New Hampshire: the 14th State to Enact a Comprehensive Privacy Law

On March 6, 2024, New Hampshire’s Governor signed Senate Bill 255 (the “Act”), making New Hampshire the fourteenth state to enact a comprehensive privacy law. The Act will take effect on January 1, 2025, and is substantially similar to the other state comprehensive privacy laws. The trend of enacting such laws with shorter periods between enactment and the effective date continues, presumably under the assumption that businesses can achieve compliance within such shorter timeframes because they comply with existing laws or because the new laws are intended to codify industry best practices that businesses already follow.

Applicability

The Act applies to persons or entities conducting business in New Hampshire or producing products or services that are targeted to residents of New Hampshire and that, during a one-year period, either:

  1. control or process the personal data of at least 35,000 unique consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or
  2. control or process the personal data of not less than 10,000 unique consumers and derive more than 25% of gross revenue from the sale of personal data.

The threshold numbers of consumers are lower than the thresholds used in some other state privacy laws but align with the thresholds used in Delaware’s law, which makes sense given relative population sizes. Of note, the Act does not apply to non-profit organizations and institutions of higher education. Other state comprehensive privacy laws vary on whether they apply to non-profits, with states recently trending towards including them. The Act goes against this trend.

Additionally, the Act does not apply to other entities, such as governmental entities and financial institutions governed by the Gramm-Leach-Bliley Act. It also includes exemptions for certain types of information, such as protected health information under HIPAA, personal data processed by a consumer reporting agency under the Fair Credit Reporting Act, and personal data regulated by the Family Educational Rights and Privacy Act.

Key Definitions

Like the majority of state comprehensive privacy laws, the Act narrowly defines “consumer” to mean an individual who is a New Hampshire resident and excludes individuals acting in a commercial or employment context. As a result, employee personal data and business-to-business personal data are not within the scope of the Act.

The Act governs a consumer’s “personal data” in addition to a special category of personal data known as “sensitive data,” which it defines as (i) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship status or immigration status; (ii) genetic or biometric data processed for the purpose of uniquely identifying an individual; (iii) personal data of a known child (i.e., an individual under thirteen); or (iv) precise geolocation data. Businesses should take note of the scope of “sensitive data” because the Act requires controllers to obtain consent from consumers before processing sensitive data or, in the case of processing of sensitive data of a known child, to process such data in accordance with the federal Children’s Online Privacy Protection Act (COPPA).

Under the Act, the “sale of personal data” means the exchange of personal data for monetary consideration or other valuable consideration by the controller to a third party, which aligns with the definitions in the state comprehensive privacy laws in California, Connecticut, Colorado, Delaware, Montana, New Jersey, Florida, Texas, and Oregon. The Act also includes broad exceptions to the definition of “sale” that are similar to exceptions in other state comprehensive privacy laws and likely cover many ordinary business activities such as disclosure of personal data to a processor who processes the personal data on behalf of a controller, transfers of personal data to an affiliate or a controller, or disclosure of personal data to a third party for the purpose of providing a product or service requested by a consumer.

Compliance

For the most part, the Act contains compliance obligations that are substantially similar to those found in the other state comprehensive privacy laws, including the requirement for controllers to provide a compliant privacy notice to consumers and to enter into contracts with processors that process personal data on their behalf. Further, like the privacy laws in Colorado, Connecticut, Delaware, Florida, Indiana, Montana, New Jersey, Tennessee, Texas, Virginia, and Oregon, the Act requires controllers to conduct and document data protection assessments of any processing activities that involve personal data used in targeted advertising, the sale of personal data, the processing of sensitive data, or, in certain instances, profiling. Of note, although the Act takes effect on January 1, 2025, data protection assessment requirements apply to processing activities created or generated after July 1, 2024. Businesses should take this into account when planning their compliance efforts.

Consumer Rights and Requests

Like the other state comprehensive privacy laws, a core component of the Act is that it grants consumers rights regarding their personal data. Specifically, the Act grants consumers the right to make requests to (1) confirm whether a controller is processing the consumer’s personal data and access such personal data; (2) correct inaccuracies in their personal data (taking into account the nature of the personal data and the purposes of processing such data); (3) delete their personal data; (4) obtain a copy of their personal data; and (5) opt out of the processing of their personal data for targeted advertising, the sale of personal data, or certain types of profiling.

The Act provides that a consumer may exercise these rights under a secure and reliable means to be established by the New Hampshire Secretary of State. Looking to the secretary of state to establish consumer request methods is unique to the Act. As of the date of this article, the New Hampshire Secretary of State has not established such methods.

When a consumer requests to exercise these rights, the Act grants a controller 45 days to respond, which may be extended once by an additional 45 days when reasonably necessary considering the complexity and number of the consumer’s requests. Additionally, the Act requires a controller to provide consumers with an appeals process if it denies a consumer’s request, and a controller has 60 days to respond to an appeal. Such an appeal process is now common, with only the state comprehensive privacy laws in California and Utah not containing a right to appeal.

Enforcement and Rulemaking Authority

Importantly, the Act has no private right of action. Instead, the New Hampshire Attorney General’s Office has exclusive enforcement authority. From January 1, 2025, until December 31, 2025, the New Hampshire Attorney General must issue a notice and grant a controller a 60-day cure period before any enforcement action is taken, as long as a cure is possible. Beginning January 1, 2026, the Attorney General may extend this cure period in its discretion.

A violation of the Act constitutes an unfair method of competition or an unfair or deceptive act or practice under New Hampshire law, which allows for civil penalties of up to $10,000 per violation.

Conclusion

The number of state comprehensive privacy laws continues to increase, and businesses' compliance efforts should continue to evolve. Although these laws contain many similarities, businesses should be mindful of their distinctions. Developing and maintaining compliance efforts with the state comprehensive privacy laws is important for all covered businesses.
