On March 6, 2024, New Hampshire Governor Chris Sununu signed Senate Bill 255 into law, making New Hampshire the 14th U.S. state to enact a comprehensive privacy law. The law, which becomes effective on January 1, 2025, is only enforceable by the state attorney general (AG), and provides a 60-day cure period for compliance violations for one year after enactment. After that, beginning on January 1, 2026, the AG will have the discretionary power to provide any cure period.
Applicability
The law applies to persons that conduct business in the state of New Hampshire or that produce products or services that are targeted to its residents. Specifically, it applies to those who, during a one-year period: (a) controlled or processed the personal data of no less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (b) controlled or processed the personal data of no less than 10,000 unique consumers and derived more than 25% of their gross revenue from the sale of personal data. The threshold requirements are typically lower compared to other states. For example, New Jersey, which only recently enacted its comprehensive privacy law, regulates businesses that “control or process the personal data of at least 100,000 consumers or control or process the personal data of at least 25,000 consumers (in line with Colorado, Connecticut, Iowa, Indiana, Oregon, and Virginia).” In contrast, California and Utah also established annual revenue thresholds in addition to thresholds on volume and sales.
Exemptions
The law, like other state privacy laws, carves out exemptions for certain entities and categories of data. For example, these exemptions include entities subject to Title V of the Gramm-Leach-Bliley Act, nonprofit organizations, and institutions of higher education to name a few. Additionally, the law provides data level exemptions, such as protected health information under HIPAA.
Consumer Rights
The new law provides consumers with a range of rights present in other comprehensive state privacy laws. These rights include the right to verify if a controller is processing their personal data; the right to rectify inaccuracies; the right to erase personal data; the right to receive a portable and easily usable copy of personal data; and the right to opt out of data processing for targeted advertising, personal data sales, or profiling that solely results in automated decisions with legal or similarly significant implications.
Expansive Definitions
In line with other comprehensive state privacy laws, New Hampshire will require that a business secure a consumer’s opt-in consent before processing sensitive data. The consent must be a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of their personal data. Additionally, under the new law, sensitive data is defined to encompass data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data.
Enforcement
The AG maintains exclusive authority to enforce violations under the law, with no provision for a private right of action. Additionally, the law does not explicitly specify any fines or penalties for noncompliance.
Final Take-Away
Three months into the new year, New Hampshire has become the second state to implement a comprehensive privacy law. While the law does not impose new obligations, it underscores the necessity for organizations to reassess privacy compliance programs to guarantee adherence to the plethora of existing state privacy laws and prepare for future ones.
