On March 6, 2024, New Hampshire joined the steadily expanding number of states adopting a comprehensive data privacy law, when Governor Chris Sununu signed SB 225 (the "New Hampshire Privacy Act"). The law will take effect January 1, 2025.
In this latest in our series of articles on US State Data Privacy Laws, we summarize the key components of the New Hampshire Privacy Act.
To whom does the New Hampshire Privacy Act apply?
New Hampshire’s law imposes obligations on "controllers"—individuals or legal entities that determine the purpose and means of processing personal data—who either conduct business in the state of New Hampshire or produce products or services targeted to residents of New Hampshire and who, within a one-year period, either:
- Control or process the personal data of at least 35,000 unique New Hampshire consumers; or
- Control or process personal data of 10,000 unique New Hampshire consumers and derive more than 25% of gross revenue from the sale of personal data. "Sale" of data includes exchange for not only monetary compensation but also "other valuable consideration."
"Personal data" is any information that is "linked or reasonably linkable to an identified or identifiable individual" and excludes publicly available or de-identified information.
Like other state privacy laws, the New Hampshire law exempts several categories of entities, including state and municipal government agencies; financial institutions and data regulated by the Gramm-Leach-Bliley Act; registered broker-dealers; nonprofit organizations; higher education institutions; and HIPAA-covered entities and business associates. Certain types of information and data are also exempted, including: consumer credit-reporting data; data covered by the Driver's Privacy Protection Act, the Family Educational Rights and Privacy Act, the Fair Credit Reporting Act, and the Farm Credit Act; data covered by HIPAA and other health care statutes; and data processed or maintained for emergency contact purposes.
What rights does the New Hampshire Privacy Act give to consumers?
New Hampshire consumers, defined as New Hampshire residents acting only in a personal capacity, will gain rights that are largely consistent with other states’ data privacy regimes. Consumers may:
- Confirm whether a controller is processing their personal data and access that data, unless providing confirmation and access would require the controller to reveal a trade secret;
- Correct inaccuracies in their personal data;
- Delete their personal data;
- Obtain a copy, in an accessible format, of their personal data processed by the controller (i.e., data portability); and
- Opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their personal data, or profiling. The New Hampshire law allows consumers to opt out using universal opt-out mechanisms.
The New Hampshire law requires controllers who receive a request from a consumer seeking to exercise these rights to respond to the consumer within 45 days, unless it is reasonably necessary, due to the extent or complexity of the request, to extend that time and the controller notifies the consumer of the extension within 45 days.
Controllers must also establish a process by which consumers can appeal a denial of their request within a reasonable time after the denial is communicated. The appeal process must be "conspicuously available and similar to the process for submitting [initial requests]." The controller must respond to an appeal within 60 days, and if the controller denies an appeal, it must provide an online or other method for the consumer to submit a complaint to the New Hampshire Attorney General.
What obligations does the New Hampshire Privacy Act impose on controllers and processors?
New Hampshire's law requires controllers to provide consumers a "reasonably accessible, clear, and meaningful" privacy notice that includes: the categories of personal data the controller processes; its purposes for processing the data; the categories of third parties to which it may disclose the personal data and which categories of data it may disclose; information on how consumers may exercise their rights and appeal the controller's decisions; and an active email address or other online mechanism for the consumer to contact the controller directly.
Controllers must also:
- Limit the collection of personal data to what is "adequate, relevant, and reasonably necessary" in relation to the disclosed purposes with which the data is processed—unless the controller obtains the consumer’s consent;
- Establish and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity and accessibility of personal data that are appropriate for the volume and type of data;
- Disclose to consumers if they sell personal data to third parties or process personal data for targeted advertising and provide a clear and conspicuous link on their website for consumers to opt out; "sale" of personal data is broadly defined, like the California and Connecticut laws, to include not only monetary consideration but also exchange for "other valuable consideration";
- Not process "sensitive data" without the consumer’s consent, or in the case of a known child, in accordance with COPPA. Sensitive data is defined in the New Hampshire Privacy Act as: personal data revealing racial or ethnic origin; religious beliefs; mental or physical health diagnosis; sex life or sexual orientation; citizenship or immigration status; genetic or biometric data that could identify an individual; data collected from a known child; and geolocation data;
- Provide a mechanism for the consumer to revoke consent that is as easy as the mechanism they used to provide consent;
- Not process data in violation of state and federal laws prohibiting discrimination;
- Conduct a data protection impact assessment on the processing of personal data created or generated on or after July 1, 2024 that presents a heightened risk of harm to the consumer. Such processing includes targeted advertising, processing sensitive data, selling personal data, and profiling, where the profiling presents a reasonably foreseeable risk of: unfair or deceptive treatment of, or unlawful disparate impact on, consumers; financial, physical or reputational injury to consumers; or a physical or other intrusion upon their "solitude or seclusion, or the private affairs, or concerns" where that intrusion would offend a reasonable person. The New Hampshire Attorney General may review an assessment for compliance with the law. Data protection impact assessments that a controller conducted to comply with other states' laws of a similar scope and effect may also be used to comply with this requirement.
Like the data privacy laws of some other states, including California, Connecticut, New Jersey and Texas, the New Hampshire Data Privacy Act requires controllers to allow consumers to opt out of processing their personal data by using universal opt-out mechanisms ("UOOMs").
The New Hampshire Data Privacy Law requires data processors to "assist the controller in meeting [its] obligations" under the law. A controller and processor must enter into a binding contract that governs their data processing, including requiring processors to protect confidentiality of the data (including ensuring each person processing personal data is subject to a duty of confidentiality), and to delete or return personal data to the controller when requested.
Enforcement
The New Hampshire Attorney General will have exclusive enforcement authority, and there is no private right of action available under this act. For the first year the New Hampshire Data Privacy Act is in effect, it provides controllers a 60-day period to cure alleged violations before an enforcement action may proceed, if a cure is possible. Beginning January 1, 2026, a controller or processor will only be allowed to cure at the discretion of the Attorney General, taking into consideration a list of factors, including the number of violations, the size and complexity of the controller or processor, the likelihood of harm to the public, and whether the alleged violation was probably caused by human or technical error.
The New Hampshire Privacy Act states that violations of that Act will constitute violations of the state’s broader Regulation of Business Practices for Consumer Protection (Title 358-A), under which each violation can incur civil penalties of up to $10,000. The Attorney General may also bring an action for injunctive relief to curb identified violations.
Key Aspects of the New Hampshire Data Privacy Act
- Obtain Consent Before Processing Sensitive Data. Like some, but not all, other state data privacy laws, New Hampshire will require controllers to obtain the consumer's consent before processing their sensitive data.
- Allows for Universal Opt Outs. Like several other states that have passed comprehensive data privacy laws, New Hampshire will require controllers to allow consumers to communicate their privacy preferences through UOOMs.
- One-Year 60-Day Cure Provision. Unlike some other state data privacy laws that sunset their cure provisions after an initial period, the New Hampshire Attorney General will have continuing discretion after January 1, 2026, to provide an opportunity to rectify alleged deficiencies.
- Civil Penalties. The potential of civil penalties of up to $10,000 per violation could lead to substantial fines for controllers or processors unprepared to implement the law or to cure within the prescribed period.
White & Case’s Data Privacy and Cybersecurity team will continue to provide updates on this law and any related rules and regulations. Please reference our US Data Privacy Guide and other client alerts for general steps to take to comply with US State Data Privacy Laws.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2024 White & Case LLP