to collect personal data from the operator's website, online service, online application, mobile application, connected device, or portion thereof, the operator shall disclose to the third-party operator:
214214
215215 (1) When their website, online service, online application, mobile application, connected device, or portion thereof, is primarily directed to minors; or
216216
217217 (2) When the personal data concerns a covered user.
218218
219219 § -C. Processors. (a) Except as provided for in section -F of this chapter, no operator or processor shall disclose the personal data of a covered user to a third party or allow the processing of the personal data of a covered user by a third party, without a written, binding agreement governing such disclosure or processing. Such agreement shall clearly set forth instructions for the nature and purpose of the processor's processing of the personal data, instructions for using or further disclosing the personal data, and the rights and obligations of both parties.
220220
221221 (b) Processors shall process the personal data of covered users only when permitted by the terms of the agreement pursuant to paragraph (a) of this section, unless otherwise required by federal, state, or local laws, rules, or regulations.
222222
223223 (c) A processor shall, at the direction of the operator, dispose of, destroy, or delete personal data, and notify any other processor to which it disclosed the personal data of the operator's direction, unless retention of the personal data is required by federal, state, or local laws, rules, or regulations. The processor shall provide evidence of such deletion to the operator within thirty days of the deletion request.
224224
225225 (d) A processor shall delete or return to the operator all personal data of covered users at the end of its provision of services, unless retention of the personal data is required by federal, state, or local laws, rules, or regulations. The processor shall provide evidence of such deletion to the operator within thirty days of the deletion request.
226226
227227 (e) An agreement pursuant to paragraph (a) of this section shall require that the processor:
228228
229229 (1) Process the personal data of covered users only pursuant to the instructions of the operator, unless otherwise required by federal, state, or local laws, rules, or regulations;
230230
231231 (2) Assist the operator in meeting the operator's obligations under this chapter. The processor shall, taking into account the nature of processing and the information available to them, assist the operator by taking appropriate technical and organizational measures, to the extent practicable, for the fulfillment of the operator's obligation to delete personal data pursuant to section -B of this chapter;
232232
233233 (3) Upon reasonable request of the operator, make available to the operator all information in its possession necessary to demonstrate the processor's compliance with the obligations in this section;
234234
235235 (4) Allow, and cooperate with, reasonable assessments by the operator or the operator's designated assessor for purposes of evaluating compliance with the obligations of this chapter. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the operator upon request; and
236236
237237 (5) Notify the operator a reasonable time in advance before disclosing or transferring the personal data of covered users to any further processors, which may be in the form of a regularly updated list of further processors that may access personal data of covered users.
238238
239239 § -D Ongoing coverage. (a) Upon learning that a user is no longer a covered user, an operator:
240240
241241 (1) Shall not process the personal data of the covered user that would otherwise be subject to the provisions of this chapter until it receives informed consent pursuant to paragraph (c) of section -B of this chapter, and
242242
243243 (2) Shall provide notice to such user that they may no longer be entitled to all of the protections and rights provided under this chapter.
244244
245245 (b) Upon learning that a user is no longer a covered user, an operator shall provide notice to such user that such user is no longer covered by the protections and rights provided under this chapter.
246246
247247 § -E Respecting user-provided age flags. (a) For the purposes of this chapter, an operator shall treat a user as a covered user if the user's device communicates or signals that the user is or shall be treated as a minor, including through a browser plug-in or privacy setting, device setting, or other mechanism that complies with regulations promulgated by the attorney general.
248248
249249 (b) For the purposes of paragraph (c) of section -B of this chapter, an operator shall adhere to any clear and unambiguous communications or signals from a covered user's device, including through a browser plug-in or privacy setting, device setting, or other mechanism, concerning processing that the covered user consents to or declines to consent to. An operator shall not adhere to unclear or ambiguous communications or signals from a covered user's device and shall instead request informed consent pursuant to the provisions of section -B of this chapter.
250250
251251 § -F Protections for third-party operators. (a) Sections -B and -C of this chapter shall not apply where a third-party operator is processing the personal data of a covered user of another website, online service, online application, mobile application, or connected device, or portion thereof, provided that the third-party operator received reasonable written representations that the covered user provided informed consent for such processing, or:
252252
253253 (1) The operator does not have actual knowledge that the covered user is a minor; and
254254
255255 (2) The operator does not have actual knowledge that the other website, online service, online application, mobile application, or connected device, or portion thereof, is primarily directed to minors.
256256
257257 § -G Rulemaking authority. The attorney general may promulgate such rules and regulations as are necessary to effectuate and enforce the provisions of this chapter.
258258
259259 § -H Scope. (a) This chapter shall apply to conduct that occurs in whole or in part in the state of Hawaii. For purposes of this chapter, commercial conduct takes place wholly outside of the state of Hawaii if the business collected such information while the covered user was outside of the state of Hawaii, no part of the use of the covered user's personal data occurred in the state of Hawaii, and no personal data collected while the covered user was in the state of Hawaii is used.
260260
261261 (b) Nothing in this chapter shall be construed to prohibit an operator from storing a covered user's personal data that was collected pursuant to section -B of this chapter when such covered user is in the state.
262262
263263 (c) Nothing in this chapter shall be construed to impose liability for commercial activities or actions by operators subject to 15 U.S.C. § 6501 that is inconsistent with the treatment of such activities or actions under 15 U.S.C. § 6502.
264264
265265 § -I Remedies. Whenever it appears to the attorney general, either upon complaint or otherwise, that any person, within or outside the state, has engaged in or is about to engage in any of the acts or practices stated to be unlawful in this chapter, the attorney general may bring an action or special proceeding in the name and on behalf of the people of the state of Hawaii to enjoin any violation of this chapter, to obtain restitution of any moneys or property obtained directly or indirectly by any such violation, to obtain disgorgement of any profits or gains obtained directly or indirectly by any such violation, including but not limited to the destruction of unlawfully obtained data, to obtain damages caused directly or indirectly by any such violation, to obtain civil penalties of up to five thousand dollars per violation, and to obtain any such other and further relief as the court may deem proper, including preliminary relief.
266266
267267 SECTION 3. If any provision of this Act, or the application thereof to any person or circumstance, is held invalid, the invalidity does not affect other provisions or applications of the Act that can be given effect without the invalid provision or application, and to this end the provisions of this Act are severable.
268268
269269 SECTION 4. This Act does not affect rights and duties that matured, penalties that were incurred, and proceedings that were begun before its effective date.
270270
271271 SECTION 5. In codifying the new chapters added by sections 1 and 2 of this Act, the revisor of statutes shall substitute appropriate section numbers for the letters used in designating the new sections in this Act.
272272
273273 SECTION 6. This Act shall take effect on July 1, 2025.
274274
275275
276276
277277 INTRODUCED BY: _____________________________
286286
287287 Report Title: Minors; Social Media; Addictive Content; Privacy; Data; Protection Description: Protects minors from addictive content by imposing special requirements for operators regarding consent, notifications, and age verification. Protects minors from having their online personal data processed without parental consent. The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.