HB 1650-FN - AS INTRODUCED
2026 SESSION
26-3111
12/08
HOUSE BILL 1650-FN
AN ACT relative to an age-appropriate design code.
SPONSORS: Rep. Litchfield, Rock. 32; Rep. Nadeau, Rock. 4; Rep. Thibault, Merr. 25; Rep. L. Miner, Rock. 7; Rep. Terry, Belk. 7
COMMITTEE: Commerce and Consumer Affairs
-----------------------------------------------------------------
ANALYSIS
This bill establishes an age-appropriate design code which limits businesses' ability to collect and use the personal data of minors in the state. The bill also limits what may be considered publicly available information which businesses may collect and use, and authorizes the attorney general to establish rules to enforce such provisions.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Explanation: Matter added to current law appears in bold italics.
Matter removed from current law appears [in brackets and struckthrough.]
Matter which is either (a) all new or (b) repealed and reenacted appears in regular type.
26-3111
12/08
STATE OF NEW HAMPSHIRE
In the Year of Our Lord Two Thousand Twenty-Six
AN ACT relative to an age-appropriate design code.
Be it Enacted by the Senate and House of Representatives in General Court convened:
1 New Subdivision; Age-Appropriate Design Code Act. Amend RSA 359-C by inserting after section 21 the following new subdivision:
Age-Appropriate Design Code Act
359-C:22 Definitions. For the purposes of this subdivision:
I. "Affiliate” means a legal entity that shares common branding with another legal entity or controls, is controlled by, or is under common control with another legal entity.
II. "Control" or "controlled" means:
(a) Ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company;
(b) Control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or
(c) The power to exercise controlling influence over the management of a company.
III. “Age assurance” encompasses a range of methods used to determine, estimate, or communicate the age or an age range of an online user.
IV. “Age range” means either an interval with an upper and lower age limit or a label indicating age above or below a specific age.
V. “Algorithmic recommendation system” means a system that uses an algorithm to select, filter, and arrange media on a covered business’s website for the purpose of selecting, recommending, or prioritizing media for a user.
VI.(a) “Biometric data” means data generated from the technological processing of an individual’s unique biological, physical, or physiological characteristics that allow or confirm the unique identification of the consumer, including:
(1) Iris or retina scans;
(2) Fingerprints;
(3) Facial or hand mapping, geometry, or templates;
(4) Vein patterns;
(5) Voice prints or vocal biomarkers; and
(6) Gait or personally identifying physical movement or patterns.
(b) “Biometric data” does not include:
(1) A digital or physical photograph;
(2) An audio or video recording; or
(3) Any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.
VII. “Business associate” has the same meaning as in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
VIII. “Collect” means buying, renting, gathering, obtaining, receiving, or accessing any personal data by any means. This includes receiving data from the consumer, either actively or passively, or by observing the consumer’s behavior.
IX. “Compulsive use” means the repetitive use of a covered business’s service that materially disrupts one or more major life activities of a minor, including sleeping, eating, learning, reading, concentrating, communicating, or working.
X.(a) “Consumer” means an individual who is a resident of the state.
(b) “Consumer” shall not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the covered business occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit, or government agency.
XI. “Covered business” means a sole proprietorship, partnership, limited liability company, corporation, association, other legal entity, or an affiliate thereof:
(a) That conducts business in this state;
(b) That generates a majority of its annual revenue from online services;
(c) Whose online products, services, or features are reasonably likely to be accessed by a minor;
(d) That collects consumers’ personal data or has consumers’ personal data collected on its behalf by a processor; and
(e) That alone or jointly with others determines the purposes and means of the processing of consumers personal data.
XII. “Covered entity” has the same meaning as in HIPAA.
XIII. “Covered minor” is a consumer who a covered business actually knows is a minor or labels as a minor pursuant to age assurance methods in rules adopted by the attorney general.
XIV. “Default” means a preselected option adopted by the covered business for the online service, product, or feature.
XV. “De-identified data” means data that does not identify and cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to the individual, if the covered business that possesses the data:
(a)(1) Takes reasonable measures to ensure that the data cannot be used to re-identify an identified or identifiable individual or be associated with an individual or device that identifies or is linked or reasonably linkable to an individual or household; and
(2) For purposes of subparagraph (a) "reasonable measures” includes the de-identification requirements set forth under 45 C.F.R. § 164.514;
(b) Publicly commits to process the data only in a de-identified fashion and not attempt to re-identify the data; and
(c) Contractually obligates any recipients of the data to comply with all provisions of this subdivision.
XVI. “Derived data” means data that is created by the derivation of information, data, assumptions, correlations, inferences, predictions, or conclusions from facts, evidence, or another source of information or data about a minor or a minor’s device.
XVII. “Genetic data” means any data, regardless of its format, that results from the analysis of a biological sample of an individual, or from another source enabling equivalent information to be obtained, and concerns genetic material, including deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), epigenetic markers, uninterpreted data that results from analysis of the biological sample or other source, and any information extrapolated, derived, or inferred therefrom.
XVIII. “Identified or identifiable individual” means an individual who can be readily identified, directly or indirectly, including by reference to an identifier such as a name, an identification number, specific geolocation data, or an online identifier.
XIX. “Known adult” is a consumer who a covered business actually knows is an adult or labels as an adult pursuant to age assurance methods in rules adopted by the attorney general.
XX. “Minor” means an individual under 18 years of age.
XXI. “Online service, product, or feature” means a digital product that is accessible to the public via the Internet, including a website or application, and does not mean any of the following:
(a) Telecommunications service, as defined in 47 U.S.C. § 153;
(b) A broadband Internet access service as defined in 47 C.F.R. § 54.400; or
(c) The sale, delivery, or use of a physical product.
XXII.(a) “Personal data” means any information, including derived data and unique identifiers, that is linked or reasonably linkable, alone or in combination with other information, to an identified or identifiable individual or to a device that identifies, is linked to, or is reasonably linkable to one or more identified or identifiable individuals in a household; and
(b) Personal data does not include de-identified data or publicly available information.
XXIII. “Process” or “processing” means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, modification, or otherwise handling of personal data.
XXIV. “Processor” means a person who processes personal data on behalf of:
(a) A covered business;
(b) Another processor; or
(c) A federal, state, tribal, or local government entity.
XXV. “Profiling” means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects, including an individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, movements, or identifying characteristics.
XXVI.(a) “Publicly available information” means information that:
(1) Is made available through federal, state, or local government records or to the general public from widely distributed media; or
(2) A covered business has a reasonable basis to believe that the consumer has lawfully made available to the general public.
(b) “Publicly available information” does not include:
(1) Biometric data collected by a business about a consumer without the consumer’s knowledge;
(2) Information that is collated and combined to create a consumer profile that is made available to a user of a publicly available website either in exchange for payment or free of charge;
(3) Information that is made available for sale;
(4) An inference that is generated from the information described in subparagraphs (b)(2) and (b)(3) of this paragraph;
(5) Any obscene visual depiction, as defined in 18 U.S.C. § 1460;
(6) Personal data that is created through the combination of personal data with publicly available information;
(7) Genetic data, unless otherwise made publicly available by the consumer to whom the information pertains;
(8) Information provided by a consumer on a website or online service made available to all members of the public, for free or for a fee, where the consumer has maintained a reasonable expectation of privacy in the information, such as by restricting the information to a specific audience; or
(9) Intimate images, authentic or computer-generated, known to be non-consensual.
XXVII. “Reasonably likely to be accessed” means an online service, product, or feature that is reasonably likely to be accessed by a covered minor based on any of the following indicators:
(a) The online service, product, or feature is directed to children, as defined by the Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506 and the Federal Trade Commission rules implementing that Act;
(b) The online service, product, or feature is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by an audience that is composed of at least two percent minors two through 17 years of age;
(c) The audience of the online service, product, or feature is determined, based on internal company research, to be composed of at least two percent minors two through 17 years of age; or
(d) The covered business knew or should have known that at least two percent of the audience of the online service, product, or feature includes minors two through 17 years of age, provided that, in making this assessment, the business shall not collect or process any personal data that is not reasonably necessary to provide an online service, product, or feature with which a minor
is actively and knowingly engaged.
XXVIII.(a) “Social media platform” means a public or semipublic Internet-�based service or application that is primarily intended to connect and allow a user to socially interact within such service or application and enables a user to:
(1) Construct a public or semipublic profile for the purposes of signing into and using such service or application;
(2) Populate a public list of other users with whom the user shares a social connection within such service or application; or
(3) Create or post content that is viewable by other users, including content on message boards and in chat rooms, and that presents the user with content generated by other users.
(b) “Social media platform” does not mean a public or semipublic Internet-based service or application that:
(1) Exclusively provides email or direct messaging services; or
(2) Is used by and under the direction of an educational entity, including a learning management system or a student engagement program.
XXIX “Third party” means a natural or legal person, public authority, agency, or body other than the covered minor or the covered business.
359-C:23 Exclusions. This subdivision shall not apply to:
I. A federal, state, tribal, or local government entity in the ordinary course of its operation;
II. Protected health information that a covered entity or business associate processes in accordance with, or documents that a covered entity or business associate creates for the purpose of complying with, HIPAA;
III. Information used only for public health activities and purposes described in 45 C.F.R. § 164.512;
IV. Information that identifies a consumer in connection with:
(a) Activities that are subject to the Federal Policy for the Protection of Human Subjects as set forth in 45 C.F.R. Part 46;
(b) Research on human subjects undertaken in accordance with good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use;
(c) Activities that are subject to the protections provided in 21 C.F.R. Part 50 and 21 C.F.R. Part 56; or
(d) Research conducted in accordance with the requirements set forth in subparagraphs (a), (b), and (c) of this paragraph or otherwise in accordance with state or federal law;
V. An entity whose primary purpose is journalism and that has a majority of its workforce consisting of individuals engaging in journalism; and
VI. A financial institution subject to Title V of the Gramm-Leach-Bliley Act and regulations adopted to implement that act.
359-C:24 Duty of Care.
I. A covered business that processes a covered minor’s data in any capacity owes a minimum duty of care to the covered minor.
II. As used in this subdivision, “a minimum duty of care” means the use of the personal data of a covered minor and the design of an online service, product, or feature will not result in:
(a) Reasonably foreseeable emotional distress to a covered minor;
(b) Reasonably foreseeable compulsive use of the online service, product, or feature by a covered minor; or
(c) Discrimination against a covered minor based upon race, ethnicity, sex, disability, sexual orientation, gender identity, gender expression, religion, or national origin.
III. The content of the media viewed by a covered minor shall not establish emotional distress, compulsive use, or discrimination, as those terms are used in subparagraph (2)(b) of this section.
IV. Nothing in this section shall be construed to require a covered business to prevent or preclude a covered minor from accessing or viewing any piece of media or category of media.
359-C:25 Privacy Settings.
I. A covered business shall configure all default privacy settings provided to a covered minor through the online service, product, or feature to the highest level of privacy, including the following default settings:
(a) Not displaying the existence of the covered minor’s account on a social media platform to any known adult user unless the covered minor has expressly and unambiguously allowed a specific known adult user to view their account or has expressly and unambiguously chosen to make their account’s existence public;
(b) Not displaying media created or posted by the covered minor on a social media platform to any known adult user unless the covered minor has expressly and unambiguously allowed a specific known adult user to view their media or has expressly and unambiguously chosen to make their media publicly available;
(c) Not permitting any known adult users to like, comment on, or otherwise provide feedback on the covered minor’s media on a social media platform unless the covered minor has expressly and unambiguously allowed a specific known adult user to do so;
(d) Not permitting direct messaging on a social media platform between the covered minor and any known adult user unless the covered minor has expressly and unambiguously decided to allow direct messaging with a specific known adult user;
(e) Not displaying the covered minor’s location to other users, unless the covered minor expressly and unambiguously shares their location with a specific user;
(f) Not displaying the users connected to the covered minor on a social media platform unless the covered minor expressly and unambiguously chooses to share the information with a specific user;
(g) Disabling search engine indexing of the covered minor’s account profile; and
(h) Not sending push notifications to the covered minors.
II. A covered business shall not:
(a) Provide a covered minor with a single setting that makes all of the default privacy settings less protective at once; or
(b) Request or prompt a covered minor to make their privacy settings less protective, unless the change is strictly necessary for the covered minor to access a service or feature they have expressly and unambiguously requested.
III. A covered business shall:
(a) Provide a prominent, accessible, and responsive tool to allow a covered minor to request the covered minor’s account on a social media platform be unpublished or deleted; and
(b) Honor that request not later than 15 days after a covered business receives the request.
359-C:26 Transparency. A covered business shall prominently and clearly provide on their website or mobile application:
I. The covered business’ privacy information, terms of service, policies, and community standards;
II. The purpose of each algorithmic recommendation system in use by the covered business;
III. Inputs used by the algorithmic recommendation system and how each input:
(a) Is measured or determined;
(b) Uses the personal data of covered minors;
(c) Influences the recommendation issued by the system; and
(d) Is weighed relative to the other inputs reported in this paragraph; and
IV. Descriptions, for every feature of the service that uses the personal data of covered minors, of:
(a) The purpose of the service feature;
(b) The personal data collected by the service feature;
(c) The personal data used by the service feature;
(d) How the personal data is used by the service feature;
(e) Any personal data transferred to or shared with a processor or third party by the service feature, the identity of the processor or third party, and the purpose of the transfer or sharing; and
(f) How long the personal data is retained.
359-C:27 Prohibited Data and Design Practices. A covered business shall not:
I. Collect, sell, share, or retain any personal data of a covered minor that is not necessary to provide an online service, product, or feature with which the covered minor is actively and knowingly engaged;
II. Use previously collected personal data of a covered minor for any purpose other than a purpose for which the personal data was collected, unless necessary to comply with any obligation under this chapter;
III. Permit any individual, including a parent or guardian of a covered minor, to monitor the online activity of a covered minor or to track the location of the covered minor without providing a conspicuous signal to the covered minor when the covered minor is being monitored or tracked;
IV. Use the personal data of a covered minor to select, recommend, or prioritize media for the covered minor, unless the personal data is:
(a) The covered minor’s express and unambiguous request to receive:
(1) Media from a specific account, feed, or user, or to receive more or less media from that account, feed, or user;
(2) A specific category of media, such as “cat videos” or “breaking news,” or to see more or less of that category of media; or
(3) More or less media with similar characteristics as the media they are currently viewing;
(b) User-selected privacy or accessibility settings; or
(c) A search query, provided the search query is only used to select and prioritize media in response to the search; or
V. Send push notifications to a covered minor between 12:00 a.m. (midnight) and 6:00 a.m.
359-C:28 Age Assurance Privacy. During the process of conducting age assurance, covered businesses and processors shall:
I. Only collect personal data of a user that is strictly necessary for age assurance;
II. Immediately upon determining whether a user is a covered minor, delete any personal data collected of that user for age assurance, except the determination of the user’s age range;
III. Not use any personal data of a user collected for age assurance for any other purpose;
IV. Not combine personal data of a user collected for age assurance, except the determination of the user’s age range, with any other personal data of the user;
V. Not disclose personal data of a user collected for age assurance to a third party that is not a processor; and
VI. Implement a review process to allow users to appeal their age determination.
359-C:29 Rulemaking.
I. The attorney general shall, on or before January 1, 2027, adopt rules pursuant to RSA
359-C:27 that prohibits data processing or design practices of a covered business that, in the opinion of the attorney general, lead to compulsive use or subvert or impair user autonomy, decision making, or choice during the use of an online service, product, or feature of the covered business. The attorney general shall, at least once every 2 years, review and update these rules as necessary to keep pace with emerging technology.
II. The attorney general shall, on or before January 1, 2027, adopt rules pursuant to RSA
359-C:28, II that identify commercially reasonable and technically feasible methods for covered businesses and processors to determine if a user is a covered minor, describing appropriate review processes for users appealing their age designations, and providing any additional privacy protections for age assurance data. The attorney general shall periodically review and update these rules as necessary to keep pace with emerging technology. In adopting these rules, the attorney general shall:
(a) Prioritize user privacy and accessibility over the accuracy of age assurance methods; and
(b) Consider:
(1) The size, financial resources, and technical capabilities of covered businesses and processors;
(2) The costs and effectiveness of available age assurance methods;
(3) The impact of age assurance methods on users’ safety, utility, and experience;
(4) Whether and to what extent transparency measures would increase consumer trust in an age assurance method; and
(5) The efficacy of requiring covered businesses and processors to:
(i) Use previously collected data to determine user age;
(ii) Adopt interoperable age assurance methods; and
(iii) Provide users with multiple options for age assurance.
III. The attorney general shall adopt rules pursuant to RSA 359-C:30 relative to the enforcement of this subdivision. Such rulemaking authority shall include the ability to conduct civil investigations, bring civil actions, and enter into assurances of discontinuance.
359-C:30 Enforcement.
I. A covered business or processor that violates this subdivision or rules adopted pursuant to this subdivision commits an unfair or deceptive act in trade or commerce in violation of RSA 358-A:2. II. Nothing in this subdivision shall be interpreted or construed to:
(a) Impose liability in a manner that is inconsistent with 47 U.S.C. section 230; or
(b) Prevent or preclude any covered minor from deliberately or independently searching for, or specifically requesting, any media.
III. Nothing in this subdivision may be construed to infringe on the existing rights and freedoms of covered minors or be construed to discriminate against the covered minors based on race, ethnicity, sex, disability, sexual orientation, gender identity, gender expression, religion, or national origin.
IV. If any provision of this subdivision or the application thereof to any person or circumstance is held invalid, the invalidity does not affect other provisions or applications of the subdivision which can be given effect without the invalid provisions or applications, and to this end the provisions of the subdivision are severable.
2 Effective Date. This act shall take effect January 1, 2027.
LBA
26-3111
12/1/25
HB 1650-FN- FISCAL NOTE
AS INTRODUCED
AN ACT relative to an age-appropriate design code.
FISCAL IMPACT:
| |
Estimated State Impact |
| FY 2026 | FY 2027 | FY 2028 | FY 2029 |
Revenue | $0 | $0 | $0 | $0 |
Revenue Fund | None |
Expenditures* | Indeterminable |
Funding Source | General Fund |
Appropriations* | $0 | $0 | $0 | $0 |
Funding Source | None |
*Expenditure = Cost of bill *Appropriation = Authorized funding to cover cost of bill |
|
Estimated Political Subdivision Impact |
| FY 2026 | FY 2027 | FY 2028 | FY 2029 |
County Revenue | $0 | $0 | $0 | $0 |
County Expenditures | Indeterminable |
Local Revenue | $0 | $0 | $0 | $0 |
Local Expenditures | Indeterminable |
METHODOLOGY:
This bill adds, deletes, or modifies a criminal penalty, or changes statute to which there is a penalty for violation. Therefore, this bill may have an impact on the judicial and correctional systems, which could affect prosecution, incarceration, probation, and parole costs, for the state, as well as county and local governments. A summary of such costs can be found at: https://gencourt.state.nh.us/lba/Budget/Fiscal_Notes/JudicialCorrectionalCosts.pdf
AGENCIES CONTACTED:
Judicial Branch, Judicial Council, Department of Justice, Department of Corrections, New Hampshire Association of Counties, and New Hampshire Municipal Association