Bill Summary – FastDemocracy

HB 1680-FN - AS INTRODUCED

2020 SESSION

20-2535

05/04

HOUSE BILL 1680-FN

AN ACT relative to the collection of personal information by businesses.

SPONSORS: Rep. Muscatel, Graf. 12; Rep. Indruk, Hills. 34

COMMITTEE: Commerce and Consumer Affairs

ANALYSIS

This bill grants consumers the right to request that a business disclose the type of personal information it collects, the purpose for which it is collected, and the categories of third parties with which it is shared. The bill authorizes consumers to opt out of the sale of their personal information. The bill also establishes a private right of action and provides for further enforcement by the attorney general.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Explanation: Matter added to current law appears in bold italics.

Matter removed from current law appears [in brackets and struckthrough.]

Matter which is either (a) all new or (b) repealed and reenacted appears in regular type.

20-2535

05/04

STATE OF NEW HAMPSHIRE

In the Year of Our Lord Two Thousand Twenty

AN ACT relative to the collection of personal information by businesses.

Be it Enacted by the Senate and House of Representatives in General Court convened:

1 New Chapter; Collection of Personal Information by Businesses. Amend RSA by inserting after chapter 359-Q the following new chapter:

CHAPTER 359-R

COLLECTION OF PERSONAL INFORMATION BY BUSINESSES

359-R:1 Definitions. In this chapter:

I. Aggregate consumer information means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device. Aggregate consumer information does not mean one or more individual consumer records that have been deidentified.

II. Biometric information means an individual s physiological, biological or behavioral characteristics, including an individual s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.

III. Business means:

(a) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers personal information, that does business in the state of New Hampshire, and that satisfies one or more of the following thresholds:

(1) Has annual gross revenues in excess of $25,000,000, as adjusted pursuant to RSA 359-R:13, I(e).

(2) Alone or in combination, annually buys, receives for the business s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.

(3) Derives 50 percent or more of its annual revenues from selling consumers personal information.

(b) Any entity that controls or is controlled by a business, as defined in subparagraph (a), and that shares common branding with the business. Control or controlled means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. Common branding means a shared name, service mark, or trademark.

IV. Business purpose means the use of personal information for the business s or a service provider s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected. Business purposes are:

(a) Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.

(b) Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.

(d) Short-term, transient use, provided the personal information that is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.

(e) Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.

(f) Undertaking internal research for technological development and demonstration.

(g) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.

V. Collects, collected, or collection means buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer s behavior.

VI. Commercial purposes means to advance a person s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction. Commercial purposes do not include for the purpose of engaging in speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism.

VII. Consumer means a natural person who is a New Hampshire resident, however identified, including by any unique identifier.

VIII. Deidentified means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information:

(a) Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.

(b) Has implemented business processes that specifically prohibit reidentification of the information.