This bill introduces new regulations concerning the collection, retention, and use of personal information, and it establishes a cause of action for violations of an individual's expectation of privacy. Personal information is defined broadly to include items such as an individual's name, social security number, address, employment and credit history, phone numbers, location information, biometric identifiers, and other unique data. The bill prohibits government entities from acquiring, collecting, retaining, or using personal information from third-party providers unless certain conditions apply, such as regulatory functions, warrants based on probable cause, emergency situations, or when the individual has provided or authorized access to their information.

The bill includes exceptions where government entities may collect personal information, such as for regulatory or administrative functions, with a warrant, during emergencies, or when required by law. Violations of the bill's provisions can result in penalties, including a minimum of $1,000 in damages for each violation, plus costs and attorney fees. The bill also amends RSA 359-N:2, I(c) to include RSA 507-H in the regulation of biometric information. The fiscal impact of the bill is indeterminate, as it is unclear how many charges would be brought under the new regulations. The bill is set to take effect on January 1, 2024. There are insertions and deletions in the bill, such as the insertion of "or in RSA 507-H" in the regulation of biometric information and the deletion of fiscal impact categories that are not applicable.

Statutes affected:
Introduced: 359-N:2