Following on the heels of passage of New Jersey’s state privacy law, on March 6, 2024, New Hampshire stamped its approval on its own comprehensive consumer privacy law. The law will take effect January 1, 2025 along with Delaware and Iowa.
The new law is not a major departure from the majority of the other existing privacy laws, so businesses’ current compliance efforts will translate well for compliance with the Granite State’s privacy law.
Scope
The law applies to persons that conduct business in New Hampshire or persons that produce products or services in New Hampshire that are targeted to New Hampshire residents that during a one-year period:
- Controlled or processed the personal data of at least 35,000 unique consumers, excluding personal data controlled or processed solely to complete a payment transaction; or
- Controlled or processed the personal data of at least 10,000 unique consumers and derived more than 25% of gross revenue from the sale of personal data.
Like many other state privacy laws, New Hampshire’s law contains exemptions for nonprofit organizations, higher education institutes, financial institutions regulated by Title V of the Gramm-Leach-Bliley Act, as well as organizations regulated by other laws, including the SEC Act and HIPAA. Similar to other state laws—with California as the notable exception—the New Hampshire law does not apply to personal data collected from an individual acting in a commercial or employment context.
Consumer Rights
New Hampshire’s privacy law offers the familiar slate of consumer rights to its residents. These include the rights to: (1) confirm whether or not a controller is processing the consumer’s personal data and access such personal data; (2) correct inaccuracies in the consumer’s personal data; (3) delete personal data provided by or obtained about the consumer; and (4) opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer. Consumers can exercise these rights through authorized agents and have the right to appeal decisions where a controller declined to take action on a request.
Controller & Processor Obligations
New Hampshire’s consumer privacy law does not add any novel obligations for controllers and processors, following the core responsibilities laid out in other state laws. These include, for example:
- Including mandatory provisions in contracts between controllers and processors;
- Conducting data protection assessments for controllers’ processing activities that present a heightened risk of harm to a consumers;
- Presenting consumers with a privacy notice;
- Responding to consumer requests within 45 days;
- Conspicuously disclosing sales of data to third parties or processing for targeted advertising;
- Implementing reasonable security measures; and
- Obtaining consent to process a consumer’s sensitive data.
Notably, controllers must also obtain consent to process the data of a child between ages 13 and 16 for the purposes of targeted advertising or sale, modifying similar obligations present in Delaware’s and New Jersey’s laws (which cover children 13-18 and 13-17, respectively).
The New Hampshire Attorney General will have exclusive enforcement over the new law, with a 60-day cure period for alleged violations during the first calendar year the law is in effect. The law does not specify any monetary penalties for violations.
The Patchwork Expands
The federal American Data Privacy and Protection Act (ADPPA) has not yet been reintroduced in the 118th Congress, and states are continuing to pass their own privacy legislation in the absence of a federal law – New Hampshire Governor Chris Sununu even called out “congressional inaction to establish national consumer protections” in his signing statement.
Before 2024 is over, more state privacy legislation is expected to be signed into law, underscoring the importance for businesses to establish processes that allow them to quickly identify when they are covered by a new law and what new obligations they may have, if any.