HB 523 - AS INTRODUCED
HOUSE BILL 523
AN ACT relative to limitations on the use of biometric information.
SPONSORS: Rep. Kurk, Hills. 2; Rep. King, Hills. 33; Rep. Cushing, Rock. 21; Sen. Avard, Dist 12; Sen. Feltes, Dist 15
COMMITTEE: Commerce and Consumer Affairs
This bill regulates the collection, retention, and use of biometric information by individuals and private entities.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Explanation: Matter added to current law appears in bold italics.
Matter removed from current law appears [in brackets and struckthrough.]
Matter which is either (a) all new or (b) repealed and reenacted appears in regular type.
STATE OF NEW HAMPSHIRE
In the Year of Our Lord Two Thousand Seventeen
AN ACT relative to limitations on the use of biometric information.
Be it Enacted by the Senate and House of Representatives in General Court convened:
1 Short Title. This act may be cited as the Biometric Information Privacy Act.
2 Legislative Findings; Intent. The general court finds all of the following:
I. The use of biometrics is growing in the business and security screening sectors and appears to promise streamlined financial transactions and security screenings.
II. Biometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.
III. An overwhelming majority of members of the public are wary of the use of biometrics when such information is tied to finances and other personal information.
IV. Despite limited state law regulating the collection, use, safeguarding, and storage of biometrics, many members of the public are deterred from partaking in biometric identifier-facilitated transactions.
V. The full ramifications of biometric technology are not fully known.
VI. The public welfare, security, and safety will be served by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.
3 New Subdivision; Limitations on the Use of Biometric Identifiers. Amend RSA 359-N by inserting after section 4 the following new subdivision:
Limitations on the Use of Biometric Identifiers
359-N:5 Definitions. In this subdivision:
I.(a) "Biometric identifier" means a retina or iris scan, fingerprint, voiceprint, or record of facial or hand geometry.
(b) Biometric identifiers do not include:
(1) Writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color.
(2) Donated organs, tissues, or parts as defined in the New Hampshire Anatomical Gift Act or blood or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency.
(3) Information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.
(4) An X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose or treat an illness or other medical condition or to further validate scientific testing or screening.
II. "Biometric information" means any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.
III. "Confidential and sensitive information" means personal information that can be used to uniquely identify an individual or an individual's account or property. Examples of confidential and sensitive information include, but are not limited to, a genetic marker, genetic testing information, a unique identifier number to locate an account or property, an account number, a PIN number, a pass code, a driver's license number, or a social security number.
IV. "Person" means any individual, partnership, corporation, limited liability company, association, or other group, however organized.
V. "Written release" means informed written consent or, in the context of employment, a release executed by an employee as a condition of employment.
359-N:6 Retention; Collection; Disclosure; Destruction.
I. A person in possession of biometric identifiers or biometric information shall develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of its collection, whichever occurs first. Absent a valid warrant or subpoena issued by a judge of a court of competent jurisdiction, a person or government in possession of biometric identifiers or biometric information shall comply with its established retention schedule and destruction guidelines.
II. No person may collect, capture, purchase, receive through trade, or otherwise obtain an individual's or a customer's biometric identifier or biometric information, unless the person first:
(a) Informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;
(b) Informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
(c) Receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.
III. No person in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit or benefit from a person's or a customer's biometric identifier or biometric information.
IV. No person in possession of a biometric identifier or biometric information may disclose, re-disclose, or otherwise disseminate an individual's or a customer's biometric identifier or biometric information unless:
(a) The subject of the biometric identifier or biometric information or the subject's legally authorized representative consents to the disclosure or re-disclosure;
(b) The disclosure or re-disclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject's legally authorized representative;
(c) The disclosure or re-disclosure is required by state or federal law; or
(d) The disclosure is required pursuant to a valid warrant or subpoena issued by a judge of a court of competent jurisdiction.
V. A person in possession of a biometric identifier or biometric information shall store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the person or government stores, transmits, and protects other confidential and sensitive information.
VI. No person shall refuse to employ an individual or refuse to do business with an individual who declines to consent to or declines to execute a written release with respect to the collection, capture, purchase, receipt through trade or otherwise obtaining of the individual's biometric identifier or biometric information.
359-N:7 Right of Action. Any person aggrieved by a violation of this subdivision shall have a right of action against an offending party. A prevailing party may recover for each violation:
I. Against a person that negligently violates a provision of this subdivision, liquidated damages of $1,000 or actual damages, whichever is greater;
II. Against a person that intentionally or recklessly violates a provision of this subdivision, liquidated damages of $5,000 or actual damages, whichever is greater;
III. Reasonable attorneys' fees and costs, including expert witness fees and other litigation expenses; and
IV. Other relief, including an injunction, as the court may deem appropriate.
I. Nothing in this chapter shall be construed to impact the admission or discovery of biometric identifiers and biometric information in any action of any kind in any court, or before any tribunal, board, agency, or person.
II. Nothing in this chapter shall be construed to conflict with the federal Health Insurance Portability and Accountability Act of 1996 and the rules promulgated thereunder.
III. Nothing in this chapter shall be deemed to apply in any manner to a financial institution or an affiliate of a financial institution to the extent that it conflicts with Title V of the federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated thereunder.
4 Section Heading; Reference Change. Amend the section heading of RSA 359-N:2 to read as follows:
359-N:2 Limitation on the Collection of Biometric Data by Government Agencies [Prohibited].
5 Regulation of Biometric Data Collected by Government Agency; Violation; Reference Change. Amend the introductory paragraph of RSA 359-N:4 to read as follows:
359-N:4 Violation; Civil Action Against Government Agency. Any individual aggrieved by a violation of [this chapter] RSA 359-N:2 or RSA 359-N:3, including the loss or misuse of biometric data lawfully collected under RSA 359-N:2 or RSA 359-N:3, may bring a civil action against a government agency under this section to obtain the following:
6 Effective Date. This act shall take effect January 1, 2018.