open-agreements 0.7.6 → 0.8.0

package/skills/legal-explainers/data-privacy-law-explainer/content/hawaii.md

@@ -0,0 +1,167 @@
+---
+jurisdiction: "Hawaii"
+slug: hawaii
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-12"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/hawaii
+license: CC BY 4.0
+stale: false
+---
+
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/hawaii · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+
+# Hawaii Consumer Privacy Law[^about]
+
+Hawaii has no comprehensive consumer-privacy statute; the operative state framework is sectoral — breach notification under HRS chapter 487N (which carries a private right of action), social security number protection under chapter 487J, records-destruction duties under chapter 487R, and the chapter 480 unfair-or-deceptive-practices law — plus the federal overlay (FTC Act § 5, GLBA, HIPAA, COPPA).
+
+
+## At a glance
+
+| Question | Hawaii |
+| --- | --- |
+| **Law coverage** | No comprehensive law |
+| **Summary** | Hawaii has not enacted a comprehensive consumer-privacy law, so there are no general access, deletion, correction, or opt-out rights under state law. The operative state framework is sectoral — breach notification under HRS ch. 487N, social security number protections under ch. 487J, records-destruction duties under ch. 487R, and the ch. 480 unfair-or-deceptive-practices law. The standout exposure: § 487N-3(b) gives a person injured by a breach-notification violation a private damages action, and § 480-13 adds treble damages with a $1,000 floor for deceptive practices, so Hawaii's sectoral rules carry real private-suit risk even without an omnibus act. |
+| **Main law** | Hawaii Revised Statutes ch. 487N (security breach notification), ch. 487J (social security number protection), ch. 487R (destruction of personal information records), and ch. 480 (unfair or deceptive practices) — Hawaii has no comprehensive consumer-privacy statute |
+| **Privacy policy required?** | No Hawaii statute mandates a general consumer privacy policy or fixes its contents; a policy that misstates actual practices is reachable as a deceptive practice under FTC Act § 5 and HRS § 480-2, and GLBA, HIPAA, and COPPA supply the contents where those regimes apply |
+| **Who does it cover?** | Any business — a sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized for profit — that owns, licenses, maintains, or disposes of personal information of Hawaii residents, plus government agencies; no revenue or consumer-volume thresholds |
+| **Can consumers sue?** | Limited path |
+| **Privacy policy rule** | No state policy checklist |
+| **Consent for sensitive data?** | No special rule |
+| **Browser opt-out signals?** | Not required |
+| **Lawsuit detail** | Yes — HRS § 487N-3(b) makes a business that violates the breach-notification chapter liable to the injured party for actual damages plus possible attorneys' fees (chs. 487J and 487R carry the same clause), and HRS § 480-13 gives consumers treble damages with a $1,000 floor for unfair or deceptive practices |
+| **Who enforces it?** | Hawaii Attorney General and the Executive Director of the Office of Consumer Protection (Department of Commerce and Consumer Affairs) |
+
+## Which privacy laws apply to your business in Hawaii? {#which-privacy-laws-apply}
+
+**Short answer.** There is no comprehensive Hawaii consumer-privacy law. The state framework is sectoral, built on four statutes. The security breach act, HRS chapter 487N, requires any business that owns or licenses personal information of Hawaii residents — in any form, computerized, paper, or otherwise — and any government agency collecting personal information to notify affected persons of a security breach [^law-breach-duty]. Chapter 487J restricts how businesses and government agencies may use and disclose social security numbers [^law-ssn]. Chapter 487R requires reasonable measures to protect personal information when records are disposed of [^law-disposal]. And chapter 480 — Hawaii's unfair-and-deceptive-practices law — makes unfair or deceptive acts or practices in any trade or commerce unlawful, the hook that reaches broken privacy promises [^law-udap].
+
+These statutes sweep broadly on the entity side even though they are narrow on the subject-matter side: a covered *business* is a sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit [^law-business-def], and none of the three 487-series chapters carries a revenue or consumer-volume threshold. What Hawaii does not have is an omnibus statute: residents hold no general state-law rights to access, delete, correct, or port their personal data, no right to opt out of sale or targeted advertising, and businesses face no state notice-at-collection, consent, data-protection-assessment, or universal opt-out-signal duties. Comprehensive consumer-privacy proposals that would have created an omnibus rights-and-duties framework have not been enacted, so the sectoral statutes above remain the operative state law.
+
+The rest of a Hawaii-facing privacy program rides the federal overlay. Under Section 5 of the FTC Act, unfair or deceptive acts or practices in or affecting commerce are unlawful [^q1-ftc5]. The Gramm-Leach-Bliley Act bars a financial institution from disclosing nonpublic personal information to a nonaffiliated third party unless it has provided the consumer the required privacy notice [^q1-glba]; HIPAA gives individuals a right to adequate notice of the uses and disclosures of protected health information a covered entity may make [^q1-hipaa]; and the Children's Online Privacy Protection Act makes it unlawful for an operator of a website or online service directed to children to collect personal information from a child in a manner that violates the FTC's implementing regulations [^q1-coppa]. This note is written to stay durable: a program built to the breach act, the sectoral handling rules, and that overlay upgrades rather than restarts if Hawaii later enacts an omnibus law.
+
+## What must your Hawaii privacy policy contain? {#privacy-policy-contents}
+
+**Short answer.** No Hawaii statute requires a general consumer privacy policy or fixes what it must say. The binding rule is instead that whatever you publish has to be true: under Section 5 of the FTC Act, unfair or deceptive acts or practices in or affecting commerce are unlawful [^policy-ftc5], and HRS § 480-2 makes the same conduct unlawful as a matter of Hawaii law — with Hawaii courts and the Office of Consumer Protection directed to construe the state statute in line with FTC and federal-court interpretations of FTC Act § 5 [^policy-udap-ftc-guide]. A privacy policy that misstates how you collect, use, share, retain, or secure data is therefore exposed under both regimes at once.
+
+Where a sectoral regime applies, that regime supplies the contents. A HIPAA covered entity must give individuals a notice of the uses and disclosures of their protected health information and of their rights and the entity's legal duties [^policy-hipaa-notice]; a GLBA financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless it has provided the consumer a privacy notice that complies with the federal requirements [^policy-glba-notice]; and a COPPA operator must provide notice on its website of what information it collects from children, how it uses that information, and its disclosure practices [^policy-coppa-notice]. For everyone else, the drafting question in Hawaii is less *what must be included* and more *does the policy match actual practice*. Best practice: describe the categories of data collected, the purposes, the third parties you share with, retention and security practices at an honest level of generality, and how users exercise any choices you offer — then honor it, because the enforceable obligation is consistency between the statement and the conduct. There is no Hawaii-mandated checklist to cite here, which is itself the point: the contents are overlay-driven, not state-statute-driven.
+
+## What must your contracts with vendors say? {#vendor-contracts}
+
+**Short answer.** Hawaii has no omnibus data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs for general commercial contracts. But two Hawaii statutes do reach the vendor relationship directly. A business may satisfy its records-destruction duty by exercising due diligence and entering a written contract with a records-destruction vendor — and thereafter monitoring the vendor's compliance [^vendor-disposal-contract]. And a vendor that maintains or possesses Hawaii residents' personal information it does not own must notify the data's owner or licensee of any security breach *immediately* following discovery [^vendor-breach-notify] — a faster trigger than the without-unreasonable-delay clock that applies to resident notice.
+
+Build vendor terms around those two state hooks plus the sectoral overlay. The records-destruction chapter also regulates the vendor side directly: a disposal business operating in Hawaii must itself take reasonable measures — policies, procedures, and compliance monitoring — protecting personal information during and after collection, transportation, and disposal [^vendor-disposal-business]. On the federal side, the GLBA Safeguards Rule requires financial institutions to oversee service providers — selecting and retaining providers capable of maintaining appropriate safeguards, requiring them by contract to implement and maintain such safeguards, and periodically assessing them [^vendor-glba-safeguards] — and the HIPAA business-associate contract must establish the permitted and required uses and disclosures of protected health information and bind the business associate to appropriate safeguards, breach reporting back to the covered entity, and flow-down of the same restrictions to its subcontractors [^vendor-hipaa-baa]. Outside those verticals, carry the same protections forward as a matter of best practice — processing limited to documented instructions, confidentiality, reasonable security, prompt breach notification back to your business, and return or destruction of data at the end of the engagement — because while no Hawaii statute compels a general DPA, the breach-notice and destruction duties above land on you regardless of what the vendor contract says.
+
+## Do Hawaii residents have rights to access, delete, or opt out? {#consumer-rights}
+
+**Short answer.** No. Hawaii law gives consumers no general rights to access, correct, delete, or port their personal data, no right to opt out of its sale or of targeted advertising, and no duty on businesses to honor universal opt-out signals such as Global Privacy Control. The disclosure Hawaii law does guarantee residents is breach notice: a business that owns or licenses a Hawaii resident's personal information must notify that person of a security breach [^rights-breach-notice]. The closest thing to a state-law handling restriction is the social security number chapter — for example, a business may not require an individual to transmit an entire social security number over the internet unless the connection is secure or the number is encrypted [^rights-ssn-internet].
+
+The data rights a Hawaii resident does hold come from federal sectoral law, where applicable. A GLBA financial institution must give consumers the opportunity to opt out before their nonpublic personal information is disclosed to nonaffiliated third parties [^rights-glba-optout]. Under COPPA, a parent can refuse to permit an operator's further use, maintenance, or future collection of a child's personal information [^rights-coppa-parental]. And a HIPAA covered entity must tell individuals, in its notice of privacy practices, about their rights to inspect and copy, to amend, and to receive an accounting of disclosures of their protected health information [^rights-hipaa-access]. Two practical notes round this out. First, a business serving customers in more than one state should assess the privacy laws of those other states separately — those laws operate on their own terms, and Hawaii law does not decide what they require. Second, if your published privacy policy promises access or deletion choices, honoring them stops being optional: a promise you do not keep is exposed as a deceptive practice under FTC Act § 5 and HRS § 480-2, covered in the privacy-policy section above.
+
+## When must you notify people of a data breach in Hawaii? {#breach-notification}
+
+**Short answer.** Without unreasonable delay. A business that owns or licenses Hawaii residents' personal information — in any form, computerized, paper, or otherwise — must notify each affected person after discovering a security breach, and the notification must be made without unreasonable delay, consistent with the legitimate needs of law enforcement and with measures necessary to determine contact information and the scope of the breach and to restore the data system's integrity [^breach-duty-timing]. The trigger has a harm screen built in: a *security breach* is unauthorized access to and acquisition of unencrypted or unredacted records where illegal use of the personal information has occurred or is reasonably likely to occur and creates a risk of harm — and encrypted data joins the definition only when the key is compromised too [^breach-def]. There is no fixed day-count deadline for private businesses.
+
+Three features of Hawaii's statute deserve particular attention. First, it reaches paper records, not just computerized data — the covered-information clause says *in any form (whether computerized, paper, or otherwise)*, so a misdirected box of files can trigger the same duty as a hacked database [^breach-duty-timing]. Second, the statute prescribes notice contents: the notice must be clear and conspicuous and must describe the incident in general terms, the type of personal information involved, what the business has done to prevent further unauthorized access, a phone number for further information if one exists, and advice to stay vigilant by reviewing account statements and monitoring free credit reports [^breach-content]. Third, compliance cannot be contracted away — any waiver of the section is void and unenforceable as contrary to public policy [^breach-waiver].
+
+*Personal information* means a name combined with an unencrypted social security number, driver's license or Hawaii ID number, or a financial-account or card number with its access code or password [^breach-personal-info] — the definition does not include medical, biometric, or online-credential elements. Notice may be written, by email where the person has agreed to electronic communications, or telephonic, with substitute notice (email, conspicuous website posting, and statewide media) available when notice would cost over $100,000, the affected class exceeds two hundred thousand, or contact information is insufficient [^breach-methods]. When a single notification round goes to more than one thousand persons, the business must also notify Hawaii's Office of Consumer Protection and the nationwide consumer reporting agencies in writing of the timing, distribution, and content of the notice [^breach-ocp-cra]. One off-ramp: financial institutions following the federal interagency breach guidance and HIPAA-compliant health plans and providers are deemed compliant with the section [^breach-deemed].
+
+## Can a consumer sue your business in Hawaii over privacy? {#consumer-lawsuit}
+
+**Short answer.** Yes — through more than one route. HRS § 487N-3(b) makes a business that violates any provision of the breach chapter liable to the injured party for the actual damages sustained as a result of the violation, with the court able to award reasonable attorneys' fees to the prevailing party [^suit-487n3-private]. On top of that, the chapter carries public enforcement: penalties of up to $2,500 for each violation, in actions brought by the attorney general or the executive director of the Office of Consumer Protection [^suit-487n3-penalty]. And Hawaii's UDAP law adds a second private track — a consumer injured by an unfair or deceptive practice may sue and recover not less than $1,000 or threefold the damages sustained, whichever is greater, plus reasonable attorney's fees and costs [^suit-480-13-treble].
+
+The same enforcement architecture repeats across Hawaii's sectoral privacy statutes. The social security number chapter and the records-destruction chapter each carry the identical pairing — a public penalty of up to $2,500 per violation, in actions by the attorney general or the executive director of the Office of Consumer Protection [^suit-487j3-penalty] [^suit-487r3-penalty], plus a private action for actual damages with possible fee awards [^suit-487j3-private] [^suit-487r3-private] — so mishandling SSNs or sloppy records disposal creates the same dual exposure as a botched breach response. All three chapters provide that no such action may be brought against a government agency [^suit-487n3-penalty] [^suit-487j3-penalty] [^suit-487r3-penalty].
+
+The UDAP track has its own contours. Standing on the deceptive-practices side is limited: only a consumer, the attorney general, or the director of the Office of Consumer Protection may sue over unfair or deceptive acts or practices [^suit-480-2-standing] — so business-to-business plaintiffs must frame claims differently. Public UDAP enforcement is backed by civil penalties of not less than $500 and not more than $10,000 per violation, collected in actions brought by the attorney general or the Office of Consumer Protection [^suit-480-3-1-penalty], and a violation directed at an elder — a consumer sixty-two or older — can draw an additional civil penalty of up to $10,000 per violation [^suit-480-13-5-elder]. The operational takeaway: even without an omnibus privacy act, a Hawaii privacy failure can produce a private damages suit under the breach chapter, a consumer treble-damages suit under chapter 480, and stacked public penalties — so breach-response discipline and accurate privacy statements are where Hawaii exposure is actually managed.
+
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-12. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Hawaii. This article synthesizes Hawaii primary law and is not legal advice from a Hawaii-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+
+[^law-breach-duty]: **HRS § 487N-2** — "Any business that owns or licenses personal information of residents of Hawaii, any business that conducts business in Hawaii that owns or licenses personal information in any form (whether computerized, paper, or otherwise), or any government agency that collects personal information for specific government purposes shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach." *Haw. Rev. Stat. § 487N-2(a).* <https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487N/HRS_0487N-0002.htm>
+
+[^law-ssn]: **HRS § 487J-2** — "Except as otherwise provided in subsection (b), a business or government agency may not do any of the following: (1) Intentionally communicate or otherwise make available to the general public an individual's entire social security number;" *Haw. Rev. Stat. § 487J-2(a).* <https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487J/HRS_0487J-0002.htm>
+
+[^law-disposal]: **HRS § 487R-2** — "Any business or government agency that conducts business in Hawaii and any business or government agency that maintains or otherwise possesses personal information of a resident of Hawaii shall take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal." *Haw. Rev. Stat. § 487R-2(a).* <https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487R/HRS_0487R-0002.htm>
+
+[^law-udap]: **HRS § 480-2** — "Unfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce are unlawful." *Haw. Rev. Stat. § 480-2(a).* <https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0480/HRS_0480-0002.htm>
+
+[^law-business-def]: **HRS § 487N-1** — "‘Business’ means a sole proprietorship, partnership, corporation, association, or other group, however organized, and whether or not organized to operate at a profit." *Haw. Rev. Stat. § 487N-1.* <https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487N/HRS_0487N-0001.htm>
+
+[^q1-ftc5]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>
+
+[^q1-glba]: **GLBA privacy-notice obligation** — "Except as otherwise provided in this subchapter, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title." *15 U.S.C. § 6802(a).* <https://www.law.cornell.edu/uscode/text/15/6802#:~:text=Except%20as%20otherwise%20provided%20in,section%206803%20of%20this%20title.>
+
+[^q1-hipaa]: **HIPAA Notice of Privacy Practices** — "an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information" *45 C.F.R. § 164.520(a)(1).* <https://www.law.cornell.edu/cfr/text/45/164.520#:~:text=an%20individual%20has%20a%20right,respect%20to%20protected%20health%20information>
+
+[^q1-coppa]: **COPPA prohibition** — "It is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under subsection (b)." *15 U.S.C. § 6502(a)(1).* <https://www.law.cornell.edu/uscode/text/15/6502#:~:text=It%20is%20unlawful%20for%20an,regulations%20prescribed%20under%20subsection%20(b).>
+
+[^policy-ftc5]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>
+
+[^policy-udap-ftc-guide]: **HRS § 480-2** — "In construing this section, the courts and the office of consumer protection shall give due consideration to the rules, regulations, and decisions of the Federal Trade Commission and the federal courts interpreting section 5(a)(1) of the Federal Trade Commission Act (15 U.S.C. 45(a)(1)), as from time to time amended." *Haw. Rev. Stat. § 480-2(b).* <https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0480/HRS_0480-0002.htm>
+
+[^policy-hipaa-notice]: **HIPAA Notice of Privacy Practices** — "an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information" *45 C.F.R. § 164.520(a)(1).* <https://www.law.cornell.edu/cfr/text/45/164.520#:~:text=an%20individual%20has%20a%20right,respect%20to%20protected%20health%20information>
+
+[^policy-glba-notice]: **GLBA privacy-notice obligation** — "Except as otherwise provided in this subchapter, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title." *15 U.S.C. § 6802(a).* <https://www.law.cornell.edu/uscode/text/15/6802#:~:text=Except%20as%20otherwise%20provided%20in,section%206803%20of%20this%20title.>
+
+[^policy-coppa-notice]: **COPPA notice requirement** — "require the operator of any website or online service directed to children that collects personal information from children or the operator of a website or online service that has actual knowledge that it is collecting personal information from a child— (i) to provide notice on the website of what information is collected from children by the operator, how the operator uses such information, and the operator’s disclosure practices for such information" *15 U.S.C. § 6502(b)(1)(A)(i).* <https://www.law.cornell.edu/uscode/text/15/6502#:~:text=require%20the%20operator%20of%20any,disclosure%20practices%20for%20such%20information>
+
+[^vendor-disposal-contract]: **HRS § 487R-2** — "A business or government agency may satisfy its obligation hereunder by exercising due diligence and entering into a written contract with, and thereafter monitoring compliance by, another party engaged in the business of records destruction to destroy personal information in a manner consistent with this section." *Haw. Rev. Stat. § 487R-2(c).* <https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487R/HRS_0487R-0002.htm>
+
+[^vendor-breach-notify]: **HRS § 487N-2** — "Any business located in Hawaii or any business that conducts business in Hawaii that maintains or possesses records or data containing personal information of residents of Hawaii that the business does not own or license, or any government agency that maintains or possesses records or data containing personal information of residents of Hawaii shall notify the owner or licensee of the information of any security breach immediately following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in subsection (c)." *Haw. Rev. Stat. § 487N-2(b).* <https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487N/HRS_0487N-0002.htm>
+
+[^vendor-disposal-business]: **HRS § 487R-2** — "A disposal business that conducts business in Hawaii or disposes of personal information of residents of Hawaii shall take reasonable measures to dispose of records containing personal information by implementing and monitoring compliance with policies and procedures that protect against unauthorized access to, or use of, personal information during or after the collection, transportation, and disposing of such information." *Haw. Rev. Stat. § 487R-2(d).* <https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487R/HRS_0487R-0002.htm>
+
+[^vendor-glba-safeguards]: **GLBA Safeguards Rule** — "Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; (2) Requiring your service providers by contract to implement and maintain such safeguards; and (3) Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards." *16 C.F.R. § 314.4(f).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Oversee%20service%20providers%2C%20by%3A%20(1),continued%20adequacy%20of%20their%20safeguards.>
+
+[^vendor-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information;" *45 C.F.R. § 164.504(e)(2).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,with%20respect%20to%20such%20information%3B>
+
+[^rights-breach-notice]: **HRS § 487N-2** — "Any business that owns or licenses personal information of residents of Hawaii, any business that conducts business in Hawaii that owns or licenses personal information in any form (whether computerized, paper, or otherwise), or any government agency that collects personal information for specific government purposes shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach." *Haw. Rev. Stat. § 487N-2(a).* <https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487N/HRS_0487N-0002.htm>
+
+[^rights-ssn-internet]: **HRS § 487J-2** — "Require an individual to transmit the individual's entire social security number over the Internet, unless the connection is secure or the social security number is encrypted." *Haw. Rev. Stat. § 487J-2(a)(3).* <https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487J/HRS_0487J-0002.htm>
+
+[^rights-glba-optout]: **GLBA opt-out** — "A financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless— (A) such financial institution clearly and conspicuously discloses to the consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 6804 of this title, that such information may be disclosed to such third party; (B) the consumer is given the opportunity, before the time that such information is initially disclosed, to direct that such information not be disclosed to such third party; and (C) the consumer is given an explanation of how the consumer can exercise that nondisclosure option." *15 U.S.C. § 6802(b)(1).* <https://www.law.cornell.edu/uscode/text/15/6802#:~:text=A%20financial%20institution%20may%20not%20disclose,can%20exercise%20that%20nondisclosure%20option.>
+
+[^rights-coppa-parental]: **COPPA parental rights** — "the opportunity at any time to refuse to permit the operator’s further use or maintenance in retrievable form, or future online collection, of personal information from that child" *15 U.S.C. § 6502(b)(1)(B)(ii).* <https://www.law.cornell.edu/uscode/text/15/6502#:~:text=the%20opportunity%20at%20any%20time,personal%20information%20from%20that%20child>
+
+[^rights-hipaa-access]: **HIPAA individual rights in the privacy notice** — "The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows: (A) The right to request restrictions on certain uses and disclosures of protected health information as provided by § 164.522(a), including a statement that the covered entity is not required to agree to a requested restriction, except in case of a disclosure restricted under § 164.522(a)(1)(vi); (B) The right to receive confidential communications of protected health information as provided by § 164.522(b), as applicable; (C) The right to inspect and copy protected health information as provided by § 164.524; (D) The right to amend protected health information as provided by § 164.526; (E) The right to receive an accounting of disclosures of protected health information as provided by § 164.528;" *45 C.F.R. § 164.520(b)(1)(iv).* <https://www.law.cornell.edu/cfr/text/45/164.520#:~:text=The%20notice%20must%20contain%20a,as%20provided%20by%20%C2%A7%20164.528%3B>
+
+[^breach-duty-timing]: **HRS § 487N-2** — "Any business that owns or licenses personal information of residents of Hawaii, any business that conducts business in Hawaii that owns or licenses personal information in any form (whether computerized, paper, or otherwise), or any government agency that collects personal information for specific government purposes shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach. The disclosure notification shall be made without unreasonable delay, consistent with the legitimate needs of law enforcement as provided in subsection (c) of this section, and consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data system." *Haw. Rev. Stat. § 487N-2(a).* <https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487N/HRS_0487N-0002.htm>
+
+[^breach-def]: **HRS § 487N-1** — "‘Security breach’ means an incident of unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information where illegal use of the personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person. Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key constitutes a security breach." *Haw. Rev. Stat. § 487N-1.* <https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487N/HRS_0487N-0001.htm>
+
+[^breach-content]: **HRS § 487N-2** — "The notice shall be clear and conspicuous. The notice shall include a description of the following: (1) The incident in general terms; (2) The type of personal information that was subject to the unauthorized access and acquisition; (3) The general acts of the business or government agency to protect the personal information from further unauthorized access; (4) A telephone number that the person may call for further information and assistance, if one exists; and (5) Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports." *Haw. Rev. Stat. § 487N-2(d).* <https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487N/HRS_0487N-0002.htm>
+
+[^breach-waiver]: **HRS § 487N-2** — "Any waiver of the provisions of this section is contrary to public policy and is void and unenforceable." *Haw. Rev. Stat. § 487N-2(h).* <https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487N/HRS_0487N-0002.htm>
+
+[^breach-personal-info]: **HRS § 487N-1** — "‘Personal information’ means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number; (2) Driver's license number or Hawaii identification card number; or (3) Account number, credit or debit card number, access code, or password that would permit access to an individual's financial account." *Haw. Rev. Stat. § 487N-1.* <https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487N/HRS_0487N-0001.htm>
+
+[^breach-methods]: **HRS § 487N-2** — "For purposes of this section, notice to affected persons may be provided by one of the following methods: (1) Written notice to the last available address the business or government agency has on record; (2) Electronic mail notice, for those persons for whom a business or government agency has a valid electronic mail address and who have agreed to receive communications electronically if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing set forth in 15 U.S.C. section 7001; (3) Telephonic notice, provided that contact is made directly with the affected persons; and (4) Substitute notice, if the business or government agency demonstrates that the cost of providing notice would exceed $100,000 or that the affected class of subject persons to be notified exceeds two hundred thousand, or if the business or government agency does not have sufficient contact information or consent to satisfy paragraph (1), (2), or (3), for only those affected persons without sufficient contact information or consent, or if the business or government agency is unable to identify particular affected persons, for only those unidentifiable affected persons." *Haw. Rev. Stat. § 487N-2(e).* <https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487N/HRS_0487N-0002.htm>
+
+[^breach-ocp-cra]: **HRS § 487N-2** — "In the event a business provides notice to more than one thousand persons at one time pursuant to this section, the business shall notify in writing, without unreasonable delay, the State of Hawaii's office of consumer protection and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. section 1681a(p), of the timing, distribution, and content of the notice." *Haw. Rev. Stat. § 487N-2(f).* <https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487N/HRS_0487N-0002.htm>
+
+[^breach-deemed]: **HRS § 487N-2** — "The following businesses shall be deemed to be in compliance with this section: (1) A financial institution that is subject to the federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice published in the Federal Register on March 29, 2005, by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision, or subject to 12 C.F.R. Part 748, and any revisions, additions, or substitutions relating to the interagency guidance; and (2) Any health plan or healthcare provider that is subject to and in compliance with the standards for privacy or individually identifiable health information and the security standards for the protection of electronic health information of the Health Insurance Portability and Accountability Act of 1996." *Haw. Rev. Stat. § 487N-2(g).* <https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487N/HRS_0487N-0002.htm>
+
+[^suit-487n3-private]: **HRS § 487N-3** — "In addition to any penalty provided for in subsection (a), any business that violates any provision of this chapter shall be liable to the injured party in an amount equal to the sum of any actual damages sustained by the injured party as a result of the violation. The court in any action brought under this section may award reasonable attorneys' fees to the prevailing party." *Haw. Rev. Stat. § 487N-3(b).* <https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487N/HRS_0487N-0003.htm>
+
+[^suit-487n3-penalty]: **HRS § 487N-3** — "Any business that violates any provision of this chapter shall be subject to penalties of not more than $2,500 for each violation. The attorney general or the executive director of the office of consumer protection may bring an action pursuant to this section. No such action may be brought against a government agency." *Haw. Rev. Stat. § 487N-3(a).* <https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487N/HRS_0487N-0003.htm>
+
+[^suit-480-13-treble]: **HRS § 480-13** — "Any consumer who is injured by any unfair or deceptive act or practice forbidden or declared unlawful by section 480-2: (1) May sue for damages sustained by the consumer, and, if the judgment is for the plaintiff, the plaintiff shall be awarded a sum not less than $1,000 or threefold damages by the plaintiff sustained, whichever sum is the greater, and reasonable attorney's fees together with the costs of suit;" *Haw. Rev. Stat. § 480-13(b)(1).* <https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0480/HRS_0480-0013.htm>
+
+[^suit-487j3-penalty]: **HRS § 487J-3** — "Any business that violates any provision of this chapter shall be subject to penalties of not more than $2,500 for each violation. The attorney general or the executive director of the office of consumer protection may bring an action pursuant to this section. No such action may be brought against a government agency." *Haw. Rev. Stat. § 487J-3(a).* <https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487J/HRS_0487J-0003.htm>
+
+[^suit-487r3-penalty]: **HRS § 487R-3** — "Any business that violates any provision of this chapter shall be subject to penalties of not more than $2,500 for each violation. The attorney general or the executive director of the office of consumer protection may bring an action pursuant to this section. No such action may be brought against a government agency." *Haw. Rev. Stat. § 487R-3(a).* <https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487R/HRS_0487R-0003.htm>
+
+[^suit-487j3-private]: **HRS § 487J-3** — "In addition to any penalty provided for in subsection (a), any business that violates any provision of this chapter shall be liable to the injured party in an amount equal to the sum of any actual damages sustained by the injured party as a result of the violation. The court in any action brought under this section may award reasonable attorneys' fees to the prevailing party." *Haw. Rev. Stat. § 487J-3(b).* <https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487J/HRS_0487J-0003.htm>
+
+[^suit-487r3-private]: **HRS § 487R-3** — "In addition to any penalty provided for in subsection (a), any business that violates any provision of this chapter shall be liable to the injured party in an amount equal to the sum of any actual damages sustained by the injured party as a result of the violation. The court in any action brought under this section may award reasonable attorneys' fees to the prevailing party." *Haw. Rev. Stat. § 487R-3(b).* <https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487R/HRS_0487R-0003.htm>
+
+[^suit-480-2-standing]: **HRS § 480-2** — "No person other than a consumer, the attorney general or the director of the office of consumer protection may bring an action based upon unfair or deceptive acts or practices declared unlawful by this section." *Haw. Rev. Stat. § 480-2(d).* <https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0480/HRS_0480-0002.htm>
+
+[^suit-480-3-1-penalty]: **HRS § 480-3.1** — "Any person, firm, company, association, or corporation violating any of the provisions of section 480-2 shall be fined a sum of not less than $500 nor more than $10,000 for each violation, which sum shall be collected in a civil action brought by the attorney general or the director of the office of consumer protection on behalf of the State." *Haw. Rev. Stat. § 480-3.1.* <https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0480/HRS_0480-0003_0001.htm>
+
+[^suit-480-13-5-elder]: **HRS § 480-13.5** — "If a person commits a violation under section 480-2 which is directed toward, targets, or injures an elder, a court, in addition to any other civil penalty, may impose a civil penalty not to exceed $10,000 for each violation." *Haw. Rev. Stat. § 480-13.5(a).* <https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0480/HRS_0480-0013_0005.htm>

package/skills/legal-explainers/data-privacy-law-explainer/content/idaho.md

@@ -0,0 +1,149 @@
+---
+jurisdiction: "Idaho"
+slug: idaho
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-11"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/idaho
+license: CC BY 4.0
+stale: false
+---
+
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/idaho · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+
+# Idaho Consumer Privacy Law[^about]
+
+Idaho has no comprehensive consumer-privacy statute. The operative state framework is the data-breach notification provisions of Idaho Code §§ 28-51-104 to 28-51-107 plus the Idaho Consumer Protection Act as the deception hook, layered under the federal overlay (FTC Act § 5, GLBA, HIPAA, COPPA) — with two narrow new laws (social-media minors, conversational AI) arriving July 2026 and July 2027.
+
+
+## At a glance
+
+| Question | Idaho |
+| --- | --- |
+| **Law coverage** | No comprehensive law |
+| **Summary** | Idaho has not enacted a comprehensive consumer-privacy law, so there are no general data-rights, notice-at-collection, consent, or processor-contract duties under state law. The operative state statutes are the breach-notification provisions in the identity-theft chapter — a misuse-triggered notice duty with no day-count deadline and no regulator notice for private businesses — and the Idaho Consumer Protection Act, which makes a privacy policy you publish but do not follow a deceptive practice. Build to the federal overlay (FTC Act § 5, GLBA, HIPAA, COPPA) and the breach statute, and watch two narrow 2026 enactments, one on social-media minors and one on conversational AI. |
+| **Main law** | Idaho Code §§ 28-51-104 to 28-51-107 (data-breach notification) plus the Idaho Consumer Protection Act, Idaho Code § 48-601 et seq. — Idaho has no comprehensive consumer-privacy statute |
+| **Privacy policy required?** | No Idaho statute requires a consumer privacy policy or fixes its contents; the binding constraints are FTC Act § 5 and the Idaho Consumer Protection Act's ban on misleading or deceptive practices, plus GLBA, HIPAA, and COPPA where the business is in scope |
+| **Who does it cover?** | Any agency, individual, or commercial entity (for profit or not) that conducts business in Idaho and owns or licenses computerized personal information about Idaho residents; no revenue or consumer-volume threshold |
+| **Can consumers sue?** | Limited path |
+| **Privacy policy rule** | No state policy checklist |
+| **Consent for sensitive data?** | No special rule |
+| **Browser opt-out signals?** | Not required |
+| **Lawsuit detail** | Not under the breach statute — enforcement runs through each entity's primary regulator; the Idaho Consumer Protection Act gives purchasers a private action for actual damages or $1,000 (Idaho Code § 48-608), with narrow 2026 sectoral enactments to track separately |
+| **Who enforces it?** | Idaho Attorney General (the primary regulator for most businesses; the Department of Finance and Department of Insurance for their licensees) |
+
+## Which privacy laws apply to your business in Idaho? {#which-privacy-laws-apply}
+
+**Short answer.** There is no comprehensive Idaho consumer-privacy law. The operative state framework has two pieces. First, the breach-notification provisions of the identity-theft chapter apply to any city, county, or state agency, individual, or commercial entity that conducts business in Idaho and owns or licenses computerized data that includes personal information about an Idaho resident [^breach-duty-scope] — *commercial entity* sweeps in essentially every legal entity, for profit or not [^commercial-entity-def], and there is no revenue or volume threshold. Second, the Idaho Consumer Protection Act (ICPA) bans, among other listed practices, engaging in any act or practice that is otherwise misleading, false, or deceptive to the consumer — the hook that reaches privacy misrepresentations [^icpa-catchall].
+
+Idaho has not enacted an omnibus privacy statute of the kind now common in other states, so Idaho residents have no general state-law rights to access, delete, or correct their personal data or to opt out of its sale, and businesses face no state notice-at-collection, consent, data-protection-assessment, or processor-contract duties. The breach statute governs incident response; the ICPA governs what you tell consumers. The rest of an Idaho-facing privacy program rides the federal overlay: Section 5 of the FTC Act reaches deceptive or unfair privacy practices nationwide, the Gramm-Leach-Bliley Act governs financial institutions, HIPAA governs covered health entities and their business associates, and the Children's Online Privacy Protection Act governs services directed to children under 13.
+
+Around that spine, Idaho legislates by sector and by harm rather than by data inventory. Recent examples include payment-card receipt truncation, an age-verification law for adult sites with a ban on retaining identifying information, genetic-testing restrictions on employers, license-plate-reader limits for government agencies, and mortgage trigger-lead disclosure rules — none of which imposes general data-handling duties on a typical business.
+
+Two 2026 enactments deserve a calendar entry: the Stop Harms from Addictive Social Media Act (House Bill 542, 2026 Session Laws chapter 268) and the Conversational AI Safety Act (Senate Bill 1297, 2026 Session Laws chapter 249). Treat both as narrow sectoral watchlist items, not as an omnibus privacy regime. *Open codification question:* both acts were designated as a new chapter 21 of title 48, Idaho Code, with overlapping section numbers, so until the code commission resolves the collision in the July 2026 compilation, cite these laws by session-law chapter rather than by a section number in chapter 21.
+
+## What must your Idaho privacy policy contain? {#privacy-policy-contents}
+
+**Short answer.** No Idaho statute requires a general consumer privacy policy or fixes what it must say. The binding rule is that whatever you publish has to be true. Under Section 5 of the FTC Act, unfair or deceptive acts or practices in or affecting commerce are unlawful [^ftc5-deceptive], and the Idaho Consumer Protection Act separately declares unlawful any act or practice that is otherwise misleading, false, or deceptive to the consumer [^icpa-deception-policy] — so a privacy policy that misstates how you actually collect, use, share, retain, or secure data is actionable under both. Where a sectoral regime applies, that regime supplies the contents: a HIPAA covered entity, for example, must give individuals adequate notice of the uses and disclosures of their protected health information and of their rights and the entity's duties [^hipaa-notice], and a GLBA financial institution must deliver a privacy notice before sharing nonpublic personal information with nonaffiliated third parties [^glba-notice].
+
+In practice the Idaho drafting question is less what must be included and more does the policy match actual practice. The ICPA's list of unlawful practices carries a knowledge element — it reaches a person who knows, or in the exercise of due care should know, that a practice is deceptive [^icpa-deception-policy] — which arguably extends to negligently inaccurate policy statements, not just deliberate ones. And unlike the ICPA's private remedy, the Attorney General's enforcement powers carry no purchase-or-lease or ascertainable-loss limit, so public enforcement does not depend on showing that any consumer paid for anything.
+
+Build the policy from the overlay that actually binds you: the GLBA privacy-notice rules if you are a financial institution, the HIPAA Notice of Privacy Practices if you are a covered entity, HIPAA business-associate and security obligations if you are a business associate, a COPPA notice if COPPA applies, and the comprehensive laws of other states whose residents you reach — many of which mandate a posted policy regardless of where your business sits. For everyone else, follow best practice — describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer — and then honor it, because in Idaho the enforceable obligation is consistency between the statement and the conduct.
+
+## What must your contracts with vendors say? {#vendor-contracts}
+
+**Short answer.** Idaho has no data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs. The one vendor-facing duty in Idaho law is a breach-response rule: an entity that maintains computerized personal information it does not own or license must notify and cooperate with the data's owner or licensee immediately following discovery of a breach if misuse of an Idaho resident's information occurred or is reasonably likely to occur [^breach-maintainer-notice].
+
+Where a federal or sectoral regime is in scope, it supplies the contracting obligations: the GLBA Safeguards Rule requires financial institutions to oversee service providers, including by requiring them by contract to implement and maintain appropriate safeguards [^glba-safeguards], and HIPAA business-associate rules require a compliant agreement establishing the permitted uses and disclosures of protected health information [^hipaa-baa]. Outside those verticals, the prudent move is to carry the same protections forward as a matter of best practice — processing limited to documented instructions, confidentiality, reasonable security, breach notification back to your business, and return or deletion of data at the end of the engagement — even though no Idaho statute compels them.
+
+The maintainer-notice rule is worth writing into vendor contracts anyway. The statute requires the vendor to notify the owner immediately and to share information relevant to the breach, but it sets no contractual specifics — so a well-drafted agreement should fix the notice channel, the timeline, and the cooperation duties the statute leaves general, and should allocate who pays for resident notification, since under Idaho law the notice duty to residents stays with the entity that owns or licenses the data.
+
+## Do Idaho residents have rights to access, delete, or opt out? {#consumer-rights}
+
+**Short answer.** No. Idaho law gives consumers no general rights to access, correct, delete, or port their personal data, no right to opt out of its sale or of targeted advertising, and no duty on businesses to honor universal opt-out signals such as Global Privacy Control. The generally applicable Idaho resident-facing disclosure duty is breach notice when the breach statute's trigger is met: if a covered entity's investigation determines that misuse of a resident's personal information has occurred or is reasonably likely, the entity must give that resident notice as soon as possible [^rights-breach-notice].
+
+The rights an Idaho resident does hold come from federal sectoral law, where applicable. A GLBA financial institution must give consumers the opportunity to opt out before their nonpublic personal information is disclosed to nonaffiliated third parties [^glba-optout]. Under COPPA, a parent can refuse to permit an operator's further use, maintenance, or future collection of the child's personal information [^coppa-parental]. HIPAA adds access, amendment, and accounting rights for protected health information, and the FCRA adds access and dispute rights in consumer reports. Residents of other states may also carry their home-state rights into dealings with an Idaho business that meets those statutes' thresholds — the absence of an Idaho law does not insulate an Idaho company from California, Colorado, or Washington requests.
+
+One narrow set of state-law rights is scheduled to arrive under the Stop Harms from Addictive Social Media Act (2026 Session Laws chapter 268), but it is a sectoral social-media minors law, not a general access, deletion, or opt-out regime. Track that act separately before treating it as an operational consumer-rights workflow.
+
+## When must you notify people of a data breach in Idaho? {#breach-notification}
+
+**Short answer.** When your investigation shows misuse — not merely access. An entity that becomes aware of a breach must conduct a good-faith, reasonable, and prompt investigation into the likelihood of misuse; if the investigation determines that misuse of an Idaho resident's information has occurred or is reasonably likely to occur, notice must go to the affected resident in the most expedient time possible and without unreasonable delay [^breach-trigger-timing]. A reportable breach is the illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information [^breach-def] — so encryption is a built-in safe harbor. There is no day-count deadline and no statutory notice-content checklist.
+
+Be precise about who owes notice to whom, because Idaho splits the regulator-notice duty by entity type. A government *agency* that becomes aware of a breach must notify the office of the Idaho Attorney General within twenty-four hours of discovery [^breach-agency-ag-notice]. A private business owes no notice to the Attorney General or any other state regulator at any threshold — Idaho is one of the few states where a commercial breach never has to be reported to a state agency; the only mandatory recipients are the affected residents themselves (and the data's owner, if you are a vendor holding someone else's data). Notice may be written, telephonic, or electronic, with substitute notice (email plus website posting plus statewide media) available when costs would exceed $25,000, more than 50,000 residents are affected, or contact information is insufficient [^breach-notice-methods], and notice may be delayed at law enforcement's request [^breach-law-enforcement-delay].
+
+*Personal information* is also narrower than in modern statutes: a resident's name combined with an unencrypted Social Security number, driver's license or Idaho ID number, or a financial-account or card number with its access code [^breach-personal-info] — no medical, biometric, health-insurance, or online-credential elements. Two compliance off-ramps round out the scheme: an entity that follows its own information-security-policy notice procedures consistent with the statute's timing is deemed compliant, and an entity regulated by state or federal law that follows its primary or functional regulator's breach procedures is likewise deemed compliant [^breach-safe-harbor] — which effectively lets GLBA- and HIPAA-regulated businesses run their federal playbooks. The cost of getting it wrong is concentrated on concealment: an entity that intentionally fails to give notice faces a fine of up to $25,000 per breach, enforceable by its primary regulator — the Attorney General for most businesses [^breach-fine].
+
+## Can a consumer sue your business in Idaho over privacy? {#consumer-lawsuit}
+
+**Short answer.** Not under the breach statute — that chapter creates no private right of action. Enforcement belongs to each entity's primary regulator, which may bring a civil action to enforce compliance and enjoin further violations when it believes an entity failed to give required notice [^breach-enforcement]; for businesses not overseen by the Department of Finance, the Department of Insurance, or a federal regulator, that primary regulator is the Attorney General [^primary-regulator-def]. The consumer's route is the Idaho Consumer Protection Act: a person who purchases or leases goods or services and suffers an ascertainable loss from a deceptive practice — which can include a privacy promise the business did not keep — may sue for actual damages or $1,000, whichever is greater [^icpa-pra].
+
+The ICPA action comes with real teeth and real limits. A prevailing plaintiff recovers mandatory attorney's fees [^icpa-fees], courts may award punitive damages for repeated or flagrant violations, and an elderly (62 or older) or disabled plaintiff who proves an enumerated severe loss adds an enhanced penalty of $15,000 or treble actual damages [^icpa-elderly]. But standing requires a purchase or lease plus ascertainable loss — whether a user of a free, ad-supported service can satisfy that is untested in Idaho appellate case law — and class actions are largely defanged: the statute caps a class's statutory recovery at $1,000 total for the class [^icpa-pra], leaving only actual damages (hard to prove in privacy cases) uncapped.
+
+Public enforcement faces none of those limits. The Attorney General may sue for injunctions, consumer restitution, and civil penalties of up to $5,000 per violation plus expenses, investigative costs, and attorney's fees [^icpa-ag-penalties] — and must ordinarily first give the target written notice and an opportunity to execute an assurance of voluntary compliance or consent judgment [^icpa-avc], Idaho's nearest analog to a cure period. Two narrower sectoral remedies round out the picture. A merchant that prints more than the last five digits of a payment-card number or prints the expiration date on a receipt faces civil penalties; the cardholder's personal action is expressly keyed to a receipt that printed the payment-card number and the prosecuting attorney's failure to act within sixty days [^card-receipt-action]. And the 2026 social-media minors and conversational-AI enactments should be tracked as narrow sectoral remedy changes, not as general consumer-privacy causes of action.
+
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-11. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Idaho. This article synthesizes Idaho primary law and is not legal advice from a Idaho-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+
+[^breach-duty-scope]: **Idaho Code § 28-51-105** — "A city, county or state agency, individual or a commercial entity that conducts business in Idaho and that owns or licenses computerized data that includes personal information about a resident of Idaho shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused." *Idaho Code § 28-51-105(1).* <https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-105/>
+
+[^commercial-entity-def]: **Idaho Code § 28-51-104** — "‘Commercial entity’ includes corporation, business trust, estate, trust, partnership, limited partnership, limited liability partnership, limited liability company, association, organization, joint venture and any other legal entity, whether for profit or not-for-profit." *Idaho Code § 28-51-104(3).* <https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-104/>
+
+[^icpa-catchall]: **Idaho Code § 48-603** — "Engaging in any act or practice that is otherwise misleading, false, or deceptive to the consumer" *Idaho Code § 48-603(17).* <https://legislature.idaho.gov/statutesrules/idstat/Title48/T48CH6/SECT48-603/>
+
+[^ftc5-deceptive]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>
+
+[^icpa-deception-policy]: **Idaho Code § 48-603** — "The following unfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce are hereby declared to be unlawful, where a person knows, or in the exercise of due care should know, that he has in the past, or is: (1) Passing off goods or services as those of another; (2) Causing likelihood of confusion or of misunderstanding as to the source, sponsorship, approval, or certification of goods or services; (3) Causing likelihood of confusion or of misunderstanding as to affiliation, connection, or association with, or certification by, another; (4) Using deceptive representations or designations of geographic origin in connection with goods or services; (5) Representing that goods or services have sponsorship, approval, characteristics, ingredients, uses, benefits, or quantities that they do not have or that a person has a sponsorship, approval, status, affiliation, connection, qualifications or license that he does not have; (6) Representing that goods are original or new if they are deteriorated, altered, reconditioned, reclaimed, used, or secondhand; (7) Representing that goods or services are of a particular standard, quality, or grade, or that goods are of a particular style or model, if they are of another; (8) Disparaging the goods, services, or business of another by false or misleading representation of fact; (9) Advertising goods or services with intent not to sell them as advertised; (10) Advertising goods or services with intent not to supply reasonably expectable public demand, unless the advertisement discloses a limitation of quantity; (11) Making false or misleading statements of fact concerning the reasons for, existence of, or amounts of price reductions; (12) Obtaining the signature of the buyer to a contract when it contains blank spaces to be filled in after it has been signed; (13) Failing to deliver to the consumer at the time of the consumer’s signature a legible copy of the contract or of any other document that the seller or lender has required or requested the buyer to sign, and that he has signed, during or after the contract negotiation; (14) Making false or misleading statements of fact concerning the age, extent of use, or mileage of any goods; (15) Promising or offering to pay, credit or allow to any buyer or lessee any compensation or reward in consideration of his giving to the seller or lessor the names of prospective purchasers or lessees, or otherwise aiding the seller or lessor in making a sale or lease to another person, if the earning of the rebate, discount or other value is contingent upon the occurrence of an event subsequent to the time the buyer or lessee agrees to buy or lease; (16) Representing that services, replacements or repairs are needed if they are not needed, or providing services, replacements or repairs that are not needed; (17) Engaging in any act or practice that is otherwise misleading, false, or deceptive to the consumer" *Idaho Code § 48-603.* <https://legislature.idaho.gov/statutesrules/idstat/Title48/T48CH6/SECT48-603/>
+
+[^hipaa-notice]: **HIPAA Notice of Privacy Practices** — "an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information" *45 C.F.R. § 164.520(a)(1).* <https://www.law.cornell.edu/cfr/text/45/164.520#:~:text=an%20individual%20has%20a%20right,respect%20to%20protected%20health%20information>
+
+[^glba-notice]: **GLBA privacy notice** — "a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title." *15 U.S.C. § 6802(a).* <https://www.law.cornell.edu/uscode/text/15/6802#:~:text=a%20financial%20institution%20may%20not%2C,section%206803%20of%20this%20title.>
+
+[^breach-maintainer-notice]: **Idaho Code § 28-51-105** — "An agency, individual or a commercial entity that maintains computerized data that includes personal information that the agency, individual or the commercial entity does not own or license shall give notice to and cooperate with the owner or licensee of the information of any breach of the security of the system immediately following discovery of a breach if misuse of personal information about an Idaho resident occurred or is reasonably likely to occur." *Idaho Code § 28-51-105(2).* <https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-105/>
+
+[^glba-safeguards]: **GLBA Safeguards Rule** — "Requiring your service providers by contract to implement and maintain such safeguards" *16 C.F.R. § 314.4(f)(2).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Requiring%20your%20service%20providers%20by,implement%20and%20maintain%20such%20safeguards>
+
+[^hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate." *45 C.F.R. § 164.504(e)(2).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,information%20by%20the%20business%20associate.>
+
+[^rights-breach-notice]: **Idaho Code § 28-51-105** — "If the investigation determines that the misuse of information about an Idaho resident has occurred or is reasonably likely to occur, the agency, individual or the commercial entity shall give notice as soon as possible to the affected Idaho resident." *Idaho Code § 28-51-105(1).* <https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-105/>
+
+[^glba-optout]: **GLBA opt-out** — "A financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless— (A) such financial institution clearly and conspicuously discloses to the consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 6804 of this title, that such information may be disclosed to such third party; (B) the consumer is given the opportunity, before the time that such information is initially disclosed, to direct that such information not be disclosed to such third party; and (C) the consumer is given an explanation of how the consumer can exercise that nondisclosure option." *15 U.S.C. § 6802(b)(1).* <https://www.law.cornell.edu/uscode/text/15/6802#:~:text=A%20financial%20institution%20may%20not%20disclose,can%20exercise%20that%20nondisclosure%20option.>
+
+[^coppa-parental]: **COPPA parental rights** — "the opportunity at any time to refuse to permit the operator’s further use or maintenance in retrievable form, or future online collection, of personal information from that child" *15 U.S.C. § 6502(b)(1)(B)(ii).* <https://www.law.cornell.edu/uscode/text/15/6502#:~:text=the%20opportunity%20at%20any%20time,personal%20information%20from%20that%20child>
+
+[^breach-trigger-timing]: **Idaho Code § 28-51-105** — "If the investigation determines that the misuse of information about an Idaho resident has occurred or is reasonably likely to occur, the agency, individual or the commercial entity shall give notice as soon as possible to the affected Idaho resident. Notice must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach, to identify the individuals affected, and to restore the reasonable integrity of the computerized data system." *Idaho Code § 28-51-105(1).* <https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-105/>
+
+[^breach-def]: **Idaho Code § 28-51-104** — "‘Breach of the security of the system’ means the illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information for one (1) or more persons maintained by an agency, individual or a commercial entity." *Idaho Code § 28-51-104(2).* <https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-104/>
+
+[^breach-agency-ag-notice]: **Idaho Code § 28-51-105** — "When an agency becomes aware of a breach of the security of the system, it shall, within twenty-four (24) hours of such discovery, notify the office of the Idaho attorney general." *Idaho Code § 28-51-105(1).* <https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-105/>
+
+[^breach-notice-methods]: **Idaho Code § 28-51-104** — "‘Notice’ means: (a) Written notice to the most recent address the agency, individual or commercial entity has in its records; (b) Telephonic notice; (c) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. section 7001; or (d) Substitute notice, if the agency, individual or the commercial entity required to provide notice demonstrates that the cost of providing notice will exceed twenty-five thousand dollars ($25,000), or that the number of Idaho residents to be notified exceeds fifty thousand (50,000), or that the agency, individual or the commercial entity does not have sufficient contact information to provide notice. Substitute notice consists of all of the following: (i) E-mail notice if the agency, individual or the commercial entity has e-mail addresses for the affected Idaho residents; and (ii) Conspicuous posting of the notice on the website page of the agency, individual or the commercial entity if the agency, individual or the commercial entity maintains one; and (iii) Notice to major statewide media." *Idaho Code § 28-51-104(4).* <https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-104/>
+
+[^breach-law-enforcement-delay]: **Idaho Code § 28-51-105** — "Notice required by this section may be delayed if a law enforcement agency advises the agency, individual or commercial entity that the notice will impede a criminal investigation. Notice required by this section must be made in good faith, without unreasonable delay and as soon as possible after the law enforcement agency advises the agency, individual or commercial entity that notification will no longer impede the investigation." *Idaho Code § 28-51-105(3).* <https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-105/>
+
+[^breach-personal-info]: **Idaho Code § 28-51-104** — "‘Personal information’ means an Idaho resident’s first name or first initial and last name in combination with any one (1) or more of the following data elements that relate to the resident, when either the name or the data elements are not encrypted: (a) Social security number; (b) Driver’s license number or Idaho identification card number; or (c) Account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account." *Idaho Code § 28-51-104(5).* <https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-104/>
+
+[^breach-safe-harbor]: **Idaho Code § 28-51-106** — "An agency, individual or a commercial entity that maintains its own notice procedures as part of an information security policy for the treatment of personal information, and whose procedures are otherwise consistent with the timing requirements of section 28-51-105, Idaho Code, is deemed to be in compliance with the notice requirements of section 28-51-105, Idaho Code, if the agency, individual or the commercial entity notifies affected Idaho residents in accordance with its policies in the event of a breach of security of the system. (2) An individual or a commercial entity that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidances, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with section 28-51-105, Idaho Code, if the individual or the commercial entity complies with the maintained procedures when a breach of the security of the system occurs." *Idaho Code § 28-51-106(1)-(2).* <https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-106/>
+
+[^breach-fine]: **Idaho Code § 28-51-107** — "Any agency, individual or commercial entity that intentionally fails to give notice in accordance with section 28-51-105, Idaho Code, shall be subject to a fine of not more than twenty-five thousand dollars ($25,000) per breach of the security of the system." *Idaho Code § 28-51-107.* <https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-107/>
+
+[^breach-enforcement]: **Idaho Code § 28-51-107** — "In any case in which an agency’s, commercial entity’s or individual’s primary regulator has reason to believe that an agency, individual or commercial entity subject to that primary regulator’s jurisdiction under section 28-51-104(6), Idaho Code, has violated section 28-51-105, Idaho Code, by failing to give notice in accordance with that section, the primary regulator may bring a civil action to enforce compliance with that section and enjoin that agency, individual or commercial entity from further violations." *Idaho Code § 28-51-107.* <https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-107/>
+
+[^primary-regulator-def]: **Idaho Code § 28-51-104** — "the primary regulator of a commercial entity or individual licensed by the department of finance is the department of finance, the primary regulator of a commercial entity or individual licensed by the department of insurance is the department of insurance and, for all agencies and all other commercial entities or individuals, the primary regulator is the attorney general." *Idaho Code § 28-51-104(6).* <https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-104/>
+
+[^icpa-pra]: **Idaho Code § 48-608** — "Any person who purchases or leases goods or services and thereby suffers any ascertainable loss of money or property, real or personal, as a result of the use or employment by another person of a method, act or practice declared unlawful by this chapter, may treat any agreement incident thereto as voidable or, in the alternative, may bring an action to recover actual damages or one thousand dollars ($1,000), whichever is the greater; provided, however, that in the case of a class action, the class may bring an action for actual damages or a total for the class that may not exceed one thousand dollars ($1,000), whichever is the greater." *Idaho Code § 48-608(1).* <https://legislature.idaho.gov/statutesrules/idstat/Title48/T48CH6/SECT48-608/>
+
+[^icpa-fees]: **Idaho Code § 48-608** — "In any action brought by a person under this section, the court shall award, in addition to the relief provided in this section, reasonable attorney’s fees to the plaintiff if he prevails." *Idaho Code § 48-608(5).* <https://legislature.idaho.gov/statutesrules/idstat/Title48/T48CH6/SECT48-608/>
+
+[^icpa-elderly]: **Idaho Code § 48-608** — "An elderly person or a disabled person who brings an action under subsection (1) of this section shall, in addition to the remedies available under subsection (1) of this section, recover from the offending party an enhanced penalty of fifteen thousand dollars ($15,000) or treble the actual damages, whichever is greater. (a) In order to recover the enhanced penalty, the court must find that the offending party knew or should have known that his conduct was perpetrated against an elderly or disabled person and that his conduct caused one (1) of the following: (i) Loss or encumbrance of the elderly or disabled person’s primary residence; (ii) Loss of more than twenty-five percent (25%) of the elderly or disabled person’s principal monthly income; (iii) Loss of more than twenty-five percent (25%) of the funds belonging to the elderly or disabled person set aside by the elderly or disabled person for retirement or for personal or family care or maintenance; (iv) Loss of more than twenty-five percent (25%) of the monthly payments that the elderly or disabled person receives under a pension or retirement plan; or (v) Loss of assets essential to the health or welfare of the elderly or disabled person. (b) If the court orders restitution under subsection (1) of this section for a pecuniary or monetary loss suffered by an elderly or disabled person, the court shall require that the restitution be paid by the offending party before he pays the enhanced penalty imposed by this subsection. (c) In this subsection: (i) ‘Disabled person’ means a person who has an impairment of a physical, mental or emotional nature that substantially limits at least one (1) major life activity. (ii) ‘Elderly person’ means a person who is at least sixty-two (62) years of age." *Idaho Code § 48-608(2).* <https://legislature.idaho.gov/statutesrules/idstat/Title48/T48CH6/SECT48-608/>
+
+[^icpa-ag-penalties]: **Idaho Code § 48-606** — "Whenever the attorney general has reason to believe that any person is using, has used, or is about to use any method, act or practice declared by this chapter to be unlawful, and that proceedings would be in the public interest, he may bring an action in the name of the state against such person: (a) To obtain a declaratory judgment that a method, act or practice violates the provisions of this chapter; (b) To enjoin any method, act or practice that violates the provisions of this chapter by issuance of a temporary restraining order or preliminary or permanent injunction, upon the giving of appropriate notice to that person as provided by the Idaho rules of civil procedure; (c) To recover on behalf of consumers actual damages or restitution of money, property or other things received from such consumers in connection with a violation of the provisions of this chapter; (d) To order specific performance by the violator; (e) To recover from the alleged violator civil penalties of up to five thousand dollars ($5,000) per violation for violation of the provisions of this chapter; and (f) To recover from the alleged violator reasonable expenses, investigative costs and attorney’s fees incurred by the attorney general." *Idaho Code § 48-606(1).* <https://legislature.idaho.gov/statutesrules/idstat/Title48/T48CH6/SECT48-606/>
+
+[^icpa-avc]: **Idaho Code § 48-606** — "Unless the attorney general finds in writing that the purposes of this chapter will be substantially and materially impaired by delay in instituting legal proceedings, he shall, before initiating any legal proceedings as provided in this section, give notice in writing that such proceedings are contemplated to the person against whom proceedings are contemplated and allow such person a reasonable opportunity to appear before the attorney general and execute an assurance of voluntary compliance or a consent judgment as in this chapter provided." *Idaho Code § 48-606(3).* <https://legislature.idaho.gov/statutesrules/idstat/Title48/T48CH6/SECT48-606/>
+
+[^card-receipt-action]: **Idaho Code § 28-51-103** — "A merchant who accepts a payment card for the transaction of business may not print more than the last five (5) digits of the payment card’s account number or print the payment card’s expiration date on a receipt provided to the cardholder. This subsection does not apply to a transaction in which the sole means of recording the payment card’s account number or expiration date is by handwriting or by an imprint or copy of the payment card. Effective January 1, 2004, this section applies to all receipts that are electronically printed using a cash register or other machine or device that is first used on or after July 1, 2003. Effective January 1, 2005, this section applies to all receipts that are electronically printed, including those printed using a cash register or other machine or device that is first used before July 1, 2003. (3) A merchant who violates this section shall be subject to a civil penalty of not more than two hundred fifty dollars ($250) for the first violation and one thousand dollars ($1,000) for a second or subsequent violation. An action to recover the civil penalty may be brought by a prosecuting attorney. If the prosecuting attorney does not file an action for such a civil penalty within sixty (60) days from the date the violation is reported by the cardholder whose payment card number was printed on a receipt in violation of this section, the cardholder may file such action." *Idaho Code § 28-51-103(2)-(3).* <https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-103/>