New Hampshire’s Comprehensive Data Privacy Legislation

Because New Hampshire is home to the headquarters of the International Association of Privacy Professionals, many have been watching the development of the state's comprehensive consumer data privacy law with great interest, wondering whether it may be a practical model for the nation. On March 6, 2024, Governor Chris Sununu signed SB 255-FN (“the Act”) into law. In some respects, New Hampshire's privacy law is more moderate than other state laws. For instance, the New Hampshire Secretary of State's rulemaking authority under the Act is currently limited to establishing requirements for privacy notices, a narrow grant that diverges from the broad rulemaking authority conferred by California, Colorado, and other states. The Act does not allow for a private right of action. There is a right to cure alleged violations through the first year the law is in force; afterwards, the opportunity to cure is left to the Attorney General's discretion. The legislation will take effect on January 1, 2025.

Scope of Applicability

The Act applies to any person that conducts business in New Hampshire, or that provides products or services targeted at residents of New Hampshire, and that, during a one-year period, controls or processes either:

  • The personal data of 35,000 or more unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • The personal data of 10,000 or more unique consumers, while deriving more than 25 percent of the person’s annual gross revenue from the sale of personal data.

Importantly, the definition of “consumer” is limited to individuals residing in New Hampshire and excludes both employee and business-to-business (B2B) data. “Sale” is defined broadly as the “exchange of personal data for monetary or other valuable consideration” by the controller to a third party, with exceptions for publicly available data and for data disclosed to processors, to affiliates, or to third parties as part of a merger or acquisition.

Notable Exemptions

The Act contains a number of noteworthy entity-level exclusions, including but not limited to nonprofits, state entities, institutions of higher education, financial institutions subject to Title V of the Gramm-Leach-Bliley Act, and entities subject to the Health Insurance Portability and Accountability Act (HIPAA). There are also data-level exclusions for HIPAA data and other enumerated health data types, as well as specified credit, driver, educational, employee, airline, and controlled substances data.

Sensitive Data

The Act broadly defines “sensitive data” as (i) data that reveals a consumer’s racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual activity, sexual orientation, or citizenship or immigration status; (ii) genetic or biometric data for the purpose of uniquely identifying an individual; (iii) data belonging to a known child under the age of 13; and (iv) precise geolocation data (capable of identifying the specific location of an individual within a radius of 1,750 feet).

The Act requires opt-in consent for any processing of sensitive data, and controllers must comply with the Children’s Online Privacy Protection Act (COPPA) in order to process the sensitive data of a known child (currently defined in COPPA as under the age of 13). The Act also prohibits targeted advertising and the sale of personal data where a controller has actual knowledge, and willfully disregards, that the consumer is at least 13 but younger than 16. This provision highlights the growing focus on heightened protections for children’s data.

Consumer Rights

The Act provides access, correction, deletion, and opt-out rights common to other states’ data privacy laws. Under the Act, consumers have the following rights:

  • Right to Know: Consumers have the right to confirm whether a controller is processing or has processed their personal data and to access that data.
  • Right to Correct: Consumers have the right to correct inaccuracies in their personal data, taking into account the nature of the data and the purposes for which it is processed.
  • Right to Delete: Consumers have the right to delete personal data provided by or obtained about the consumer.
  • Right to Opt Out: Consumers have the right to opt out of the processing of their personal data for targeted advertising, for sale, or for profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.
  • Right to Data Portability: Consumers have the right to obtain a portable and readily usable copy of their personal data.
  • Protection Against Discrimination: Controllers may not process personal data in violation of state or federal laws prohibiting unlawful discrimination, and may not discriminate against consumers for exercising their rights.

The Act requires controllers to honor universal opt-out preference signals, such as the Global Privacy Control (GPC) browser signal, as a valid exercise of the opt-out right.
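Honoring a universal opt-out signal is an implementation task for whoever operates the controller's web stack, so the following is an added example of server-side handling; it is not code from the Sidley post or from any particular product. It assumes the GPC specification's wire format (an HTTP request header `Sec-GPC` whose value must be exactly `1`) and the well-known discovery file `/.well-known/gpc.json`, and it assumes, as a simplification, that the signal is treated as an opt-out of targeted advertising and sale only, leaving other processing purposes untouched. The `ConsumerPreferences` store and the purpose names are constructed for the example.

```python
"""Treat a Global Privacy Control (GPC) signal as an opt-out of sale and
targeted advertising, while leaving unrelated processing unaffected.

Added example: not the original post's code. Assumes the GPC spec's
"Sec-GPC: 1" header and "/.well-known/gpc.json" discovery document.
"""
from dataclasses import dataclass, field
from typing import Dict, Mapping, Set

# Purposes the universal signal is assumed to opt the consumer out of
# (assumption for this example: targeted advertising and sale).
OPT_OUT_PURPOSES = frozenset({"targeted_advertising", "sale"})


@dataclass
class ConsumerPreferences:
    """Per-consumer opt-out state (constructed store for the example)."""
    opted_out: Set[str] = field(default_factory=set)
    gpc_seen: bool = False


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """Return True only when the request carries Sec-GPC with the value "1".

    HTTP header names are case-insensitive, so the name is normalised.
    The GPC spec requires the value to be exactly "1"; anything else
    ("0", "true", "yes") expresses no preference and must NOT be treated
    as an opt-out, which is the failure mode a sloppy truthiness check
    would introduce.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_opt_out_signal(headers: Mapping[str, str],
                         prefs: ConsumerPreferences) -> ConsumerPreferences:
    """Record the opt-outs implied by a GPC signal on this request.

    The signal only ever adds opt-outs; it never re-enables processing
    the consumer opted out of through another channel.
    """
    if gpc_signal_present(headers):
        prefs.opted_out |= OPT_OUT_PURPOSES
        prefs.gpc_seen = True
    return prefs


def may_process(purpose: str, prefs: ConsumerPreferences) -> bool:
    """Gate a processing purpose on the consumer's recorded opt-outs."""
    return purpose not in prefs.opted_out


def decide(headers: Mapping[str, str], prefs: ConsumerPreferences,
           purposes) -> Dict[str, bool]:
    """One request's worth of decisions: apply the signal, then gate purposes."""
    apply_opt_out_signal(headers, prefs)
    return {p: may_process(p, prefs) for p in purposes}


def gpc_support_document(last_update: str) -> dict:
    """Body to serve at /.well-known/gpc.json so clients can discover support."""
    return {"gpc": True, "lastUpdate": last_update}


if __name__ == "__main__":
    # Constructed request headers, as a browser with GPC enabled would send.
    request_headers = {"User-Agent": "ExampleBrowser/1.0", "Sec-GPC": "1"}
    print(decide(request_headers, ConsumerPreferences(),
                 ["sale", "targeted_advertising", "order_fulfilment"]))
```

The `decide` helper is the shape of a per-request middleware: it updates the stored preferences from the signal and then answers, purpose by purpose, whether processing may proceed. The strict `== "1"` comparison is deliberate; a controller that accepts any non-empty value would over-opt-out consumers whose browsers send `Sec-GPC: 0`, and one that only checks JavaScript's `navigator.globalPrivacyControl` would miss first-request and non-script clients entirely.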

Obligations of Controllers

In addition to the provisions described above, the Act imposes the following obligations on controllers:

  • Provide consumers with a reasonably accessible and clear privacy notice that includes: (i) the categories of personal data processed; (ii) the purposes for processing personal data; (iii) the categories of personal data shared with third parties and the categories of third parties receiving such data; (iv) information on how consumers may exercise their rights; (v) a description of any targeted advertising or sale of personal data; and (vi) contact information.
  • Limit the collection of personal data to what is adequate, relevant and reasonably necessary to accomplish the purposes for which the data is processed, and integrate other privacy-by-design principles.
  • Implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data, appropriate to the volume and nature of the personal data at issue.
  • Provide an effective means to revoke consent that is at least as easy as the mechanism by which the consumer gave consent and which, once exercised, requires the controller to cease processing no later than 15 days after receiving the request.
  • Conduct data protection assessments for each processing activity that presents a heightened risk of harm to a consumer, namely: (i) the processing of personal data for the purpose of targeted advertising; (ii) the sale of personal data; (iii) the processing of sensitive data; and (iv) the processing of personal data for profiling, where profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of consumers, unlawful disparate impact, or undue intrusion upon solitude or seclusion.

Furthermore, the Act requires processors to assist controllers in meeting their obligations, and it specifies the terms that contracts between controllers and processors must contain.

AG Enforcement; No Private Right of Action

The New Hampshire Attorney General has exclusive authority to enforce the Act. Between January 1, 2025 and December 31, 2025, the Attorney General must provide notice of an alleged violation and a 60-day cure period before commencing an enforcement action. Beginning January 1, 2026, the Attorney General may, but is not required to, provide an opportunity to cure. In exercising that discretion, the Attorney General may consider a limited set of factors, including the number of violations, the size and complexity of the controller, whether there is a substantial likelihood of injury to the public, and whether the alleged violation was likely the result of human or technical error. The Act does not include a private right of action.

Conclusion

The Act shares many similarities with other state privacy laws, and many may view it as a practical compromise text that includes most of the consumer protection rights seen in other state laws to date. Even so, it inevitably adds to the complexity of the U.S. data privacy landscape given the continuing absence of comprehensive, preempting federal privacy legislation. In the meantime, the New Hampshire Secretary of State will establish guidance or regulations setting out the criteria for exercising consumer rights and the standards for the privacy notices the Act requires, and companies will need to monitor these developments as they expand their privacy programs to accommodate yet another variation on U.S. privacy law rights and requirements.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.