New Hampshire’s Comprehensive Data Privacy Legislation
As the state boasting the headquarters of the International Association of Privacy Professionals, many have been watching the development of the New Hampshire comprehensive consumer data privacy law with great interest, wondering if it may be a practical model for the nation. On March 6, 2024, Governor Chris Sununu signed SB 255-FN (“the Act”) into law. In some respects, New Hampshire’s privacy law is comparatively more moderate than some other state laws. For instance, the New Hampshire Secretary of State’s rulemaking authority under the Act is currently limited to establishing requirements for privacy notices. This narrow extension of rulemaking authority is a divergence from the broad rulemaking authority granted by California, Colorado, and other states. The New Hampshire law does not allow for a private right of action. There is a right to cure alleged violations through the first year the law is in force; afterwards, the opportunity to cure is left to the Attorney General’s discretion. The legislation will take effect on January 1, 2025.
Scope of Applicability
The Act applies to any person that conducts business in New Hampshire, or that provides products or services targeted at residents of New Hampshire, and that, during a one-year period, controls or processes either:
- The personal data of 35,000 or more unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- The personal data of 10,000 or more unique consumers, while deriving more than 25 percent of the person’s annual gross revenue from the sale of personal data.
Importantly, the definition of “consumers” is limited to an individual residing in New Hampshire and excludes both employee and business-to-business (B2B) data. “Sale” is defined broadly as the “exchange of personal data for monetary or other valuable consideration” by the controller to a third party with exceptions for publicly available data and data disclosed to processors, affiliates, or third parties as part of a merger or acquisition.
Notable Exemptions
The Act contains a number of noteworthy entity-level exclusions, including but not limited to nonprofits, state entities, institutions of higher education, financial institutions subject to Title V of the Gramm-Leach-Bliley Act, and entities subject to the Health Insurance Portability and Accountability Act (HIPAA). There are also data-level exclusions for HIPAA data and other enumerated health data types, as well as specified credit, driver, educational, employee, airline, and controlled substances data.
Sensitive Data
The Act broadly defines “sensitive data” as (i) data that reveals a consumer’s racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual activity, sexual orientation, or citizenship or immigration status; (ii) genetic or biometric data for the purpose of uniquely identifying an individual; (iii) data belonging to a known child under the age of 13; and (iv) precise geolocation data (capable of identifying the specific location of an individual within a radius of 1,750 feet).
The Act requires opt-in consent for any processing of sensitive data, and controllers must comply with the Children’s Online Privacy Protection Act (COPPA) in order to process the sensitive data of a known child (currently defined in COPPA as under the age of 13). The Act prohibits engaging in targeted advertising or the sale of personal data when a covered entity has actual knowledge that a data subject is between the ages of 13 and 16 yet willfully disregards that fact. This provision highlights the growing focus on heightened protections for children’s data.
Consumer Rights
The Act provides access, correction, deletion, and opt-out rights common to other states’ data privacy laws. Under the Act, consumers have the following rights:
- Right to Know: Consumers have the right to know that a controller is processing or has processed their personal data.
- Right to Correct: Taking into account the nature of the personal data being processed and the purpose for processing that data, a controller must respond to a consumer exercising the right to correct inaccuracies in their collected personal data.
- Right to Delete: Consumers have the right to delete personal data provided by or obtained about the consumer.
- Right to Opt-Out: Consumers have the right to opt-out of the processing of their personal data for targeted advertising, sales, or profiling of the consumer in furtherance of solely automated decisions that produce legal effects or other effects of similar significance.
- Right to Data Portability: Consumers have the right to obtain a portable and readily usable copy of their personal data.
- Protection Against Discrimination: Controllers cannot process personal data in violation of state and federal laws or cannot discriminate against consumers for exercising their rights.
The Act requires controllers to honor universal opt-out signals, such as the Global Privacy Control.
Obligations of Controllers
In addition to the provisions described above, the Act imposes the following obligations on controllers:
- Provide consumers with a reasonably accessible and clear privacy notice that includes: (i) the categories of personal data processed; (ii) the purpose for processing personal data, (iii) the categories of personal data shared with third parties and categories of third parties receiving such data; (iv) information on exercising consumers’ rights; (v) a description of any targeted advertising or sale of personal data; and (vi) contact information.
- Limit the collection of personal data to only what is adequate, relevant and reasonably necessary to accomplish the purposes for which the data is processed, and integrate other privacy by design principles.
- Implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue.
- Provide an effective means to revoke consent that is at least as easy as the mechanism by which the consumer provided the consumer’s consent and which, if exercised, should cause the controller to cease processing within 15 days after receipt of the request.
- Conduct data protection assessments for each processing activity that presents a heightened risk of harm to a consumer, namely: (i) the processing of personal data for the purpose of targeted advertising; (ii) the sale of personal data; (iii) the processing of sensitive data; and (iv) the processing of personal data for profiling, where profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of consumers, unlawful disparate impact, or undue intrusion upon solitude or seclusion.
Furthermore, the Act requires processors to assist controllers in meeting their obligations by specifying the elements to be contained in contracts between processors and controllers.
AG Enforcement; No Private Right of Action
The New Hampshire Attorney General has exclusive authority to enforce the Act. Between January 1, 2025 and December 31, 2025, the attorney general is required to provide notice of an alleged violation and an accompanying 60-day cure period before commencing an enforcement action. Beginning January 1, 2026, the attorney general has the discretion to provide an opportunity to cure, but is not required to provide such an opportunity. In exercising their discretion under the Act, the attorney general may consider a limited series of factors, including the number of violations, size and complexity of the controller, whether there is a substantial likelihood of injury to the public, and whether the alleged violation was likely the result of human or technical error. The Act does not include a private right of action.
Conclusion
While the Act shares similarities to other state privacy laws, and many may view it as a practical compromise text that includes most of the consumer protection rights seen in other state laws to date, the New Hampshire law inevitably adds to the complexity of the U.S. data privacy landscape given the continuing absence of comprehensive and preempting federal privacy legislation. In the meantime, the New Hampshire Secretary of State will establish guidance or regulations explicating the criteria for the exercise of consumer rights and standards for privacy notices required by the Act, and companies will need to monitor these developments as they further expand their privacy programs for yet another variation on U.S. privacy law rights and requirements.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.