Hawaii Just Banned the Sale of Your Location and Browser Data—To Protect Abortion Access

In 2023, the Federal Trade Commission sued a data broker for selling the precise location data of people who had visited reproductive health clinics, domestic violence shelters, and addiction treatment centers. The data was granular enough to identify individuals by name and track their movements over time. No consent had been obtained. No law clearly prohibited it.

Hawaii looked at that case and decided to act. The result is SB 1163, passed during the 33rd Legislature in 2025, which creates one of the most targeted and explicit data sale bans in the country. The law doesn't just restrict what companies can collect—it restricts what they can sell, and it demands a clear yes from users before any sale can happen.

The legislature was direct about its motivation: such sales "may inhibit access to safe abortion care."

Three Categories of Data Now Off Limits

SB 1163 prohibits the sale of three distinct categories of personal data without prior express opt in authorization:

• Geolocation information — precise location data identifying a person's whereabouts within a one mile radius. This captures the kind of clinic proximity data at the center of the FTC lawsuit.
• Eavesdropping data — audio recordings of individuals, regardless of how they were obtained or what device captured them.
• Internet browser information — web browsing history, app usage patterns, IP addresses, and device identifiers. This covers the full trail of digital behavior that ad tech companies routinely aggregate and sell.

The breadth is intentional. Each category represents a different surveillance vector: physical movement, ambient sound, and online behavior. Together they constitute a nearly complete picture of a person's daily life.

The Reproductive Health Connection

The FTC's 2023 action against data broker Kochava revealed how the location data industry operates in practice. Advertisers, hedge funds, insurers, and government agencies can purchase datasets showing which specific individuals visited which specific locations on which specific dates. The data originates from apps on mobile phones—weather apps, games, retail apps—that harvest location in the background and sell it onward through a chain of brokers.

After the Supreme Court's 2022 Dobbs decision removed federal abortion protections, the potential harm from this data became acute. States that criminalized abortion could theoretically purchase location data to identify residents who had traveled to clinics in other states. Anti abortion groups could use the same data to target individuals for harassment or legal action.

Hawaii's legislature cited this dynamic explicitly in SB 1163's findings. The law frames geolocation tracking near reproductive health clinics not merely as a privacy problem but as a potential barrier to healthcare access—a framing that broadens the political coalition behind the bill and may influence how similar legislation is drafted elsewhere.

Opt In, Not Opt Out

The most consequential aspect of SB 1163 is its consent standard. Most state privacy laws—including those in Virginia, Colorado, and Connecticut—use an opt out model for data sales. Under opt out, companies can sell your data unless you proactively object. The burden is on the consumer to find the right settings page, submit a request, and hope it is honored.

Hawaii's law flips this entirely. No sale of geolocation, audio, or browser data can occur unless the company has obtained "prior express opt in authorization" from the individual. The authorization must be affirmative and specific—not buried in a terms of service agreement or pre checked during account creation.

Critically, the law also requires that consent be revocable at any time by the user. Opting in once does not grant permanent permission. If a user changes their mind, their withdrawal of consent must be respected. This revocability requirement is more demanding than what most existing state laws impose.

California's CCPA and its amendment CPRA come closest to this standard for certain sensitive data categories, but they still rely primarily on opt out mechanisms for general data sales. Hawaii's opt in mandate for these three specific categories places it among the most protective frameworks in the United States.

Who Is Covered—and the One Exemption

SB 1163 applies broadly. The law covers mobile device users, internet service subscribers, and data brokers—the three primary nodes through which personal location and browser data flows from individuals to the commercial market. Carriers that sell subscriber data, apps that monetize location, and the brokers who aggregate and resell all fall within its scope.

There is one explicit exemption: data sales made for emergency response purposes are permitted without opt in consent. The legislature drew a clear line between life safety uses, where the speed of data access may matter, and commercial uses, where there is no comparable justification for bypassing consent.

The emergency exemption is notably narrow. It does not extend to law enforcement generally, government agencies broadly, or insurers who might claim risk assessment as a public benefit. The exemption is limited to the specific context of responding to emergencies—a deliberate choice that reflects awareness of how broadly such carve outs can be exploited.

What This Means for Data Brokers

The data brokerage industry has operated largely outside meaningful legal constraint in the United States. Companies like LexisNexis, Acxiom, and hundreds of smaller firms compile and sell personal information including location histories, browsing profiles, and device level identifiers. For most of that industry's history, no federal privacy law and few state laws directly regulated the act of selling this data.

Hawaii's law directly targets that gap. By requiring opt in consent before any sale of the three covered data types, SB 1163 effectively makes it illegal for a broker to sell geolocation or browser data about a Hawaii resident unless that resident has explicitly agreed. Given how rarely consumers are even asked for such consent in current industry practice, the law will require brokers to build entirely new consent collection and verification infrastructure—or exit those data categories for Hawaii residents.

The ripple effects may extend beyond Hawaii. States watching the FTC's ongoing enforcement actions against location data brokers now have a legislative model to reference. And companies that build opt in consent systems for Hawaii compliance will face pressure to apply those same standards elsewhere—or explain publicly why they choose not to.

Privacy law in the United States has historically advanced through state level experimentation before federal frameworks emerge. Hawaii's SB 1163 is a sharp, targeted experiment: a focused ban on the specific data types most directly tied to physical surveillance, driven by a concrete documented harm. Whether other states follow will depend in part on how effectively advocates, researchers, and compliance professionals communicate what the law actually does—and why it was necessary.