Bill Text - HB314 (2024)

Relative to the expectation of privacy in the collection and use of personal information.


Revision: Dec. 1, 2022, 4:12 p.m.

 

2023 SESSION

23-0451.0

04/05

 

HOUSE BILL [bill number]

 

AN ACT relative to the expectation of privacy in the collection and use of personal information.

 

SPONSORS: [sponsors]

 

COMMITTEE: [committee]

 

─────────────────────────────────────────────────────────────────

 

ANALYSIS

 

This bill regulates the collection, retention, and use of personal information and establishes a cause of action for violations of an individual's expectation of privacy in personal information.

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Explanation: Matter added to current law appears in bold italics.

Matter removed from current law appears [in brackets and struckthrough.]

Matter which is either (a) all new or (b) repealed and reenacted appears in regular type.

23-0451.0

04/05

 

STATE OF NEW HAMPSHIRE

 

In the Year of Our Lord Two Thousand Twenty Three

 

AN ACT relative to the expectation of privacy in the collection and use of personal information.

 

Be it Enacted by the Senate and House of Representatives in General Court convened:

 

1  New Chapter; Expectation of Privacy.  Amend RSA by inserting after chapter 507-G the following new chapter:

CHAPTER 507-H

EXPECTATION OF PRIVACY

507-H:1  Definitions.  In this chapter:

I.  “Personal information” means an individual’s name, date or place of birth; social security number; address; employment history; credit history; financial and other account numbers; cellular telephone numbers; voice over Internet protocol or landline telephone numbers; location information; biometric identifiers including fingerprints, facial photographs or images, retinal scans, genetic profiles, and DNA/RNA data; or other identifying data unique to that individual.

II.  “Third party providers of information and services” means individuals or organizations which collect personal information about an individual in order to provide information or services to that individual, including but not limited to cellular and land-line telephone, electric, water, and other utility services; Internet service providers; cable television providers; streaming services; social media providers; email service providers; banks and financial institutions; insurance companies; and credit card companies.

III.  “Government entity” means municipal, county state or federal department, agency board, commission, or employee, elected official, or contractor.  “Government entity” shall not apply to a federal government agency to the extent that federal statute preempts such application.

507-H:2  Expectation of Privacy in Personal Information.  

I.  Except as otherwise provided in law, an individual shall have a reasonable expectation of privacy in personal information, including content and usage, given or available to third-party providers of information and services, and not available to the public.  

II.  No government entity shall, acquire, collect, retain, or use any personal information of any individual residing in New Hampshire from any third-party provider.  

III.  Paragraph II shall not apply to:

(a)  Personal information acquired, collected, retained, or used by any state regulatory or administrative agency when such acquisition, collection, retention, or use is within the agency’s regulatory, investigative, adjudicatory, or administrative function.

(b)  A warrant signed by a judge and based on probable cause has been issued or a judicially-recognized exception to the warrant requirement applies.

(c)  In the case of the division of emergency services and communications when handling emergency 911 telecommunications.

(d)  In an emergency where the immediate danger of death or serious physical injury to an individual requires the disclosure, without delay, of personal information concerning a specific individual and where a warrant cannot be obtained in time to prevent the identified danger.

(e)  Where the acquisition, collection, retention or use of personal information is authorized or required by state or federal law, provided that such personal information is requested of and supplied by a third-party provider of information and services for named individuals only or, in the case of employees and/or contractors of a third-party provider of information and services, for all of its employees and/or contractors.

(f)  Where the individual to whom personal information in the possession of third-party providers of information and services pertains:

(1)  Provides it to a government entity, but only for the purpose for which it is provided, including but not limited to credit card transactions and affinity programs; or

(2)  Authorizes access to it by a government entity, but only for the purpose for which such authorization is granted.

IV.  Any person violating the provisions of this section shall be guilty of a violation if a natural person, or guilty of a misdemeanor if any other person.

V.  A person who suffers injury as a result of a violation of this chapter shall be entitled to damages from the person who committed the violation of not less than $1,000 for each such violation and an award of costs and reasonable attorney fees.

507-H:3  Action Against a Nongovernment Entity.  This chapter shall not be construed to create a cause of action against a nongovernment entity for providing information to a government entity.

507-H:4  Federal Preemption.  If federal law preempts any provision of this chapter, that provision shall not apply.

2  Regulation of Biometric Information; Collection of Biometric Data Prohibited.  Amend RSA 359-N:2, I(c) to read as follows:

(c)  Obtain, retain, or provide any individual's biometric data except as set forth in this chapter or in RSA 507-H.

3  Effective Date.  This act shall take effect on January 1, 2024.