New Hampshire. On March 6, 2024, New Hampshire Governor Chris Sununu signed the state’s first comprehensive consumer privacy bill into law. The New Hampshire Privacy Act (the “NHPA”) is now the fourteenth such law to be passed in the United States, joining likes of California, Oregon, Montana, Iowa, Indiana, and Tennessee, just to name a few. The NHPA is slated to take effect January 1, 2025 and will be enforced by the New Hampshire Attorney General.
Like many of its predecessors, the NHPA provides New Hampshire residents with rights to access, correct, and delete their personal information. Likewise, it also requires businesses to provide consumers with a comprehensive privacy notice, obtain affirmative consent before processing sensitive data, and allow consumers to opt out of the sale of their personal data.
A few other noteworthy provisions include recognition of universal opt-out mechanisms (a hot topic for states like Colorado, which just announced the first universal opt-out mechanism the Attorney General will consider valid), and requiring affirmative consent before processing sensitive personal information, including information of children under the age of 13.
The NHPA also provides a narrow rulemaking provision by which the New Hampshire Secretary of State will establish standards for privacy notices and the means by which consumers may exercise their rights.
New Jersey. Additionally, earlier this year, New Jersey’s governor signed into law a comprehensive privacy law (the “New Jersey Data Privacy Law,” or NJDPL). New Jersey’s new law follows closely with other comprehensive privacy laws outside of California. Businesses transacting in the state will have less than one year from the date the law was signed to come into compliance, as the law will take effect January 15, 2025.
Following in the path of other states that have passed comprehensive privacy laws, New Jersey’s application thresholds are based on the number of New Jersey consumers whose data the business controls or processes. Like other state comprehensive privacy laws, the NJDPL does not apply to data collected by entities covered by HIPAA, financial institutes or data covered by the Gramm Leach Bliley Act, or insurance companies. Notably, there are no exceptions for non-profits, higher education, or data covered by the Family Educational Rights and Privacy Act (FERPA).
The NJDPL contains a noteworthy definition of “sensitive data,” which is set apart from other state privacy laws by the inclusion of certain financial information. “Financial information” includes account numbers and login information in confirmation with a security code or password that would allow access to the account. Controllers cannot process sensitive data (including financial information) without first obtaining the consumer’s consent, and such processing is subject to additional data processing assessments as it poses a “heightened risk” of harm to a consumer.
Like the New Hampshire law discussed above, New Jersey’s law includes rights of access, correction, deletion, portability, and to opt-out of processing for the purpose of targeted advertising. Data controllers must limit the collection of personal data to what is “adequate, relevant, and reasonably necessary” in regard to the purpose of processing and the disclosure to consumers. Additionally, the controller must provide a privacy notice that includes categories of data processed and what may be shared with third parties. The controller must provide information to the consumer on how to exercise their rights under the act, as well as contact information (an email address) for doing so. A controller who receives a verified request from a consumer has 45 days to respond.
The NJDPL does not include a private right to action but gives the New Jersey Division of Consumer Affairs rulemaking authority. The New Jersey Attorney General has the power to enforce the law, and violations are considered unlawful practices under the state’s Consumer Fraud Act. Until July 1, 2025, if the Division of Consumer Affairs issues a notice to a controller informing them that they are in violation of the law, the controller will have a thirty day cure period to come into compliance before any enforcement action may be brought.
What’s Next? With both New Hampshire’s and New Jersey’s laws going into effect in January 2025, 2024 will be a busy year. Texas’ comprehensive privacy law goes into effect in July 2024 and Montana follows in October 2024. The remaining provisions of the Washington My Health My Data Act go into effect within weeks on March 31, 2024 for non-small businesses and June 30, 2024 for small businesses. (The geofencing provisions are already in effect.) Florida’s Digital Bill of Rights Act also will go into effect in July of this year for the narrow band of entities covered by the statute. For 2025, in addition to New Hampshire and New Jersey, the comprehensive privacy laws in Delaware and Iowa go into effect in January 2025. Tennessee’s law is effective in July 2025. Only Indiana and Oregon’s laws go into effect in 2026. With the growing patchwork of state laws, multi-state businesses must weigh whether to adopt a one size fits all approach, or continue with piecemeal compliance.
