On January 18, the New Hampshire legislature passed on a bipartisan basis its version of the state comprehensive privacy law first adopted by Virginia in 2021 and subsequently by more than ten other states, most recently New Jersey. If signed by the governor, it will take effect on January 1, 2025, and New Hampshire will become the second New England state with a comprehensive privacy law.
Organizations operating in New Hampshire should pay attention to these developments, as should organizations elsewhere in New England. The region’s smaller states are seeking to have a bigger say in the protection of their residents’ personal information.
If signed, New Hampshire’s bill will impose disclosure obligations on entities that do business with New Hampshire residents and provide New Hampshire residents with access, deletion and consent rights. The bill resembles the Connecticut Data Privacy Act, without its subsequent amendments to specifically address consumer health data. If you’re reading this, you’re probably familiar with Connecticut’s and other states’ privacy laws, and this summary addresses only the high points or distinctions with other laws.
Applicability and compliance responsibilities
The law will apply to any individual or entity that conducts business in New Hampshire or that produce products or services that are targeted to residents of New Hampshire, so long as the individual or entity within a one-year period (a) controlled or proceeded the personal data of not less than 10,000 New Hampshire residents and derived more than 25 percent of their gross revenue from the sale of personal data or (b) controlled or proceeded the personal data of not less than 35,000 New Hampshire residents. But there are entity-level exceptions for New Hampshire state agencies, nonprofits, higher education, national securities associations, GLBA-regulated entities, and HIPAA covered entities and business associates.
Employment and business-to-business exceptions
Like the other states to adopt this style of comprehensive privacy law, the law is keyed to the definition of “consumer.” New Hampshire’s bill jettisons the other state’s definitions of consumer as an individual acting in an individual or household context, simplifying it as New Hampshire residents, full stop. But it excludes (like all but Tennessee) individuals acting in a commercial or employment context from the definition, with a broadly worded exception that roughly tracks the exception in Connecticut’s, Delaware’s and Montana’s laws: “individuals acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual’s rule with the company, partnership, sole proprietorship, nonprofit or government agency.” Moreover, like every state but New Jersey, there is an express data-level carveout for data processed or maintained for employment purposes. This carveout is worded similarly to the equivalent carveout in all of the similar state comprehensive privacy laws other than Colorado’s, New Jersey’s and Oregon’s.
Sensitive Data
Sensitive data is defined similarly to other laws, as personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status; processing personal genetic or biometric data for purposes of identifying an individual; personal data collected from a known child; or precise location data (within approximately one-third of a mile). Notably, precise location data excludes communication contents and data generated by or connected to advanced utility metering infrastructure systems. As in other comprehensive state privacy laws, GDPR-style affirmative consent is require to collect and process sensitive data.
Enforcement and Regulation
Like other state comprehensive privacy laws enacted to date, New Hampshire’s law would permit only the New Hampshire attorney general to enforce it and prohibits private claims. For the first year, there is a mandatory cure period before enforcement can commence; after that, a pre-enforcement right to cure is within the discretion of the New Hampshire attorney general based on six enumerated factors, such as the likelihood of injury to the public, number of violations, and how big or complex the controller or processor is. The bill as written does not contemplate adoption of regulations.
Expect Other New England States to Follow, in Their Own Way
The Massachusetts legislature is considering two dueling comprehensive privacy bills, one that was reported favorably out of committee in February 2022 and one that is modeled on the proposed American Data Privacy and Protection Act. Neither is modeled on the form of law that has been adopted by many states. And Vermont is considering its version of Washington’s “My Health My Data Act.” In short, among the six New England states, there are already four different approaches enacted or under serious consideration. Organizations operating in New England should be prepared to vary their compliance efforts within this region.
