HB1220 (2024) Compare Changes


Unchanged Version

Text to be removed highlighted in red.

229:1 Vital Records; Marriage Registration Form; Race and Education. Amend RSA 5-C:41, III to read as follows:

III. The clerk of the town or city shall complete the following statistical and legal information on the marriage application worksheet for both the bride and groom with information supplied by the bride and groom: the number which represents of the currently intended marriage; if previously married, whether a civil annulment occurred or the marriage ended by death or divorce; the date of civil annulment or that the last marriage ended; their race and ancestry; their level of education; any waivers presented by the groom or the bride, either for time or age pursuant to RSA 457:4 through RSA 457:9 or RSA 457:26 and RSA 457:27; whether proof of age of the bride and groom was demonstrated using identification with photograph; if applicable, the divorce decree; and, if applicable, the death record of the former spouse.

229:2 New Paragraph; Expectation of Privacy; Definitions; Secure and Reliable Means. Amend RSA 507-H:1 by inserting after paragraph XXVII the following new paragraph:

XXVII-a. "Secure and reliable means" are methods, systems, technologies, or processes that are designed to reasonably ensure the protection, integrity, and confidentiality of data or information, and consistently function in a dependable manner. They include, but are not limited to encryption protocols, authentication mechanisms, access controls, redundant systems, and other measures designed to safeguard personal data and ensure consistent performance and reasonable and appropriate physical, technical, organizational, and administrative measures to safeguard and keep personal data confidential.

229:3 Notice of Application. Amend RSA 507-H:2 to read as follows:

507-H:2 Application.

This chapter applies to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state that during a one year period:

(a) Controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or

(b) Controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25 percent of their gross revenue from the sale of personal data.

229:4 Consumer Expectation of Privacy; Privacy Notice. Amend RSA 507-H:4, II to read as follows:

II. A consumer may exercise rights under this section by a secure and reliable means established by the secretary of state and described to the consumer in the controller's privacy notice. A consumer may designate an authorized agent in accordance with RSA 507-H:5 to exercise the rights of such consumer to opt-out of the processing of such consumer's personal data for purposes of RSA 507-H:4, III(e) on behalf of the consumer. In the case of processing personal data of a known child, the parent or legal guardian may exercise such consumer rights on the child's behalf. In the case of processing personal data concerning a consumer subject to a guardianship, conservatorship, or other protective arrangement, the guardian or the conservator of the consumer may exercise such rights on the consumer's behalf.

229:5 Notice Format. Amend RSA 507-H:6, III to read as follows:

III. A controller shall provide consumers with a reasonably accessible, clear and meaningful privacy notice meeting standards established by the secretary of state that includes:

(a) The categories of personal data processed by the controller;

(b) The purpose for processing personal data;

(c) How consumers may exercise their consumer rights, including how a consumer may appeal a controller's decision with regard to the consumer's request;

(d) The categories of personal data that the controller shares with third parties, if any;

(e) The categories of third-parties, if any, with which the controller shares personal data; and

(f) An active electronic mail address or other online mechanism that the consumer may use to contact the controller.

229:6 Controller Responsibilities; Prior Paragraph Reference. Amend RSA 507-H:6, V(a) to read as follows:

V.(a) A controller shall establish, and shall describe in a privacy notice, consistent with the requirements of the secretary of state, one or more secure and reliable means for consumers to submit a request to exercise their consumer rights pursuant to this chapter. Such means shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests and the ability of the controller to verify the identity of the consumer making the request. A controller shall not require a consumer to create a new account in order to exercise consumer rights, but may require a consumer to use an existing account. Any such means shall include:

(1)(A) Providing a clear and conspicuous link on the controller's Internet website to an Internet webpage that enables a consumer, or an agent of the consumer, to opt-out of the targeted advertising or sale of the consumer's personal data; and

(B) Not later than January 1, 2025, allowing a consumer to opt-out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal sent, with such consumer's consent, by a platform, technology, or mechanism to the controller indicating such consumer's intent to opt-out of any such processing or sale. Such platform, technology, or mechanism shall:

(i) Not unfairly disadvantage another controller;

(ii) Not make use of a default setting, but, rather, require the consumer to make an affirmative, freely given, and unambiguous choice to opt-out of any processing of such consumer's personal data pursuant to this chapter;

(iii) Be consumer-friendly and easy to use by the average consumer;

(iv) Be as consistent as possible with any other similar platform, technology or mechanism required by any federal or state law or regulation; and

(v) Enable the controller to accurately determine whether the consumer is a resident of this state and whether the consumer has made a legitimate request to opt-out of any sale of such consumer's personal data or targeted advertising.

(2) If a consumer's decision to opt-out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal sent in accordance with RSA 507-H:6, V(a)(1)(A) conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller shall comply with such consumer's opt-out preference signal, but may notify such consumer of such conflict and provide to such consumer the choice to confirm such controller-specific privacy setting or participation in such program.

229:7 Effective Date. This act shall take effect at 12:01 a.m. on January 1, 2025.

Approved: July 19, 2024

Effective Date: January 1, 2025 12:01 a.m.

Changed Version

Text to be added highlighted in green.

229:1 Vital Records; Marriage Registration Form; Race and Education. Amend RSA 5-C:41, III to read as follows:

III. The clerk of the town or city shall complete the following statistical and legal information on the marriage application worksheet for both the bride and groom with information supplied by the bride and groom: the number which represents of the currently intended marriage; if previously married, whether a civil annulment occurred or the marriage ended by death or divorce; the date of civil annulment or that the last marriage ended; any waivers presented by the groom or the bride, either for time or age pursuant to RSA 457:4 through RSA 457:9 or RSA 457:26 and RSA 457:27; whether proof of age of the bride and groom was demonstrated using identification with photograph; if applicable, the divorce decree; and, if applicable, the death record of the former spouse.

229:2 New Paragraph; Expectation of Privacy; Definitions; Secure and Reliable Means. Amend RSA 507-H:1 by inserting after paragraph XXVII the following new paragraph:

XXVII-a. "Secure and reliable means" are methods, systems, technologies, or processes that are designed to reasonably ensure the protection, integrity, and confidentiality of data or information, and consistently function in a dependable manner. They include, but are not limited to encryption protocols, authentication mechanisms, access controls, redundant systems, and other measures designed to safeguard personal data and ensure consistent performance and reasonable and appropriate physical, technical, organizational, and administrative measures to safeguard and keep personal data confidential.

229:3 Notice of Application. Amend RSA 507-H:2 to read as follows:

507-H:2 Application.

I. This chapter applies to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state that during a one year period:

(a) Controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or

(b) Controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25 percent of their gross revenue from the sale of personal data.

II. The secretary of state shall notice and post a link to RSA 507-H on the secretary of state's website.

229:4 Consumer Expectation of Privacy; Privacy Notice. Amend RSA 507-H:4, II to read as follows:

II. A consumer may exercise rights under this section by established by the secretary of state andreasonably accessible,meeting standards established by the secretary of state that includesanda the privacy notice required by paragraph III* , one or more secure and reliable means for consumers to submit a request to exercise their consumer rights pursuant to this chapter. Such means shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests and the ability of the controller to verify the identity of the consumer making the request. A controller shall not require a consumer to create a new account in order to exercise consumer rights, but may require a consumer to use an existing account. Any such means shall include:

(1)(A) Providing a clear and conspicuous link on the controller's Internet website to an Internet webpage that enables a consumer, or an agent of the consumer, to opt-out of the targeted advertising or sale of the consumer's personal data; and

(B) Not later than January 1, 2025, allowing a consumer to opt-out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal sent, with such consumer's consent, by a platform, technology, or mechanism to the controller indicating such consumer's intent to opt-out of any such processing or sale. Such platform, technology, or mechanism shall:

(i) Not unfairly disadvantage another controller;

(ii) Not make use of a default setting, but, rather, require the consumer to make an affirmative, freely given, and unambiguous choice to opt-out of any processing of such consumer's personal data pursuant to this chapter;

(iii) Be consumer-friendly and easy to use by the average consumer;

(iv) Be as consistent as possible with any other similar platform, technology or mechanism required by any federal or state law or regulation; and

(v) Enable the controller to accurately determine whether the consumer is a resident of this state and whether the consumer has made a legitimate request to opt-out of any sale of such consumer's personal data or targeted advertising.

(2) If a consumer's decision to opt-out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal sent in accordance with RSA 507-H:6, V(a)(1)(A) conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller shall comply with such consumer's opt-out preference signal, but may notify such consumer of such conflict and provide to such consumer the choice to confirm such controller-specific privacy setting or participation in such program.

229:7 Effective Date. This act shall take effect at 12:01 a.m. on January 1, 2025.

Approved: July 19, 2024

Effective Date: January 1, 2025 12:01 a.m.