New Hampshire Becomes 14th State to Enact Comprehensive Privacy Law
Key Takeaways: New Hampshire has officially become the fourteenth state to enact a comprehensive data privacy law after Governor Chris Sununu signed SB 255 into law on March 6, 2024. The New Hampshire law (the “Act”) closely tracks the Connecticut Data Privacy Act, with a few distinctions, including express opt-in consent requirements for the processing of sensitive data. The Act takes effect on January 1, 2025.
Applicability and Scope
The Act defines a “controller” as an individual or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data. The Act applies to entities that conduct business in New Hampshire or produce products or services that target New Hampshire residents if, during a one-year period, the entity either:
- Controlled or processed the personal data of a minimum of 35,000 New Hampshire consumers, excluding personal data controlled or processed solely for the purpose of completing a payment or transaction; or
- Controlled or processed the personal data of a minimum of 10,000 New Hampshire consumers and obtained more than 25% of their gross revenue from the sale of personal data.
There is no revenue threshold for applicability. The Act includes applicability exemptions consistent with most other state privacy laws, including exemptions for non-profit organizations, financial institutions subject to the Gramm–Leach–Bliley Act (“GLBA”) and data subject to the GLBA, and covered entities and business associates under the Health Insurance Portability and Accountability Act (“HIPAA”). Like every state comprehensive privacy law other than the California Consumer Privacy Act, the Act’s definition of “consumer” excludes individuals acting in an employment or business-to-business context.
Privacy Notice
The Act requires controllers to provide a reasonably accessible, clear, and meaningful privacy notice that includes:
- The categories of personal data processed by the controller
- The purpose(s) for processing personal data
- How consumers may exercise their rights, including how to appeal a controller’s decision on a request
- The categories of personal data the controller shares with third parties, and the categories of those third parties
- An active email address or other online mechanism consumers may use to contact the controller
- Whether the controller sells personal data to third parties or processes personal data for targeted advertising, and how consumers may opt out
Requirements for Processors
The Act defines a processor as “an individual who, or legal entity that, processes personal data on behalf of a controller.” A processor must follow the controller’s instructions and assist the controller in meeting its obligations under the Act, including by:
- Taking appropriate technical and organizational measures, insofar as reasonably practicable, to help the controller respond to consumer rights requests
- Assisting the controller in meeting its obligations regarding the security of processing and notification of security breaches
- Providing the controller with the information necessary to conduct and document data protection assessments
Consumer Rights
The Act gives consumers the right to:
- Confirm whether the controller is processing the consumer’s personal data and access that data
- Correct inaccuracies in their personal data
- Delete personal data provided by or obtained about the consumer
- Obtain a copy of their personal data processed by the controller in a portable and, to the extent technically feasible, readily usable format
- Opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects
Controllers must respond to a consumer request within 45 days of receipt. The controller may extend the response period by an additional 45 days where reasonably necessary, taking into account the complexity and number of the consumer’s requests, provided it notifies the consumer of the extension, and the reason for it, within the initial 45-day period.
If the controller declines to act on a request, it must notify the consumer within 45 days of receipt of the request, stating the justification for declining and providing instructions on how to appeal the decision. If the controller cannot authenticate a request using commercially reasonable efforts, it is not required to comply with the request; instead, it may ask the consumer for additional information reasonably necessary to authenticate the consumer and the request.
Consumers may designate an authorized agent to submit opt-out requests on their behalf. The controller must comply with an opt-out request submitted by an authorized agent unless it is unable to verify, using commercially reasonable efforts, the identity of the consumer and the agent’s authority to act on the consumer’s behalf.
Like Colorado, Connecticut, Montana, Oregon, Delaware, Texas, and New Jersey, the Act also requires controllers to honor opt-out requests sent through universal opt-out mechanisms (for example, a browser-level signal). Specifically, consumers may use such mechanisms to opt out of targeted advertising or the sale of their personal data.
Opt-In Consent Required for Processing of Sensitive Data
The Act defines sensitive data as personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify an individual; personal data of a known child; and precise geolocation data (data that locates an individual within a radius of 1,750 feet). Separately, a controller may not process a consumer’s personal data for targeted advertising, or sell that data, without the consumer’s consent where the controller has actual knowledge, and willfully disregards, that the consumer is at least thirteen but younger than sixteen years of age.
Opt-in consent from the consumer (or, for a known child under the age of 13, from the child’s parent or guardian in accordance with COPPA) is required to process sensitive data. Notably, the Act defines consent as a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to the processing of personal data relating to the consumer. Consent cannot be implied, and it cannot be obtained through acceptance of general or broad terms of use, through interaction with unrelated content (such as hovering over, muting, pausing, or closing a piece of content), or through the use of dark patterns.
Data Protection Assessment
Controllers must conduct and document a data protection assessment (“DPA”) for each processing activity that presents a heightened risk of harm to a consumer. Under the Act, activities that present a heightened risk of harm include: a) processing personal data for targeted advertising; b) the sale of personal data; c) processing personal data for profiling, where the profiling presents a reasonably foreseeable risk of unfair or deceptive treatment, unlawful disparate impact, financial, physical, or reputational injury, intrusion upon seclusion, or other substantial injury to consumers; and d) processing sensitive data. The DPA requirements apply to processing activities created or generated after July 1, 2024 and are not retroactive.
Enforcement
The Act takes effect on January 1, 2025. The Attorney General has exclusive authority to enforce the Act; there is no private right of action. Before initiating an action, the Attorney General may issue a notice of violation to the controller or processor if the Attorney General determines that a cure is possible. The recipient then has 60 days from receipt of the notice to cure the violation; if it fails to do so, the Attorney General may bring an enforcement action.
Beginning January 1, 2026, the 60-day cure period is no longer mandatory. From that date, the Attorney General may, in deciding whether to grant an opportunity to cure, consider:
- The number of violations
- Size and complexity of the entity
- Nature and extent of the entity’s processing activities
- Substantial likelihood of injury to the public
- Safety of persons or property
- Whether the violation was caused by human or technical error
Koley Jessen will continue to monitor updates related to New Hampshire’s new data privacy law. As new information becomes available, we will provide guidance accordingly. If you have questions regarding your business’s compliance with the law or need assistance with the required measures, please contact one of the specialists in Koley Jessen’s Data Privacy and Security Practice Area for support.
*Special thanks to Data Privacy & Cybersecurity Support Specialist Briseyda Garcia-Ticas for her contributions to this article.
This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.