New Hampshire Enacts Comprehensive Data Privacy Law


On March 6, 2024, New Hampshire Governor Chris Sununu signed into law SB 255-FN, An Act Relative to the Expectation of Privacy (the “Act”), making New Hampshire the 14th state to enact a comprehensive data privacy law — joining California, Colorado, Connecticut, Delaware, Texas, and others. The Act will take effect on January 1, 2025.

Applicability

The Act generally applies to businesses operating in New Hampshire or producing products or services targeted to New Hampshire residents that, during a one-year period, either (i) controlled or processed the personal data of at least 35,000 unique consumers (excluding personal data controlled or processed solely to complete a payment transaction); or (ii) controlled or processed the personal data of at least 10,000 unique consumers and derived over 25% of their gross revenue from the sale of personal data.

The Act contains broad exemptions for certain types of entities, including New Hampshire governmental entities, nonprofit organizations, higher education institutions, and financial institutions subject to Title V of the Gramm-Leach-Bliley Act. The Act also exempts certain enumerated categories of consumer information, including protected health information under the Health Insurance Portability and Accountability Act (HIPAA).

Consumer Rights

Similar to other comprehensive data privacy laws, the Act provides certain rights to New Hampshire residents to protect their personal data, including the right to (i) confirm whether a business is processing their personal data, and access such data; (ii) correct inaccuracies in their personal data; (iii) direct the deletion of their personal data; (iv) obtain a portable copy of their personal data processed by the business; and (v) opt out of the use of personal data for targeted advertising and certain types of profiling as well as most sales of personal data.

Requirements Imposed on Businesses

The Act sets forth specific requirements for businesses. Under the Act, businesses are required to, among other things, (i) limit the collection of personal data to that which is adequate, relevant, and reasonably necessary for the uses that have been disclosed to the consumer; (ii) establish, implement, and maintain reasonable data security measures to protect consumers’ personal data; and (iii) respond to, and comply with the provisions of the Act relating to, the exercise by New Hampshire residents of their consumer rights (and not discriminate against any consumers who exercise such rights).

The Act contains additional requirements for businesses as well, including:

Privacy Notices. The Act requires businesses to provide consumers with a reasonably accessible, clear, and meaningful privacy notice and outlines specific information that the notice must contain, including the types of personal data processed by the business, the purposes for which such data is processed, and how consumers may exercise their rights relating to such data (including the process for appealing any adverse decisions relating to the exercise of their consumer rights).

Data Protection Assessments. Businesses are required to conduct a data protection assessment for any processing that poses a heightened risk of harm to consumers, including the processing of personal data for targeted advertising, the sale of personal data, and the processing of personal data for certain types of profiling.

Sensitive Data. Under the Act, businesses must comply with heightened requirements relating to genetic and biometric data, data relating to minors, precise geolocation data, and other sensitive data (such as data revealing racial or ethnic origin, religious beliefs, health conditions, sexual orientation, or immigration status). For instance, businesses cannot process sensitive data without first obtaining the consumer’s consent, or process sensitive data relating to a known minor without complying with the provisions of the federal Children’s Online Privacy Protection Act.

Vendor Relationships. Third parties that process personal data (“processors”) on behalf of a business subject to the Act (a “controller”) are also subject to specific provisions of the Act. More specifically, processors must comply with data processing instructions provided by the controller and must assist the controller in complying with the Act, such as by assisting with responses to consumer requests and keeping personal data secure. The Act also requires that controllers enter into a binding contract with each of their processors and specifies a number of provisions that each such contract must contain.

Opt-Out Preference Signals. Under the Act, businesses must allow consumers to opt out of personal data processing for targeted advertising and sales of personal data through an opt-out preference signal.

Enforcement

The Act does not provide individual consumers with a private right of action; instead, the Act grants the New Hampshire Attorney General exclusive enforcement authority. Until December 31, 2025, the Attorney General must provide a 60-day cure period for alleged violations if the Attorney General determines that a cure is possible. Beginning in 2026, the Attorney General may continue to provide a cure period, but is not required to do so; in making such determination, the Attorney General may consider the size and complexity of the business, the number of violations, and the substantial likelihood of public injury, among other factors. A violation of the Act constitutes an unfair method of competition or unfair or deceptive act or practice under New Hampshire law (to be enforced by the Attorney General).

Concluding Thoughts

While state comprehensive data privacy laws share many similarities, each state’s privacy law contains unique distinctions. Businesses need to be mindful of such distinctions, particularly given that privacy law applicability is not determined by the state in which a business is located or primarily conducts business, but where a business’s consumers are located.

This article is only a summary of the Act; the text of the statute should be consulted for further information.


For more information on the topics above or on other state comprehensive privacy laws, please reach out to a member of Hinckley Allen’s Cybersecurity, Privacy & Data Protection Group.