HB314 (2024) Compare Changes


The Bill Text indicates a new section is being inserted. This situation is not handled right now, and the new text is displayed in both the changed and unchanged versions.

Unchanged Version

Text to be removed highlighted in red.

1 New Chapter; Expectation of Privacy. Amend RSA by inserting after chapter 507-G the following new chapter:

CHAPTER 507-H

EXPECTATION OF PRIVACY

507-H:1 Definitions. In this chapter:

I. "Available to the public" means personal information legally obtained directly or indirectly from either a third party provider of information and services or the individual to whom it relates, directly or through social media, whether or not offered for sale or obtainable without charge, by an individual or organization.

II. "Government entity" means municipal, county state or federal department, agency, board, commission, or employee, elected official, or contractor. "Government entity" shall not apply to a federal government agency to the extent that federal statute or the United States Constitution preempts such application.

III. "Personal information" means an individual's name, date or place of birth; social security number; address; employment history; credit history; financial and other account numbers; cellular telephone numbers; voice over Internet protocol or landline telephone numbers; location information; biometric identifiers including fingerprints, facial photographs or images, retinal scans, genetic profiles, and DNA/RNA data; or other identifying data unique to that individual.

IV. "Third party providers of information and services" means individuals or organizations that collect personal information about an individual in connection with providing the following kinds of services to that individual: cellular and land-line telephone, electric, water, or other utilities; Internet service providers; cable television; streaming services; social media services; email service providers; banks and financial institutions; insurance companies; and credit card companies.

507-H:2 Expectation of Privacy in Personal Information; Consent.

I. An individual shall have a reasonable expectation of privacy in personal information, including content and usage, given to or held by third party providers of information and services, and not available to the public. Unless specifically authorized by law, third party providers of information and services shall not disclose personal information of an individual to anyone unless:

(a) Such individual has given explicit consent for the disclosure of such information to one or more others;

(b) The third-party provider of information and services has reason to believe that such disclosure is necessary to prevent, detect, protect against, or respond to past, present, or expected criminal or fraudulent conduct, identity theft, harassment, or deceptive or malicious activity;

(c) An emergency exists where there is an immediate danger of death or serious physical injury to an individual or substantial loss or destruction of property if the information is not disclosed; or

(d) The information is disclosed in accordance with RSA 507-H:3.

II. If a third party provider of information and services seeks to obtain consent from an individual to disclose to others personal information given to or held by such provider, the procedure by which it does so shall meet the following requirements:

(a) The communication to the individual by which consent is sought shall be simple, clear, and unambiguous; and shall state the purpose or purposes for which the information is to be disclosed;

(b) The communication shall be separate from any other communication sent to the individual by the third party provider of information and services; and

(c) The communication shall be structured so that the individual is required to respond by performing an affirmative act to "opt in" in order to grant consent.

507-H:3 Disclosure of Personal Information to Government Entities.

I. A third party provider of information and services may disclose to a government entity personal information of an individual without the consent of the individual in the following circumstances:

(a) When requested to do so by a government investigative, regulatory, administrative, or adjudicative body or agency acting within the scope of its authority.

(b) When required to do so by a subpoena duly issued by a government investigative, regulatory, administrative, or adjudicative body or agency acting within the scope of its authority, by a duly empaneled grand jury, or by a court.

(c) When compelled to do so pursuant to a duly issued search warrant or pursuant to a judicially recognized exception to the requirement for a search warrant.

(d) When requested by the division of emergency services and communications for purposes of responding or assisting with emergency 911 telecommunications.

(e) In an emergency, where the immediate danger of death or serious physical injury to an individual or substantial loss or destruction of property requires the disclosure, without delay, of personal information concerning a specific individual, telephone number, username, or other unique identifier, and where judicial process cannot be obtained in time to prevent the identified danger.

(f) When specifically authorized by other law.

II. When a government entity seeks the disclosure of personal information from a provider of information and services pursuant to RSA 507-H:3, I(a) or I(b), the request or demand for such information shall not require production of the information sooner than 10 days from the date the request or demand is made. Within 5 days of receiving such request or demand, the provider shall notify the individual to whom the information pertains that the request or demand has been made so that such individual has an opportunity to pursue judicial remedies to prevent compliance with the request or demand if there are valid grounds to do so; provided, however, that no such notice shall be given if (i) the government entity seeking the information demands that such notice not be provided and furnishes the provider with the basis of its authority to make such demand; or (ii) a court has issued an order that such notice not be given.

III. When a provider of information and services discloses personal information of an individual in an emergency situation covered by RSA 507-H:2, I(c), or when a government entity seeks disclosure of personal information from a provider of information and services pursuant to RSA 507-H:3, I(c), I(d), or I(e), the provider shall contemporaneously with such disclosure provide notice that it has made the disclosure to the individual to whom the information pertains; provided, however, that no such notice shall be given if (i) the government entity seeking the information demands that such notice not be provided and furnishes the provider with the basis of its authority to make such demand; or (ii) a court has issued an order that such notice not be given.

507-H:4 Waivers. No third party provider of information and services may require a waiver from the provisions of this chapter as a condition for any individual to do business with it.

507-H:5 Remedies.

I. Any person who knowingly violates the provisions of this chapter shall be guilty of a violation if a natural person, or guilty of a misdemeanor if any other person.

II. The attorney general shall have exclusive authority to bring a civil action against any third party provider of information and services who violates this chapter to recover on behalf of the public or any individual or entity aggrieved by such violation. In any such action, the attorney general shall be entitled to recover the greater of actual damages or $1,000 for each violation of this chapter.

III. Nothing in this chapter shall be construed as providing the basis for, or be subject to, a private right of action for violations under this chapter.

507-H:6 Federal Preemption. If federal law preempts any provision of this chapter, that provision shall not apply.

2 Regulation of Biometric Information; Collection of Biometric Data Prohibited. Amend RSA 359-N:2, I(c) to read as follows:

(c) Obtain, retain, or provide any individual's biometric data except as set forth in this chapter .

3 Effective Date. This act shall take effect on January 1, 2025.

Changed Version

Text to be added highlighted in green.

1 New Chapter; Expectation of Privacy. Amend RSA by inserting after chapter 507-G the following new chapter:

CHAPTER 507-H

EXPECTATION OF PRIVACY

507-H:1 Definitions. In this chapter:

I. "Available to the public" means personal information legally obtained directly or indirectly from either a third party provider of information and services or the individual to whom it relates, directly or through social media, whether or not offered for sale or obtainable without charge, by an individual or organization.

II. "Government entity" means municipal, county state or federal department, agency, board, commission, or employee, elected official, or contractor. "Government entity" shall not apply to a federal government agency to the extent that federal statute or the United States Constitution preempts such application.

III. "Personal information" means an individual's name, date or place of birth; social security number; address; employment history; credit history; financial and other account numbers; cellular telephone numbers; voice over Internet protocol or landline telephone numbers; location information; biometric identifiers including fingerprints, facial photographs or images, retinal scans, genetic profiles, and DNA/RNA data; or other identifying data unique to that individual.

IV. "Third party providers of information and services" means individuals or organizations that collect personal information about an individual in connection with providing the following kinds of services to that individual: cellular and land-line telephone, electric, water, or other utilities; Internet service providers; cable television; streaming services; social media services; email service providers; banks and financial institutions; insurance companies; and credit card companies.

507-H:2 Expectation of Privacy in Personal Information; Consent.

I. An individual shall have a reasonable expectation of privacy in personal information, including content and usage, given to or held by third party providers of information and services, and not available to the public. Unless specifically authorized by law, third party providers of information and services shall not disclose personal information of an individual to anyone unless:

(a) Such individual has given explicit consent for the disclosure of such information to one or more others;

(b) The third-party provider of information and services has reason to believe that such disclosure is necessary to prevent, detect, protect against, or respond to past, present, or expected criminal or fraudulent conduct, identity theft, harassment, or deceptive or malicious activity;

(c) An emergency exists where there is an immediate danger of death or serious physical injury to an individual or substantial loss or destruction of property if the information is not disclosed; or

(d) The information is disclosed in accordance with RSA 507-H:3.

II. If a third party provider of information and services seeks to obtain consent from an individual to disclose to others personal information given to or held by such provider, the procedure by which it does so shall meet the following requirements:

(a) The communication to the individual by which consent is sought shall be simple, clear, and unambiguous; and shall state the purpose or purposes for which the information is to be disclosed;

(b) The communication shall be separate from any other communication sent to the individual by the third party provider of information and services; and

(c) The communication shall be structured so that the individual is required to respond by performing an affirmative act to "opt in" in order to grant consent.

507-H:3 Disclosure of Personal Information to Government Entities.

I. A third party provider of information and services may disclose to a government entity personal information of an individual without the consent of the individual in the following circumstances:

(a) When requested to do so by a government investigative, regulatory, administrative, or adjudicative body or agency acting within the scope of its authority.

(b) When required to do so by a subpoena duly issued by a government investigative, regulatory, administrative, or adjudicative body or agency acting within the scope of its authority, by a duly empaneled grand jury, or by a court.

(c) When compelled to do so pursuant to a duly issued search warrant or pursuant to a judicially recognized exception to the requirement for a search warrant.

(d) When requested by the division of emergency services and communications for purposes of responding or assisting with emergency 911 telecommunications.

(e) In an emergency, where the immediate danger of death or serious physical injury to an individual or substantial loss or destruction of property requires the disclosure, without delay, of personal information concerning a specific individual, telephone number, username, or other unique identifier, and where judicial process cannot be obtained in time to prevent the identified danger.

(f) When specifically authorized by other law.

II. When a government entity seeks the disclosure of personal information from a provider of information and services pursuant to RSA 507-H:3, I(a) or I(b), the request or demand for such information shall not require production of the information sooner than 10 days from the date the request or demand is made. Within 5 days of receiving such request or demand, the provider shall notify the individual to whom the information pertains that the request or demand has been made so that such individual has an opportunity to pursue judicial remedies to prevent compliance with the request or demand if there are valid grounds to do so; provided, however, that no such notice shall be given if (i) the government entity seeking the information demands that such notice not be provided and furnishes the provider with the basis of its authority to make such demand; or (ii) a court has issued an order that such notice not be given.

III. When a provider of information and services discloses personal information of an individual in an emergency situation covered by RSA 507-H:2, I(c), or when a government entity seeks disclosure of personal information from a provider of information and services pursuant to RSA 507-H:3, I(c), I(d), or I(e), the provider shall contemporaneously with such disclosure provide notice that it has made the disclosure to the individual to whom the information pertains; provided, however, that no such notice shall be given if (i) the government entity seeking the information demands that such notice not be provided and furnishes the provider with the basis of its authority to make such demand; or (ii) a court has issued an order that such notice not be given.

507-H:4 Waivers. No third party provider of information and services may require a waiver from the provisions of this chapter as a condition for any individual to do business with it.

507-H:5 Remedies.

I. Any person who knowingly violates the provisions of this chapter shall be guilty of a violation if a natural person, or guilty of a misdemeanor if any other person.

II. The attorney general shall have exclusive authority to bring a civil action against any third party provider of information and services who violates this chapter to recover on behalf of the public or any individual or entity aggrieved by such violation. In any such action, the attorney general shall be entitled to recover the greater of actual damages or $1,000 for each violation of this chapter.

III. Nothing in this chapter shall be construed as providing the basis for, or be subject to, a private right of action for violations under this chapter.

507-H:6 Federal Preemption. If federal law preempts any provision of this chapter, that provision shall not apply.

2 Regulation of Biometric Information; Collection of Biometric Data Prohibited. Amend RSA 359-N:2, I(c) to read as follows:

(c) Obtain, retain, or provide any individual's biometric data except as set forth in this chapter or inRSA 507-H .

3 Effective Date. This act shall take effect on January 1, 2025.