Revision: April 11, 2024, 3:15 p.m.
Sen. Carson, Dist 14
April 10, 2024
2024-1486s
11/05
Amendment to HB 1220-FN
Amend the title of the bill by replacing it with the following:
AN ACT abolishing the collection of racial and educational data for use in a marital application worksheet and relative to the expectation of privacy.
Amend the bill by replacing all after section 1 with the following:
2 New Paragraph; Expectation of Privacy; Definitions; Secure and Reliable Means. Amend RSA 507-H:1 by inserting after paragraph XXVII the following new paragraph:
XXVII-a. "Secure and reliable means" are methods, systems, technologies, or processes that ensure the protection, integrity, and confidentiality of data or information, and consistently function in a dependable manner without significant risk of unauthorized access, tampering, or failure. They include encryption protocols, authentication mechanisms, access controls, redundant systems, and other measures designed to safeguard personal data and ensure consistent performance and reasonable and appropriate physical, technical, organizational, and administrative measures to safeguard and keep personal data confidential.
3 Notice of Application. Amend RSA 507-H:2 to read as follows:
507-H:2 Application.
I. This chapter applies to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state that during a one year period:
(a) Controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
(b) Controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25 percent of their gross revenue from the sale of personal data.
II. The secretary of state shall notice and post a link to RSA 507-H on the secretary of state’s website.
4 Consumer Expectation of Privacy; Privacy Notice. Amend RSA 507-H:4, II to read as follows:
II. A consumer may exercise rights under this section by [a] any secure and reliable means [established by the secretary of state and] described to the consumer in the controller's privacy notice. A consumer may designate an authorized agent in accordance with RSA 507-H:5 to exercise the rights of such consumer to opt-out of the processing of such consumer's personal data for purposes of RSA 507-H:4, III(e) on behalf of the consumer. In the case of processing personal data of a known child, the parent or legal guardian may exercise such consumer rights on the child's behalf. In the case of processing personal data concerning a consumer subject to a guardianship, conservatorship, or other protective arrangement, the guardian or the conservator of the consumer may exercise such rights on the consumer's behalf.
5 Notice Format. Amend RSA 507-H:6, III to read as follows:
III. A controller shall provide consumers with a reasonably accessible, clear and meaningful privacy notice. The notice shall be provided in a readable format on all devices through which consumers regularly interact with the controller, including on smaller screens and mobile applications, if applicable. Said notice shall also be reasonably accessible to consumers with disabilities, including through the use of digital accessibility tools. [meeting standards established by the secretary of state that includes] The notice must include the following:
(a) The categories of personal data processed by the controller;
(b) The purpose for processing personal data;
(c) How consumers may exercise their consumer rights, including how a consumer may appeal a controller's decision with regard to the consumer's request;
(d) The categories of personal data that the controller shares with third parties, if any;
(e) The categories of third-parties, if any, with which the controller shares personal data; and
(f) An active electronic mail address or other online mechanism that the consumer may use to contact the controller.
(g) A phone number and/or U.S. Mail address that the consumer may use to contact the controller.
(h) The date the privacy notice was last updated.
6 Controller Responsibilities; Prior Paragraph Reference. Amend RSA 507-H:6, V(a) to read as follows:
V.(a) A controller shall establish, and shall describe in [a] the privacy notice required by paragraph III of this section, [consistent with the requirements of the secretary of state,] one or more secure and reliable means for consumers to submit a request to exercise their consumer rights pursuant to this chapter. Such means shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests and the ability of the controller to verify the identity of the consumer making the request. A controller shall not require a consumer to create a new account in order to exercise consumer rights, but may require a consumer to use an existing account. Any such means shall include:
(1)(A) Providing a clear and conspicuous link on the controller's Internet website to an Internet webpage that enables a consumer, or an agent of the consumer, to opt-out of the targeted advertising or sale of the consumer's personal data; and
(B) Not later than January 1, 2025, allowing a consumer to opt-out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal sent, with such consumer's consent, by a platform, technology, or mechanism to the controller indicating such consumer's intent to opt-out of any such processing or sale. Such platform, technology, or mechanism shall:
(i) Not unfairly disadvantage another controller;
(ii) Not make use of a default setting, but, rather, require the consumer to make an affirmative, freely given, and unambiguous choice to opt-out of any processing of such consumer's personal data pursuant to this chapter;
(iii) Be consumer-friendly and easy to use by the average consumer;
(iv) Be as consistent as possible with any other similar platform, technology or mechanism required by any federal or state law or regulation; and
(v) Enable the controller to accurately determine whether the consumer is a resident of this state and whether the consumer has made a legitimate request to opt-out of any sale of such consumer's personal data or targeted advertising.
(2) If a consumer's decision to opt-out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal sent in accordance with RSA 507-H:6, V(a)(1)(A) conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller shall comply with such consumer's opt-out preference signal but may notify such consumer of such conflict and provide to such consumer the choice to confirm such controller-specific privacy setting or participation in such program.
7 Effective Date. This act shall take effect at 12:01 a.m. on January 1, 2025.
AMENDED ANALYSIS
This bill abolishes the collection of racial and educational data for use in a marital application worksheet and further delineates notice requirements and procedures regarding consumer privacy rights.