HI HB2296

Internet service providers are prohibited from using, disclosing, selling, or permitting access to customer personal information without prior written consent, which customers may revoke at any time.

ISPs must provide easy-to-use, clear, and persistent consent mechanisms available through all account management methods at no additional cost to customers.

ISPs cannot refuse service or charge different rates based on whether customers grant or deny consent to data use.

Exceptions allow ISPs to use customer data without consent for service provision, legal compliance, billing, fraud prevention, emergency services, and marketing communications-related services (with opt-out rights).

ISPs must implement reasonable security measures, provide clear notice of data practices, limit data retention, and violators face fines of $1,000 to $3,000 for first offenses and $3,000 to $9,000 for subsequent violations.