Bill Text - HB1413 (2022)

Relative to privacy of online customer information.


Revision: Dec. 1, 2021, 1:27 p.m.

HB 1413  - AS INTRODUCED

 

 

2022 SESSION

22-2754

12/08

 

HOUSE BILL 1413

 

AN ACT relative to privacy of online customer information.

 

SPONSORS: Rep. Wuelper, Straf. 3; Rep. Gould, Hills. 7; Rep. T. Lekas, Hills. 37; Rep. Wallace, Rock. 12; Rep. Testerman, Merr. 2

 

COMMITTEE: Commerce and Consumer Affairs

 

-----------------------------------------------------------------

 

ANALYSIS

 

This bill prohibits a provider of broadband Internet access service from using, disclosing, selling, or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale, or access unless exempted under this chapter.  This bill also provides exceptions to this prohibition.

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Explanation: Matter added to current law appears in bold italics.

Matter removed from current law appears [in brackets and struckthrough.]

Matter which is either (a) all new or (b) repealed and reenacted appears in regular type.

 

STATE OF NEW HAMPSHIRE

 

In the Year of Our Lord Two Thousand Twenty Two

 

AN ACT relative to privacy of online customer information.

 

Be it Enacted by the Senate and House of Representatives in General Court convened:

 

1  New Chapter; Broadband Internet Access Service Customer Privacy.  Amend RSA by inserting after chapter 359-S the following new chapter:

CHAPTER 359-T

BROADBAND INTERNET ACCESS SERVICE CUSTOMER PRIVACY

359-T:1  Definitions.  In this chapter:

I.  "Broadband Internet access service" means a mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all Internet endpoints, including any capabilities that are incidental to and enable the operation of the service, excluding dial-up Internet access service.

II.  "Customer" means an applicant for or a current or former subscriber of broadband Internet access service.

III.  "Customer personal information" means:

(a)  Personally identifying information about a customer, including but not limited to the customer's name, billing information, social security number, billing address and demographic data; and

(b)  Information from a customer's use of broadband Internet access service, including but not limited to:

(1)  The customer's web browsing history;

(2)  The customer's application usage history;

(3)  The customer's precise geolocation information;

(4)  The customer's financial information;

(5)  The customer's health information;

(6)  Information pertaining to the customer's children;

(7)  The customer's device identifier, such as a media access control address, international mobile equipment identity or Internet protocol address;

(8)  The content of the customer's communications; and

(9)  The origin and destination Internet protocol addresses.

IV.  "Provider" means a person who provides broadband Internet access service.

359-T:2  Privacy of Customer Personal Information.  A provider shall not use, disclose, sell, or permit access to customer personal information, except as provided in RSA 359-T:3 and RSA 359-T:4.

359-T:3  Customer Consent Exception.

I.  A provider may use, disclose, sell, or permit access to a customer's customer personal information if the customer gives the provider express, affirmative consent to such use, disclosure, sale, or access.  A customer may revoke the customer's consent under this paragraph at any time.

II.  A provider shall not:

(a)  Refuse to serve a customer who does not provide consent under paragraph I; or

(b)  Charge a customer a penalty or offer a customer a discount based on the customer's decision to provide or not provide consent under paragraph I.

III.  A provider may use, disclose, sell, or permit access to information the provider collects pertaining to a customer that is not customer personal information, except upon written notice from the customer notifying the provider that the customer does not permit the provider to use, disclose, sell, or permit access to that information.

359-T:4  Other Exceptions.  Notwithstanding the provisions of RSA 359-T:2 and RSA 359-T:3, a provider may collect, retain, use, disclose, sell, and permit access to customer personal information without customer approval:

I.  For the purpose of providing the service from which such information is derived or for the services necessary to the provision of such service.

II.  To advertise or market the provider's communications-related services to the customer.

III.  To comply with a lawful court order.

IV.  To initiate, render, bill for, and collect payment for broadband Internet access service.

V.  To protect users of the provider's or other providers' services from fraudulent, abusive, or unlawful use of, or subscription to, such services; and

VI.  To provide geolocation information concerning the customer to:

(a)  For the purpose of responding to a customer's call for emergency services, a public safety answering point; a provider of emergency medical or emergency dispatch services; a public safety, fire service, or law enforcement official; or a hospital emergency or trauma care facility;

(b)  The customer's legal guardian or a member of the customer's immediate family in an emergency situation that involves the risk of death or serious physical harm; or

(c)  A provider of information or database management services solely for the purpose of assisting in the delivery of emergency services in response to an emergency.

359-T:5  A provider shall take reasonable measures to protect customer personal information from unauthorized use, disclosure or access.

I.  In implementing security measures required by this section, a provider shall take into account each of the following factors:

(a)  The nature and scope of the provider's activities;

(b)  The sensitivity of the data the provider collects;

(c)  The size of the provider; and

(d)  The technical feasibility of the security measures.

II.  A provider may employ any lawful measure that allows the provider to comply with the requirements of this section.

359-T:6  Notice Required.  A provider shall provide to each of the provider's customers a clear, conspicuous, and nondeceptive notice at the point of sale and on the provider's publicly accessible website of the provider's obligations and a customer's rights under this section.

359-T:7  Applicability.  The requirements of this section shall apply to providers operating within the state when providing broadband Internet access service to customers that are physically located and billed for service received in the state.

359-T:8  Private Right of Action.  Any customer whose personal information has been shared in violation of this chapter may bring a private action against the provider.  If a court finds a provider has violated a provision of this chapter, the court may award actual damages, reasonable attorney's fees, and recovery of any other costs incurred by the customer in maintaining the civil action.

359-T:9  Penalties and Enforcement.  Whoever violates any of the provisions of this chapter shall be subject to a civil penalty not to exceed $1,000 per violation.  The attorney general shall have authority to notify suspected violators of this chapter of the state's intention to seek a civil penalty, to negotiate, and to settle with such suspected violators without court action, provided any civil penalty paid as settlement shall be paid to the deposited into the general fund.  The court, upon petition of the attorney general, may levy upon any person who violates this chapter a civil penalty in an amount not to exceed $1,000 per violation.  All penalties assessed under this paragraph shall be deposited into the general fund.

2  Effective Date.  This act shall take effect 60 days after its passage.