New Hampshire’s New Law is on the Books

2023 was a record-breaking year, with legislators in Delaware, Indiana, Iowa, Montana, Oregon, Tennessee and Texas passing comprehensive data privacy laws, joining California, Colorado, Connecticut, Utah and Virginia. Already 2024 is on pace to beat 2023’s record year, as New Hampshire (New Hampshire Privacy Act, SB 255-FN), New Jersey (New Jersey Privacy Act, SB 332) and Kentucky (HB 15) lawmakers have already passed comprehensive privacy laws.

This post will provide the details and information you and your business need to know about the New Hampshire Privacy Act (NHPA), signed into law by Governor Sununu in March. 

Applicability Criteria

The NHPA applicability criteria mirrors the Virginia law and applies to any business or person that produces products or services that are targeted to residents of New Hampshire, and either: (i) controls or processes the personal data of at least 35,000 unique New Hampshire consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (ii) controls or processes the personal data of at least 10,000 unique New Hampshire consumers and derives more than 25% of its gross revenue from the sale of personal data. In passing this law, New Hampshire becomes the first state to add the “unique” descriptor to consumers in this context (though most practitioners have read this qualifying language into other state privacy laws.

The notion of “consumer” as used in the NHPA means an individual who is a resident of New Hampshire. It does not include individuals acting in a commercial or employment context. This important distinction is the predominant approach we are seeing adopted by the states, with the notable exception being California.

Exemptions

The NHPA does not apply to:

• New Hampshire government entities (or of any political subdivision of New Hampshire)
• Financial institutions and affiliates, or data subject to the federal GLBA
• National securities associations registered under the Exchange Act
• Covered entities or business associates governed by certain rules under HIPAA
• Nonprofit organizations
• Institutions of higher education
• Public utilities or service companies affiliated with a public utility
• Certain research data or employment-related information; and
• Information governed by federal laws, such as HIPAA, Driver’s Privacy Protection Act, the Airline Deregulation Act, the Controlled Substances Act, the Family Educational Rights and Privacy Act, the Fair Credit Reporting Act or the Farm Credit Act

Consumer Rights

Consumers who are New Hampshire residents will be able to exercise the following rights under the NHPA:

• Right to confirm whether or not their personal data is processed (unless such confirmation or access would require the controller to reveal a trade secret)
• Right to access their personal data
• Right to correct inaccuracies in their personal data (limited to data the consumer previously provided)
• Right to deletion of their personal data
• Right to portability of their personal data
• Right to opt-out of the processing of their personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling through automated means

Business Obligations to Consumers

The NHPA looks a lot like the business-friendly regulation enacted in Virginia two years ago, Here are some of the compliance obligations on the horizon for those businesses:

• Respond to consumer requests under the NHPA without undue delay, but not later than 45 days of receipt of such request (may be extended an additional 45 days when reasonably necessary so long as the controller notifies the consumer of their intent to extend)
• Provide required information to consumers free of charge, once per twelve-month period
• Use commercially reasonable efforts to authenticate requests 
• Establish a process for consumers to appeal any refusal to take action on a consumer request

Notices to Consumers

• Businesses must provide consumers with a “reasonably accessible, clear and meaningful” privacy notice that meets standards established by the Secretary of State of New Hampshire, including: 
  • Categories of personal data processed by the business; 
  • The purpose of processing personal data; 
  • How consumers may exercise their consumer rights (including how a consumer may appeal a business’s decision with regard to a consumer’s request);
  • Categories of personal data that the business may share with third parties;
  • Categories of third parties with which the business shares personal data; and 
  • An active email address or online mechanism that the consumer may use to contract the business.
• Businesses must “clearly and conspicuously” disclose any sale of personal data or use of personal data for targeted advertising (and how to opt-out of such sale or use)
• Businesses must establish (and describe in a privacy notice), one or more secure and reliable means for consumers to submit a request to exercise their consumer rights, including:  
  • A clear and conspicuous link on the businesses website enabling opt-out of targeted advertising or sale of the consumers personal data; and 
  • Not later than January 1, 2025, allow a consumer to opt-out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of such personal data.

Other Business Obligations

The Do’s:

• Conduct and document data protection impact assessments for certain data processing activities created or generated after July 1, 2024 (not retroactive), which include extensive requirements and an obligation to provide assessments to the Attorney General upon request
• Data Minimization:  Limit collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the disclosed purposes for which such data is processed
• No Surprises:  Process personal data solely for disclosed purposes or purposes compatible with disclosures, unless the consumer consents (noting that aggregate data is excluded from the definition of personal data)
• Establish, implement, and maintain data security practices

And the Do Not’s:

• Do not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers
• Do not discriminate against a consumer for exercising any consumer rights, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to consumers
• Do not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children's Online Privacy Protection Act 

“Sensitive data” will include (1) personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status; (2) the processing of genetic or biometric data for the purpose of uniquely identifying an individual; (3) personal data collected from a known child; or, (4) precise geolocation data (within a radius of 1,750 feet). 

Impacts on Vendors/Data Processors

Vendors that are data processors have direct obligations under the NHPA, such as adhering to instructions from data controllers, assisting data controllers with their own compliance obligations, assisting data controllers with data protection impact assessments, and required subcontractor flow-down obligations.

The NHPA also contains specific requirements that must be included in data processing agreements between data controllers and data processors.

Private right of action

Like comprehensive data privacy laws in most other states where they have been enacted (except California’s limited private right related to data breaches), the NHPA does not provide for a private right of action. The NHPA will be enforced exclusively by New Hampshire’s Attorney General and, before initiating an enforcement action, the New Hampshire AG must provide 60 days’ prior written notice of an alleged violation and an opportunity to cure the violation. Beginning in January 2026, the cure period becomes discretionary, and the state AG may consider providing a cure period for a violation by considering certain specified factors.

Fines and Penalties

Civil penalties are not specified, but the AG may bring violations as constituting an unfair method of competition or any unfair or deceptive act or practice under N.H. Rev. Stat. §358-A:2.

Effective Date for NHPA

January 1, 2025. 

[View source.]