Revision: March 25, 2025, 3:31 p.m.
Rep. McFarlane, Graf. 18
Rep. Lynn, Rock. 17
March 25, 2025
2025-1372h
07/08
Floor Amendment to HB 195-FN
Amend the bill by replacing all after the enacting clause with the following:
1 New Chapter; Protections from Disclosure of Personal Information. Amend RSA by inserting after chapter 507-H the following new chapter:
CHAPTER 507-I
PROTECTIONS FROM DISCLOSURE OF PERSONAL INFORMATION
507-I:1 Definitions. In this chapter:
I. “Available to the public” means personal information about an individual which is widely known or readily accessible to the public and in which an individual could not have a reasonable expectation of privacy.
II. “Government entity” means municipal, county state or federal department, agency, board, commission, or employee, elected official, or contractor. “Government entity” shall not apply to a federal government agency to the extent that federal statute or the United States Constitution preempts such application.
III. “Personal information” means an individual’s name, date or place of birth; social security number; address; employment history; credit history; financial and other account numbers; cellular telephone numbers; voice over Internet protocol or landline telephone numbers; location information; biometric identifiers including fingerprints, facial photographs or images, retinal scans, genetic profiles, and DNA/RNA data; or other identifying data unique to that individual.
IV. “Third party providers of information and services” means individuals or organizations that collect personal information about an individual in connection with providing the following kinds of services to that individual: cellular and land-line telephone, electric, water, or other utilities; Internet service providers; cable television; streaming services; social media services; email service providers; banks and financial institutions; insurance companies; and credit card companies.
507-I:2 Protection from Disclosure of Personal Information; Consent.
I. An individual shall have a reasonable expectation of privacy in personal information, including content and usage, given to or held by third party providers of information and services, and not available to the public. Unless specifically authorized by law, third party providers of information and services shall not disclose to anyone personal information of an individual that is not available to the public unless:
(a) Such individual has given explicit consent for the disclosure of such information to one or more others;
(b) The third-party provider of information and services has reason to believe that such disclosure is beneficial to prevent, detect, protect against, or respond to past, present, or expected criminal or fraudulent conduct, identity theft, harassment or deceptive or malicious or unauthorized or abusive activity, or other threats to the reliability, survivability or resilience of critical infrastructure;
(c) Personal information may be disclosed in an emergency where there is an immediate danger of death or serious physical injury to an individual, and where obtaining a warrant is impractical due to the urgency of the situation. If disclosure occurs without a warrant, the requesting entity shall seek judicial review within 72 hours to justify the disclosure or have the data expunged. Failure to seek judicial review within the required timeframe shall result in the automatic suppression of any information obtained and a civil penalty of up to $10,000 per violation;
(d) The information is disclosed in accordance with RSA 507-I:3; or
(e) The information is disclosed as necessary to provide the service that the individual has requested, including disclosure to subcontractors, service providers, partners, or other vendors who are employed for the provision, maintenance, security, or support of the requested service, provided that such third parties shall not use the information for other unrelated purposes.
II. If a third-party provider of information and services seeks to obtain consent from an individual to disclose to others personal information given to or held by such provider, the procedure by which it does so shall meet the following requirements:
(a) The communication to the individual by which consent is sought shall be simple, clear, and unambiguous; and shall state the purpose or purposes for which the information is to be disclosed;
(b) The communication shall be separate from any other communication sent to the individual by the third-party provider of information and services; and
(c) The communication shall be structured so that the individual is required to respond by performing an affirmative act to “opt in” in order to grant consent.
III. Any third-party provider of information and services that discloses personal information to subcontractors, vendors, partners or service providers for the purposes of fulfilling a requested service shall require such third parties to maintain reasonable data security measures and to restrict the use of the data to the specific purposes for which they were shared.
507-I:3 Disclosure of Personal Information to Government Entities.
I. A third-party provider of information and services may disclose to a government entity personal information of an individual without the consent of the individual in the following circumstances:
(a) When requested to do so by a government investigative, law enforcement, regulatory, administrative, or adjudicative body or agency acting within the scope of its authority.
(b) When required to do so by a subpoena duly issued by a government investigative, law enforcement, regulatory, administrative, or adjudicative body or agency acting within the scope of its authority, by a duly empaneled grand jury, or by a court.
(c) When compelled to do so pursuant to a duly issued search warrant or pursuant to a judicially recognized exception to the requirement for a search warrant.
(d) When requested by the division of emergency services and communications for purposes of responding or assisting with emergency 911 telecommunications.
(e) In an emergency, where the immediate danger of death or serious physical injury to an individual or substantial loss or destruction of property requires the disclosure, without delay, of personal information concerning a specific individual, telephone number, username, or other unique identifier, and where judicial process cannot be obtained in time to prevent the identified danger.
(f) When specifically authorized by other law.
II. Unless the government entity can show good cause for requiring compliance more promptly, when a government entity seeks the disclosure of personal information from a third-party provider of information and services pursuant to RSA 507-I:3, I(a) or I(b), the request or demand for such information shall not require production of the information sooner than 10 days from the date the request or demand is made. Within 5 days of receiving such request or demand, the third-party provider shall notify the individual to whom the information pertains that the request or demand has been made so that such individual has an opportunity to pursue judicial remedies to prevent compliance with the request or demand if there are valid grounds to do so; provided, however, that no such notice shall be given if (a) the government entity seeking the information requests that such notice not be provided and demonstrates good cause for making such request; or (b) a court has
issued an order that such notice not be given.
III. When a third-party provider of information and services discloses personal information of an individual in an emergency situation covered by RSA 507-I:2, I(c), or when a government entity seeks disclosure of personal information from a third-party provider of information and services pursuant to RSA 507-I:3, I(c), I(d), or I(e), the provider shall promptly after such disclosure provide notice that it has made the disclosure to the individual to whom the information pertains; provided, however, that no such notice shall be given if (a) the government entity seeking the information demands that such notice not be provided and demonstrates good cause for making such request; or (b) a court has issued an order that such notice not be given.
507-I:4 Waivers. No third-party provider of information and services may require a waiver from the provisions of this chapter as a condition for any individual to do business with it.
507-I:5 Remedies.
I. Any person who knowingly violates the provisions of this chapter shall be guilty of a violation if a natural person, or guilty of a misdemeanor if any other person.
II. The attorney general shall have exclusive authority to bring a civil action against any third party provider of information and services who violates this chapter to obtain declaratory or injunctive relief and to recover monetary damages on behalf of the public or any individual or entity aggrieved by such violation. In any such action, the attorney general shall be entitled to recover the greater of actual damages or $1,000 for each violation of this chapter.
III. An individual whose personal information has been unlawfully disclosed in violation of this chapter may bring a civil action for damages against the violating entity, limited to actual damages or statutory damages of up to $5,000 per violation. Attorney’s fees and injunctive relief may be awarded if a court finds willful or reckless disregard for this chapter. This section shall not apply to disclosures made in good faith reliance on a court order, warrant, or subpoena.
507-I:6 Federal Preemption. If federal law preempts any provision of this chapter, that provision shall not apply.
2 Regulation of Biometric Information; Collection of Biometric Data Prohibited. Amend RSA 359-N:2, I(c) to read as follows:
(c) Obtain, retain, or provide any individual's biometric data except as set forth in this chapter or in RSA 507-I.
3 Effective Date. This act shall take effect on January 1, 2026.