Regulon — HI-SB-2524 · HI SB 2524 (Algorithmic Discrimination)

WHAT THIS BILL REGULATES · 4 REQUIREMENT TYPES

How Is This Bill Enforced

Enforcement Authority

Attorney general enforcement and private right of action. The attorney general may commence civil action when there is reason to believe a violation has occurred or is occurring, and may subpoena witnesses, administer oaths, and compel production of records. Any person aggrieved by a violation may bring a civil action; a violation with respect to an individual constitutes a concrete and particularized injury to that individual.

Private Right of Action

private right of action.

Penalties

AG enforcement: civil penalty up to $10,000 per violation. Private action: not less than $100 and not greater than $10,000 per violation or actual damages, whichever is greater. Court may also award punitive damages, reasonable attorney's fees and litigation costs, and any other relief including equitable or declaratory relief. AG-recovered penalties deposited in the litigation deposits trust account under § 28-16.

Verbatim statutory text on the left; plain-language analysis and a per-section checklist on the right. Numbered markers cross-link to the matching checklist row.

Statutory Text

Analysis & Obligations

§ -1

Definitions

As used in this chapter: "Adverse action" means a denial, cancellation, or other adverse change or assessment regarding an individual's eligibility for, opportunity to access, or terms of access to important life opportunities. "Algorithmic eligibility determination" means a determination based in whole or in significant part on an algorithmic process that utilizes machine learning, artificial intelligence, or similar techniques to determine an individual's eligibility for, or opportunity to access, important life opportunities. "Algorithmic information availability determination" means a determination based in whole or in significant part on an algorithmic process that utilizes machine learning, artificial intelligence, or similar techniques to determine an individual's receipt of advertising, marketing, solicitations, or offers for an important life opportunity. "Covered entity" means any individual, firm, corporation, partnership, cooperative, association, or any other organization, legal entity, or group of individuals however organized, including entities related by common ownership or corporate control, that either makes algorithmic eligibility determinations or algorithmic information availability determinations, or relies on algorithmic eligibility determinations or algorithmic information availability determinations supplied by a service provider, and that meets one or more of the following criteria: (1) Possesses or controls personal information on more than twenty-five thousand residents of the State; (2) Has more than $15,000,000 in average annualized gross receipts for the three years preceding the most recent fiscal year; (3) Is a data broker, or other entity, that derives fifty per cent or more of its annual revenue by collecting, assembling, selling, distributing, providing access to, or maintaining personal information, and some proportion of the personal information concerns a resident of the State who is not a customer or an employee of that entity; or (4) Is a service provider. "Important life opportunities" means access to, approval for, or offer of credit, insurance, education, employment, housing, or place of public accommodation as defined in section 489-2. "Personal information" means any information held by a covered entity, regardless of how the information is collected, inferred, derived, created, or obtained, that is linked or reasonably linkable to an individual, household, or personal device. "Personal information" includes but is not limited to: (1) Individually identifiable information such as a real name, alias, signature, date of birth, union membership number, postal address, unique personal identifier, online identifier, internet protocol address, media access control address, unique device identifier, email address, phone number, account name, social security number, military identification number, driver's license number, vehicle identification number, passport number, or other similar identifiers; (2) A person's race, national origin, religious affiliation, gender identity, sexual orientation, marital status, or disability; (3) Commercial information, including records of personal property; products or services purchased, obtained, or considered; or other purchasing or consuming histories or tendencies; (4) Real-time historical geolocation data more specific than a fifty-mile radius; (5) Education records, as defined in title 34, Code of Federal Regulations section 99.3 or any successor regulation; (6) Biometric data, including voice signatures, facial geometry, fingerprints, and retina or iris scans; and (7) Inferences drawn from any of the information identified in paragraphs (1) through (6) to create a profile about an individual reflecting the individual's predispositions, behavior, habits, attitudes, intelligence, abilities, and aptitudes. "Reasonably linkable to an individual, household, or personal device" means personal information that can be used on its own or in combination with other information reasonably available to the covered entity, regardless of whether the other information is held by the covered entity, to identify an individual, household, or personal device. "Service provider" means any entity that performs algorithmic eligibility determinations or algorithmic information availability determinations on behalf of another entity.

This section establishes the definitional framework for the new chapter. The key scope limiters are the definitions of covered entity (which imposes size thresholds based on data volume, revenue, or data-broker status) and important life opportunities (which confines the chapter's reach to credit, insurance, education, employment, housing, and public accommodations). The definition of personal information is notably broad, encompassing inferences and profiles derived from identified data categories.

§ -2

Prohibited practices; exemptions

Deployer

(a) 1 A covered entity shall not make an algorithmic eligibility determination or an algorithmic information availability determination on the basis of an individual's or class of individuals' actual or perceived race, color, religion, national origin, sex, gender identity or expression, sexual orientation, familial status, source of income, or disability in a manner that segregates, discriminates against, or otherwise makes important life opportunities unavailable to an individual or class of individuals.

(b) 1 Any practice that has the effect or consequence of violating subsection (a) shall be deemed to be an unlawful discriminatory practice.

(c) Nothing in subsection (a) shall prohibit covered entities from using individuals' personal information as part of an affirmative action plan adopted pursuant to state or federal law.

This section establishes the chapter's core anti-discrimination prohibition: covered entities may not make algorithmic eligibility or information-availability determinations on the basis of protected characteristics in a manner that segregates, discriminates against, or otherwise makes important life opportunities unavailable. Subsection (b) extends liability to practices with a discriminatory effect, establishing disparate-impact liability independent of intent. Subsection (c) carves out affirmative-action plans adopted pursuant to state or federal law.

Compliance actions 1 item

Covered entities must not make algorithmic eligibility determinations or algorithmic information availability determinations on the basis of actual or perceived race, color, religion, national origin, sex, gender identity or expression, sexual orientation, familial status, source of income, or disability in a manner that segregates, discriminates against, or otherwise makes important life opportunities unavailable. Practices with a discriminatory effect are also prohibited.

H-02

§ -3

Relationships with service providers

Deployer

2 Any covered entity that relies in whole or in part on a service provider to conduct an algorithmic eligibility determination or an algorithmic information availability determination shall require by written agreement that the service provider implement and maintain measures reasonably designed to ensure that the service provider complies with this chapter.

This section requires covered entities that outsource algorithmic determinations to service providers to impose contractual compliance obligations. The written agreement must require the service provider to implement and maintain measures reasonably designed to ensure chapter compliance — a flow-down obligation that prevents covered entities from avoiding liability by outsourcing the algorithmic function.

Compliance actions 1 item

Covered entities that rely on a service provider for algorithmic eligibility or information-availability determinations must require by written agreement that the service provider implement and maintain measures reasonably designed to ensure compliance with this chapter.

—

§ -4

Right to notice and disclosure

Deployer

(a)(1)–(5), (b)–(c) 3 A covered entity shall: (1) Develop a notice that explains how the covered entity uses personal information in algorithmic eligibility determinations and algorithmic information availability determinations, including: (A) What personal information the covered entity collects, generates, infers, uses, and retains; (B) What sources the covered entity uses to collect, generate, or infer personal information; (C) Whether the personal information is shared, sold, leased, or exchanged with any service providers for any kind of consideration, and if so, the names of those service providers, including subsidiaries of the service providers; (D) A brief description of the relationship between the personal information and the algorithmic eligibility or algorithmic information availability determinations; (E) How long the covered entity will hold the personal information; and (F) The rights provided under this chapter; (2) Ensure that the notice developed and made available under paragraph (1) of this subsection: (A) Is clear, concise, and complete; (B) Does not contain unrelated, confusing, or contradictory materials; and (C) Is in a format that is: (i) Prominent and easily accessible; (ii) Capable of fitting on one printed page; and (iii) Provided in English, as well as in any non-English language spoken by at least five hundred individuals in the State population; (3) Within thirty days after changing its collection or use practices or policies in a way that affects the content of the notice required by paragraph (1) of this subsection, update that notice; (4) Make the notice required under paragraph (1) of this subsection continuously and conspicuously available: (A) On the covered entity's website or mobile application, if the covered entity maintains a website or mobile application; and (B) At the physical place of business or any offline equivalent the covered entity maintains; and (5) Send the notice required under paragraph (1) of this subsection to an individual before the first algorithmic information availability determination it makes about the individual by: (A) Mail, if the personal information was gathered through the individual contacting or contracting with the covered entity through mail; (B) Email, if the personal information was gathered through the individual contacting or contracting with the covered entity through email, or if the covered entity has the individual's email address for another reason; (C) Informing individuals through a "pop-up" notification upon navigation to the covered entity's website or within the covered entity's mobile application; or (D) Providing a clear and conspicuous link on the covered entity's website's homepage, or the home screen of its mobile application, leading to the notice. (b) A covered entity need not provide the notice described under subsection (a) of this section if another covered entity has provided notice to the same individual for the same action as part of a contracted arrangement with the covered entity. (c) A covered entity that is subject to subsection (a)(1), with respect to any individual whose personal information the covered entity holds as described in that subsection, shall not use any personal information of the individual in an algorithmic eligibility determination unless the covered entity has provided the individual with notice consistent with that subsection.

(d) 4 If a covered entity takes any adverse action with respect to any individual that is based in whole or in part on the results of an algorithmic eligibility determination, the covered entity shall provide the individual a written or electronic disclosure that includes: (1) The covered entity's name, address, email address, and telephone number; (2) The factors the determination depended on; and (3) An explanation that the individual may: (A) Access any personal information pertaining to that individual that the covered entity used to make the determination; (B) Submit corrections to that information; and (C) If the individual submits corrections, request that the covered entity conduct a reasoned reevaluation of the relevant algorithmic eligibility determination, conducted by a human, based on the corrected data.

This section imposes two distinct transparency obligations. Subsections (a)(1)–(5) and (b)–(c) require covered entities to develop, maintain, and deliver a comprehensive notice explaining how personal information is used in algorithmic determinations — covering data types, sources, sharing, purpose, retention periods, and individual rights. The notice must be clear, concise, multilingual, continuously posted, and individually delivered before the first algorithmic information-availability determination.

Subsection (d) imposes a separate adverse-action disclosure obligation: when a covered entity takes an adverse action based on an algorithmic eligibility determination, it must provide the individual with the factors the determination depended on, the right to access and correct their personal information, and the right to request a human-conducted reevaluation based on corrected data.

Compliance actions 2 items

Covered entities must develop, continuously post, and individually deliver a clear, concise notice — in English and all non-English languages spoken by at least 500 Hawaii residents — explaining what personal information is collected, generated, inferred, used, and retained; data sources; whether data is shared with service providers (and their names); the relationship between personal information and algorithmic determinations; data retention periods; and individual rights. The notice must be updated within 30 days of any change to collection or use practices. A covered entity may not use personal information in an algorithmic eligibility determination unless notice has been provided.

D-01.1

Covered entities must, upon taking any adverse action based on an algorithmic eligibility determination, provide the individual a written or electronic disclosure identifying (1) the covered entity's contact information, (2) the factors the determination depended on, and (3) the individual's right to access their personal information used in the determination, submit corrections, and request a human-conducted reevaluation based on corrected data.

H-01.1

§ -5

Auditing for discriminatory processing and reporting requirement

Deployer

(a)(1)–(6) 5 A covered entity shall annually audit its algorithmic eligibility determination and algorithmic information availability determination practices to: (1) Determine whether the processing practices discriminate in a manner prohibited under § -2; (2) Analyze disparate-impact risks of algorithmic eligibility determinations and algorithmic information availability determinations based on actual or perceived race, color, religion, national origin, sex, gender identity or expression, sexual orientation, familial status, genetic information, source of income, or disability; (3) Create and retain for at least five years an audit trail that records, for each algorithmic eligibility determination: (A) The type of algorithmic eligibility determination made; (B) The data used in the determination, including the source of the data; (C) The methodology used by the entity to establish the algorithm; (D) The algorithm used to make the determination; (E) Any data or sets of data used to train the algorithm; (F) Any testing and results for model performance across different subgroups or for discriminatory effects; (G) The methodology used to render the determination; and (H) The ultimate decision rendered; (4) Conduct annual impact assessments of: (A) Existing systems that render algorithmic eligibility determinations and algorithmic information availability determinations; and (B) Prior to implementation, new systems that render algorithmic eligibility determinations and algorithmic information availability determinations; (5) Conduct the audits under paragraphs (1), (2), and (3) of this subsection in consultation with third parties who have substantial information about or participated in the covered entity's algorithmic eligibility determinations and algorithmic information availability determinations, including service providers; and (6) Identify and implement reasonable measures to address risks of an unlawful disparate impact identified in the audits and impact assessments conducted under paragraphs (1), (2), and (3) of this subsection, including the risks posed by determinations made by the covered entity's service providers.

(b)(1)–(10) 6 A covered entity shall annually submit a report containing the results of the audit mandated under this section to the department of the attorney general on a form provided by the department of the attorney general. The report shall contain the following information: (1) The types of algorithmic eligibility determinations and algorithmic information availability determinations that the covered entity makes; (2) The data and methodologies that the covered entity uses to establish the algorithms; (3) The optimization criteria of the algorithms used to make the determinations; (4) Any data or sets of data used to train the algorithms, and the source or sources of the data; (5) The methodologies the covered entity uses to render the determinations; (6) Any performance metrics the entity uses to gauge the accuracy of the assessments, including accuracy, confidence intervals, and how those assessments are obtained; (7) The frequency, methodology, and results of the impact assessments or risk assessments that the entity has conducted; (8) Within the description of each of the decisions in paragraphs (1) through (7), the rationale for each decision; (9) Whether the covered entity has received complaints from individuals regarding the algorithmic eligibility determinations and algorithmic information availability determinations it has made; and (10) If the covered entity has determined that one or more of the exemptions referred to in section -2(c) apply to practices that would otherwise violate section -2(a), a declaration and explanation of the covered entity's reliance on those exemptions.

(c) 6 To the extent consistent with federal law or state law, a covered entity may, in place of the report required by subsection (a), submit to the department of the attorney general a report previously submitted to a federal, state, or other government entity, if that report contains the required information or is supplemented with missing information.

(d) The attorney general may adopt rules pursuant to chapter 91 necessary to implement the reporting provisions of this section.

This section imposes two overlapping but distinct obligations. Subsection (a) requires covered entities to conduct annual internal audits of their algorithmic determination practices, covering discrimination testing, disparate-impact analysis across all protected characteristics, creation and five-year retention of detailed audit trails, annual impact assessments of both existing and new systems, third-party consultation during audits, and identification and implementation of reasonable mitigation measures for disparate-impact risks.

Subsection (b) requires covered entities to annually submit a structured report to the Department of the Attorney General containing the results of the mandated audit along with ten enumerated categories of information — determination types, data and methodologies, optimization criteria, training data, performance metrics, impact-assessment results, rationale for design decisions, complaint history, and any reliance on the affirmative-action exemption. Subsections (c) and (d) allow substitution of equivalent federal or state reports and authorize attorney general rulemaking.

Compliance actions 2 items

Covered entities must annually audit their algorithmic eligibility and information-availability determination practices to (1) determine whether practices discriminate under § -2, (2) analyze disparate-impact risks across all protected characteristics, (3) create and retain for at least five years a detailed audit trail recording determination type, data, sources, methodology, algorithm, training data, subgroup testing results, and ultimate decision for each determination, (4) conduct annual impact assessments of existing systems and pre-implementation assessments of new systems, (5) conduct audits in consultation with third parties including service providers, and (6) identify and implement reasonable mitigation measures for disparate-impact risks.

H-02.1

Covered entities must annually submit to the Department of the Attorney General a structured report containing audit results, including determination types, data and methodologies, optimization criteria, training data sources, rendering methodologies, performance metrics, impact assessment results and methodology, rationale for design decisions, complaint history, and any reliance on the affirmative-action exemption. An equivalent report previously submitted to another government entity may be substituted if it contains or is supplemented with all required information.

R-02.1

§ -6

Enforcement; penalties

(a)–(g) In any case in which the attorney general has reason to believe that any person has used, is using, or intends to use any method, act, or practice in violation of this chapter or rule adopted under this chapter, or has failed to provide a notice, a disclosure, or a report required by this chapter, the attorney general may commence appropriate civil action for: (1) A temporary or permanent injunction; (2) Penalties as described in subsection (c) of this section; (3) Damages or restitution; or (4) Any other relief that the court considers appropriate. (b) In the course of an investigation to determine whether to seek relief, the attorney general may subpoena witnesses; administer oaths; examine an individual under oath; require sworn written responses to written questions; and compel production of records, books, papers, contracts, and other documents. (c) Any covered entity or service provider that violates this chapter shall be liable for a civil penalty of not more than $10,000 for each violation, which may be recovered in a civil action brought by the attorney general. (d) Any civil penalty assessed for a violation of this chapter, and the proceeds of any settlement of an action brought pursuant to this section, shall be deposited in the litigation deposits trust account under section 28-16. (e) Any person aggrieved by a violation of this chapter may bring a civil action in any court of competent jurisdiction, and the court may award an amount not less than $100 and not greater than $10,000 per violation or actual damages, whichever is greater. (f) In a civil action brought under either subsection (c) or (e) of this section in which the plaintiff prevails, the court may also award: (1) Punitive damages; (2) Reasonable attorney's fees and litigation costs; and (3) Any other relief, including equitable or declaratory relief, that the court determines appropriate. (g) In a civil action brought under subsection (e) of this section, a violation of this chapter or a rule adopted under this chapter with respect to an individual constitutes a concrete and particularized injury to that individual.

This section establishes a dual enforcement framework. The attorney general may bring civil actions for injunctions, penalties up to $10,000 per violation, damages or restitution, and other relief, and has full investigative authority including subpoena power. Any aggrieved person may bring a private action for $100–$10,000 per violation or actual damages, whichever is greater. In both AG and private actions, the court may award punitive damages, reasonable attorney's fees and litigation costs, and equitable or declaratory relief. Subsection (g) establishes that a violation constitutes a concrete and particularized injury to the affected individual, which directly addresses Article III standing requirements for private plaintiffs.

Data Controls Data sale restrictions · deidentification

1 item

D-01.1