On March 6, 2024, the New Hampshire Governor signed into law Senate Bill 255 (the “NH Act”), making New Hampshire the 15th state to adopt a comprehensive state privacy law. The NH Act will take effect January 1, 2025. This post explores how the NH Act stacks up against the other comprehensive state privacy laws.
Applicability
The NH Act applies to covered businesses that either conduct business in New Hampshire or produce products or services targeted toward New Hampshire residents, and meet either of the following thresholds during a one-year period:
- control or process the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- control or process the personal data of not less than 10,000 unique consumers and derive more than 25 percent of their gross revenue from the sale of personal data.
These thresholds are considerably lower than those in most other states’ privacy laws. Businesses that may not trigger compliance with other state privacy laws, including those currently in effect (such as California, Colorado, Connecticut, Virginia, and Utah), should review their practices and determine whether these lower thresholds trigger compliance in New Hampshire.
Like many other state privacy laws, the NH Act contains various exemptions such as those for nonprofits, institutes of higher education, financial institutions or data subject to the Gramm-Leach-Bliley Act. Additionally, the NH Act provides several Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) exemptions including those for “covered entities,” “business associates,” and “protected health information” (as these terms are defined under HIPAA).
Key Definitions
The NH Act’s definitions largely align with definitions from other state privacy laws. For instance:
Consent: Like most other state privacy laws, “consent” means “a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer.” This does not include “acceptance of a general or broad terms of use,” similar methods that bury language regarding processing personal data, or “the use of deceptive design patterns.”
Consumer: Under the NH Act, a “consumer” is “an individual who is a resident of [New Hampshire].” Similar to many other state privacy laws, “consumer” does not include an “individual acting in a commercial or employment context.”
De-identified Data: Means “data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such individual.”
Personal Data: Means “any information that is linked or reasonably linkable to an identified or identifiable individual” but “does not include de-identified data or publicly available information.”
Profiling: Means “any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”
Sale of Personal Data: Means “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.” This does not include disclosures to processors or to third parties for purposes of providing a product or service that the consumer requested. The NH Act also limits this definition by carving out disclosures when the consumer requests that the disclosure occur or when the consumer intentionally makes the information available to the general public “via a channel of mass media.” Additionally, a “sale of personal data” does not occur when the controller discloses or transfers the information to an affiliate.
Sensitive Data: Means “personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying an individual; personal data collected from a known child; or, precise geolocation data.”
Targeted Advertising: Means advertising to a consumer “based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated Internet web sites or online applications to predict such consumer’s preferences or interests.”
Key Obligations
The NH Act imposes obligations on both controllers and processors, and like most comprehensive privacy laws, the majority of the responsibilities fall on controllers. Similar to other state comprehensive privacy laws, processors must adhere to the controller’s instructions, assist the controller in meeting its obligations, and enter into a data processing agreement with the controller.
Key requirements under the NH Act include:
- Privacy Notice: Under the NH Act, controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: (1) the categories of personal data processed by the controller; (2) the purpose for processing personal data; (3) how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision; (4) the categories of personal data that the controller shares with third parties, if any; (5) the categories of third-parties, if any, with which the controller shares personal data; and (6) an active electronic mail address or other online mechanism that the consumer may use to contact the controller. Importantly, the notice must meet the standards that the NH Act delegates to the New Hampshire Secretary of State to develop. These standards are forthcoming.
- Data Minimization & Purpose Limitation: Like most other comprehensive state privacy laws, the NH Act requires controllers to limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes disclosed to the consumer and not process the data for incompatible purposes unless the controller first obtains the consumer’s consent.
- Security: The NH Act requires controllers to establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data “appropriate to the volume and nature of the personal data at issue.” Processors must ensure that persons that process personal data are subject to a confidentiality duty for that data and assist controllers in meeting their obligations to provide data breach notices and maintain reasonable security.
- Opt-Out Preference Signal: By January 1, 2025, the NH Act requires controllers to allow consumers to opt-out of any processing of the consumer’s personal data for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal.
- Data Protection Assessments: The NH Act also requires controllers to conduct and document data protection assessments for each processing activity that “presents a heightened risk of harm to the consumer.” This includes: (1) the processing of personal data for the purposes of targeted advertising; (2) the sale of personal data; (3) the processing of sensitive data; and (4) profiling, when such profiling presents a reasonably foreseeable risk of:
- Unfair or deceptive treatment of consumers;
- Unlawful disparate impact on consumers;
- Financial, physical or reputational injury to consumers;
- A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; and
- Other substantial injury to consumers.
Consumer Rights
In line with other state privacy laws in effect, the NH Act provides consumers with the following rights:
- Right to access personal data
- Right to correct inaccuracies in personal data
- Right to delete personal data
- Right to obtain a copy of personal data
- Right to opt-out of the processing of the personal data for purposes of targeted advertising
- Right to opt-out of the sale of personal data (as defined above)
- Right to opt-out of profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer
- Right to appeal a controller’s denial of a request to exercise one of the rights above
A consumer may also designate an authorized agent to submit opt-out requests on the consumer’s behalf, but not requests to correct, delete, or access information about, or obtain a copy of, their personal data processed by the controller. Additionally, consumers are entitled to at least one free request per year, after which a controller may charge a “reasonable fee” to cover administrative costs associated with handling the request.
Similar to many other states, the NH Act requires controllers to respond to a rights request within 45 days absent an additional 45-day extension when “reasonably necessary.” The controller must inform the consumer about the extension within the initial 45-day period and provide a rationale for the extension.
Enforcement
The New Hampshire Attorney General (the “Attorney General”) has the exclusive authority to enforce the NH Act. The NH Act does not specify any statutory penalties. Like most other state privacy laws, the NH Act does not provide for a private right of action.
The NH Act also provides covered businesses a 60-day cure period to address alleged violations until December 31, 2025. Beginning January 1, 2026, the Attorney General may provide controllers the opportunity to cure after considering the following factors: (1) the number of violations; (2) the size and complexity of the controller or processor; (3) the nature and extent of the controller’s or processor’s processing activities; (4) the substantial likelihood of injury to the public; (5) the safety of persons or property; and (6) whether such alleged violation was likely caused by human or technical error.
In addition to the NH Act, several other newly adopted privacy laws are set to take effect in 2024, 2025, and beyond. For more information about these developments, please contact your DLA Piper relationship partner, the authors of this alert, or any member of our Data Protection, Privacy and Cybersecurity Practice.