• On April 2, 2024, the CPPA Enforcement Division issued its inaugural advisory, emphasizing the importance of data minimization.  (Read more about the enforcement advisory below.)
• In March 2024, the CPPA’s March Board Meeting included several notable developments, including:
  • Draft proposed regulations on risk assessments and automated decision-making technology. Draft updates to existing CCPA Regulations, including updates to the definition of sensitive personal information and requirements relating to verifying and denying consumer requests. A summary of the CPPA’s enforcement priorities for 2024, which include privacy notices, right to delete issues, and the processing of consumer requests.
  • A report on the number of complaints received by the CPPA since July 2023.

(Read more about the March 2024 Board Meeting below.)

• On February 9, 2024, the CPPA won its appeal of a lower court ruling that delayed for one year the enforcement of the updated CCPA Regulations, implemented pursuant to the California Privacy Rights Act of 2020.   
• In January 2024, the CPPA launched https://privacy.ca.gov, a new online resource on California privacy rights for consumers.

In 2024, the CPPA has also weighed in on proposed federal and state privacy legislation, issuing a statement heavily critical of the federal American Privacy Rights Act legislation, and strongly supporting California’s AB 3048, which would expand business requirements regarding privacy preference and opt out signals.

CPPA Enforcement Advisory on Data Minimization

On April 2, 2024, the CPPA issued its inaugural enforcement advisory under the California Consumer Privacy Act (“CCPA”) which focused on the need to apply data minimization principles across its processing activities and its processing of consumer privacy requests, emphasizing:

Data minimization is a foundational principle in the CCPA. Businesses should apply this principle to every purpose for which they collect, use, retain, and share consumers’ personal information.

The CPPA also observed that:

[C]ertain businesses are asking consumers to provide excessive and unnecessary personal information in response to requests that consumers make under the CCPA.

As one of many core principles of the CCPA, data minimization requires businesses to restrict the processing of personal information to that which is “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.”[1]

Regulations issued pursuant to the CCPA expand on this principle, stating the necessary and proportionate assessment should be based on the following:

1. The minimum personal information that is necessary to achieve the purpose identified, as disclosed to the consumer;
2. The possible negative impacts on consumers posed by the business’s collection or processing of personal information; and
3. Additional safeguards used by the business to address the possible negative impacts on consumers.[2]

Data Minimization in Verifying Consumer Requests. When responding to consumer requests, the CCPA requires businesses to verify that the person making a request to delete, correct, or know is the consumer about whom the business has collected personal information.

The CCPA prohibits businesses from requiring a consumer to verify their identity to make a request to opt-out of the sale/sharing of personal information or to limit use and disclosure of sensitive personal information; however, the business may ask the consumer for information necessary to complete the request.

The CCPA regulations provide businesses with guidance in determining the method by which the business will verify the consumer’s identity:

1. Whenever feasible, match the identifying information provided by the consumer to the consumer’s personal information the business already maintains, or use a third-party identity verification service;
2. Avoid collecting certain types of personal information (such as Social Security number, driver’s license number, financial account numbers, or unique biometric data), unless necessary for the purpose of verifying the consumer; and
3. Consider the following factors, including (i) the type, sensitivity, and value of the personal information collected and maintained about the consumer; (ii) the risk of harm to the consumer; (iii) the likelihood that fraudulent or malicious actors would seek the personal information; (iv) whether the personal information to be provided by the consumer to verify their identity is sufficiently robust to protect against fraudulent requests or being spoofed or fabricated; (v) the manner in which the business interacts with the consumer, and (vi) available technology for verification.[3]

Businesses must generally avoid requesting additional information from the consumer for verification purposes; however, to the extent the business cannot verify the consumer’s identity, the business may request additional information which must only be used for verifying the consumer’s identity, security, or fraud-prevention. The business must delete any new personal information collected for verification purposes as soon as practical after processing the consumer’s request, subject to the CCPA’s record-keeping requirements.

Questions to Consider When Responding to Consumer Requests. The advisory includes illustrative scenarios on the application of the data minimization principle to CCPA requests to opt-out of the sale/sharing of personal information and requests to delete personal information.  The advisory also provides a list of questions for businesses to consider when processing consumer requests:

1. What is the minimum personal information that is necessary to achieve this purpose?
2. We already have certain personal information from this consumer. Do we need to ask for more personal information than we already have?
3. What are the possible negative impacts posed if we collect or use the personal information in this manner?
4. Are there additional safeguards we could put in place to address the possible negative impacts?

Businesses should keep the above questions in mind when determining how to verify and process consumer requests.

For more information about these developments, contact the authors of this blog post, your DLA relationship Partner, or any member of DLA’s Data, Privacy and Cybersecurity team.

Takeaways from CPPA March 2024 Board Meeting: Enforcement Priorities and Revised Regulations on the Horizon

On March 8, 2024, the CPPA held a public meeting to discuss, among other things, its enforcement priorities and proposed regulations on risk assessments and automated decisionmaking technology (“ADMT”). This article summaries the key takeaways from the meeting and highlights from the new regulations on the horizon in California.

Enforcement Priorities. During the meeting, Michael Macko the Deputy Director for the Enforcement Division presented on enforcement updates and priorities. The presentation reported the CPPA received 1,208 complaints between July 6, 2023, and February 22, 2024. It may come as no surprise to privacy officers and compliance managers that the most common categories of complaints include right to delete and right to opt-out of sale issues. 

The CPPA reported that its upcoming enforcement priorities will be privacy notices, right to delete issues, and implementation of consumer requests.[4]

ADMT and Risk Assessment Regulations. As we recently reported, in late 2023, the CPPA released its initial draft regulations for ADMT and risk assessments. During the March 8, 2023 meeting, the Board was presented with an updated draft of the ADMT and risk assessment regulations and voted to progress these proposed regulations to formal rulemaking. It is important to note that the regulations are discussion drafts that are still in the preliminary rulemaking phase. Staff will begin preparing the required paperwork to initiate formal rulemaking based on the Board’s vote. During the meeting, CPPA General Counsel, Philip Laird, clarified that the Agency intends to do more public engagement this spring and summer for additional feedback on the draft ADMT and risk assessment regulations. On April 24, 2024, the CPPA announced three stakeholder sessions to take place this May. More information about the sessions and how you can attend is available on the CPPA website. Additional modifications may be made to the draft regulations based on feedback from the Board and the public throughout this process.

The following are notable updates to draft ADMT and risk assessment requirements in these new proposed draft regulations:

• Revised Definition of ADMT. The CPPA has revised the definition of AMDT to mean “any technology that processes personal information and uses computation to execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking.” For purposes of this definition, the CPPA clarified that to “substantially facilitate human decisionmaking” means using the output of the technology as a key factor in a human’s decisionmaking. This includes, for example, using AMDT to generate a score about a consumer that the human reviewer uses as a primary factor to make a significant decision about them.
• ADMT Exclusions. The CPPA has clarified that ADMT does not include the following technologies, provided these technologies do not execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking: web hosting, domain registration, networking, caching, website-loading, data storage, firewalls, anti-virus, anti-malware, spam and robocall-filtering, spellchecking, calculators, databases, spreadsheets, or similar technologies.
• Revised Definition of Profiling. The CPPA has expanded the definition of profiling to include automated processing of personal information to analyze or predict an individual’s intelligence, ability, aptitude, mental health and predispositions.
• New Trigger for Notice, Opt-Out and Access. The CPPA has revised the triggers for pre-use notice, opt-out, and access requirements by adding the use of ADMT for “profiling a consumer for behavioral advertising” as a trigger.
• Updated Pre-Use Notice Requirements for ADMT. The CPPA has updated the pre-use notice requirements to streamline the information that a business must provide, and to allow for greater flexibility in how the business presents the information. The proposed revisions also include tailoring pre-notice requirements to specific uses of ADMT and requiring that the business disclose that they cannot retaliate against consumers.
• Opt-Out Exceptions for ADMT. Under the proposed regulations, businesses would not be required to provide a consumer with the ability to opt-out of a business’s use of ADMT for a significant decision concerning the consumer if the business provides consumers with the ability to appeal to a human decisionmaker (the “human appeal exception”). To qualify for the human appeal exception, the business must satisfy certain requirements, including but not limited to, designating a qualified human reviewer who must consider relevant information, clearly describing how consumers can submit an appeal, and enabling the consumer to provide information for the human reviewer to consider. The proposed regulations also include an “evaluation exception” where a business does not need to provide a consumer with the ability to opt-out (subject to certain conditions) for purposes of admission, acceptance, or hiring decisions, allocation/assignment of work and compensation decisions, and work or educational profiling. Businesses would also not be required to provide a consumer with the ability to opt-out if the business’s use of the ADMT is necessary for security, fraud prevention, or safety purposes.
• Revised Risk Assessment Thresholds. The CPPA has revised the risk assessment thresholds to clarify that risk assessments are required when the business (1) sells or shares personal information; (2) processes sensitive personal information (including the personal information of consumers that the business has actual knowledge are less than 16 years of age); (3) uses ADMT for a significant decision or “extensive profiling” (i.e., work or educational profiling, public profiling, or profiling a consumer for behavioral advertising); or (4) processes personal information to train ADMT or artificial intelligence that is capable of being used for a significant decision, to establish identity, for physical or biological profiling, for generating deepfakes, or for operating generative models.
• Revised Risk Assessment Requirements. The CPPA’s proposed revisions include clarifying which operational elements must be identified in a risk assessment, which negative impacts to a consumers’ privacy a business may consider, and which safeguards a business must identify for ADMT to ensure the ADMT works as intended and does not discriminate.
• Revised Risk Assessment Submission Requirements. The CPPA has streamlined what must be included in an abridged risk assessment and further clarified exemptions to the risk assessment submission requirements. For example, a business is not required to submit a risk assessment if the business has previously conducted and submitted to the CPPA an abridged risk assessment for a given processing activity, and there were no material changes to that processing during a subsequent submission period (however, the business must still submit a certification of compliance to the Agency).

Draft Updates to Existing CCPA Regulations. In addition to the initial draft regulations for ADMT and risk assessments, the CPPA also discussed revisions to the pre-existing CCPA regulations. Similar to the Risk Assessment and ADMT regulations discussed above, formal rulemaking proceedings are still pending for these proposed amendments, which include the following notable updates:

• Revised Definition of Sensitive Personal Information. The CPPA proposed revising the definition of sensitive personal information to include “[p]ersonal information of consumers that the business has actual knowledge are less than 16 years of age.” The proposed revisions further clarify that businesses that willfully disregard the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age.
• Denying Consumer Requests. Under the revised regulations, if the business denies a consumer’s request to know, correct, delete, opt-out of the sale/sharing of personal information, or limit use and disclosure of sensitive personal information, the business must, among other things, inform the consumer that they can file a complaint with the Agency and the Attorney General and provide links to the complaint forms available on their respective websites.
• Verification of Consumer Requests. Under the revised regulations, businesses would be required to match identifying information provided by the consumer to the personal information of the consumer already maintained by the business before requesting additional information from the consumer (emphasis added).
• Service Providers and Contractors. The CPPA proposed adding a requirement that any retention, use, or disclosure of personal information by service providers or contractors pursuant to its written contract with a business must be “reasonably necessary and proportionate” for the purposes stated in the contract.

For more information about these developments, contact your DLA Piper relationship partner, the authors of this alert, or any member of our Data Protection, Privacy and Security team.

[1] Civil Code § 1798.100(c)

[2] 11 CCR § 7002(d)

[3] 11 CCR § 7060(c)

[4] See the CPPA Enforcement Update & Priorities presentation available at https://cppa.ca.gov/meetings/materials/20240308_item6_enforcement_update.pdf.

The Act was enacted on March 15, 2022, following several significant and disruptive cyberattacks on critical infrastructure in the United States. The Act requires certain covered entities to report cyber incidents and ransom payments within short time periods, specifically:

1. within 72 hours after a covered entity “reasonably believes that [a] substantial cyber incident has occurred,” and
2. not later than 24 hours after making a ransom payment that results from a ransomware attack against a covered entity.

Many of the details on how the Act will be implemented were left to public rulemaking by CISA, which published its draft regulations in the Federal Register on April 4, 2024 (“Proposed Rule”). The Proposed Rule (totaling over 400 pages) adds significant requirements and clarifications for companies who will be required to report under CIRCIA. This article summarizes some of the key details from the Proposed Rule.

To What Companies Does CIRCIA Apply?

While the Act includes a definition for the term “covered entity,” the statute explicitly requires CISA to further clarify the meaning of that term through its CIRCIA rulemaking.[1] Specifically, the Act defines “covered entity” as “an entity in a critical infrastructure sector, as defined in Presidential Policy Directive 21.”[2] The Presidential Policy Directive 21 (“PPD-21”), Critical Infrastructure Security and Resilience, which was issued in February 2013  establishes a national policy on critical infrastructure security and resilience, encompassing assets, systems, and networks (whether physical or virtual) associated with critical infrastructure sectors. The sixteen sectors identified as critical infrastructure are: (1) chemical, (2) commercial facilities, (3) communications, (4) critical manufacturing, (5) dams, (6) defense industrial base, (7) emergency services, (8) energy, (9) financial services, (10) food and agriculture, (11) government facilities, (12) healthcare and public health, (13) information technology, (14) nuclear, (15) transportation, and (16) water and waste water systems.

In its Proposed Rule, CISA proposed to include as covered entities, entities that meet two threshold criteria:

1. Size-Based Criteria

The first group of entities that CISA is proposing to include as covered entities are entities within a critical infrastructure sector that exceed the U.S. Small Business Administration’s (SBA) small business size standard. The SBA standards are expressed either in number of employees or annual receipts in millions of dollars, depending on the classification of the particular business (using the North American Industry Classification System code).

2. Sector-Based Criteria

CISA is also proposing to include in the scope of covered entity any entity that meets any of the following proposed sector-based criteria:

• any entity that owns or operates a covered chemical facility subject to the Chemical Facility Anti-Terrorism Standards (Chemical Sector).

• any entity that provides communications services by wire or radio communications, as defined in 47 U.S.C. 153(40), 153(59), to the public, business, or government (Communications Sector).

• any entity that owns or has business operations that engage in primary metal manufacturing; machinery manufacturing; electrical equipment, appliance, and component manufacturing; or transportation equipment manufacturing (Critical Manufacturing Sector).

• any contractor or subcontractor required to report cyber incidents to the Department of Defense pursuant to DFARS 48 C.F.R. § 252.204-7012 (Defense Industrial Base Sector).

• any entity that provides (1) law enforcement, (2) fire and rescue services, (3) emergency medical services, (4) emergency management, and/or (5) public works that contribute to public health and safety services or functions to a population equal to or greater than 50,000 individuals (Emergency Services Sector).

• any entity that is required to report cybersecurity incidents under NERC’s CIP Reliability Standards or required to file an Electric Emergency Incident and Disturbance Report OE-417 form, or any successor form, to the Department of Energy (Energy Sector).

• certain financial services entities that have the potential to impact the economic security of the nation if victimized by a covered cyber incident (Financial Services Sector).

• state, local, tribal, and territorial government entities that serve a jurisdiction with a population equal to or greater than 50,000 individuals; certain entities related to education; and certain entities involved with election processes (Government Facilities Sector).

• certain entities providing direct patient care; manufacturers of drugs listed in Appendix A of the report Essential Medicines Supply Chain and Manufacturing Resilience Assessment; and manufacturers of Class II (moderate risk) and Class III (high risk) devices, as defined in 21 U.S.C. § 360c (Healthcare and Public Health Sector).[3]

• any entity that (a) knowingly provides hardware, software, systems, or services to the Federal government; (b) developed and continues to sell, license, or maintain any software that meets the definition of “critical software” as that term was defined by NIST pursuant to Executive Order 14028; (c) is an original equipment manufacturer, vendor, or integrator of Operational Technology (OT) hardware or software components; or (d) performs functions related to domain name operations (Information Technology Sector).

• any entity that owns or operates a commercial nuclear power reactor or fuel cycle facility (Nuclear Reactors, Materials, and Waste Sector).

• certain entities that own/operate certain non-maritime transportation system infrastructure, such as freight railroad, public transportation and passenger railroads, pipeline facilities and systems, over-the-road bus operations, passenger and all-cargo aircraft, indirect air carriers, airports, and Certified Cargo Screening Facilities; own/operate vessel, facility, or outer continental shelf facilities subject to 33 C.F.R. parts 104, 105, or 106; that are required to implement a TSA-approved security program under 49 C.F.R. parts 1542, 1544, 1548, and 1549; or that own/operate assets subject to the Maritime Transportation Security Act (Transportation Systems Sector).

• any entity that owns or operates a Community Water System, as defined in 42 U.S.C. § 300f(15), or a Publicly Owned Treatment Works that serve more than 3,300 people (Water and Wastewater Systems Sector).

Note, CISA did not propose further sector-based criteria for three sectors: the Commercial Facilities Sector, the Dams Sector, and the Food and Agriculture Sector. Rather, it will rely on the size-based criteria to capture the largest entities in these remaining sectors.

What Are the Reporting Requirements for Covered Entities?

CIRCIA requires covered entities to report (1) covered cyber incidents, (2) ransom payments made in response to a ransomware attack, and (3) any substantial new or different information discovered related to a previously submitted report to CISA.[4]

Reporting Covered Cybersecurity Incidents

The Proposed Rule will require covered entities to report – or have a third-party report on the covered entity’s behalf – a substantial cyber incident experienced by a covered entity. CISA proposes the term “substantial cyber incident” be defined as a cyber incident that leads to any of the following impacts:

1. substantial loss of confidentiality, integrity, or availability of a covered entity’s information system (including OT) or network;
2. serious impact on the safety and resiliency of a covered entity’s operational systems and processes;
3. disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services; or
4. unauthorized access to a covered entity’s information system or network, or any nonpublic information contained therein, that is facilitated through or caused by a compromise of a cloud service provider, managed service provider, other third-party data hosting provider, or a supply chain compromise.

Under the Proposed Rule, a cyber incident that actually results in any one of the listed impacts would be a substantial cyber incident, triggering reporting. The proposed definition also does not hang on the cause of the incident. Therefore, incidents where the covered entity is not yet able to confirm root cause may still trigger the reporting requirements if the incident otherwise meets the reporting criteria.

CISA provided several examples of what would, and would not, qualify as a substantial cyber incident under the Proposed Rule including the following.

CISA also clarifies its interpretation of the Act to require reporting at any point during the occurrence of the covered cyber incident. For example, if an entity discovers that it experienced a covered cyber incident two years ago that has continued into the present (given that entity is a covered entity at the time of discovery) CISA’s Proposed Rule would require that entity to submit a report.

Reporting Ransom Payments

The Proposed Rule also requires a covered entity to report any ransom payment, including payments made where the underlying ransomware attack that led to the ransom payment is not a covered cyber incident. The Proposed Rule would trigger the 24-hour reporting requirement upon disbursement of the payment by the covered entity or a third party directly authorized to make a payment on the covered entity’s behalf.

Supplemental Reports

The Act also mandates that a covered entity promptly provide CISA with updates or supplements in certain circumstances. Under the Proposed Rule, such reports are triggered by information that (1) is responsive to a required data field in a covered cyber incident report that the covered entity was unable to substantively answer at the time of submission of that report or any supplemental report related to that incident, or (2) shows that a previously submitted report  is materially incorrect or incomplete in some manner.

A covered entity is required to provide these supplemental reports unless and until it has notified CISA that the underlying covered cyber incident has concluded and been fully mitigated and resolved.[5]

How to Submit Reports

CISA is proposing that a covered entity submit CIRCIA Reports through the web-based CIRCIA Incident Reporting Form on CISA’s website.

Next Steps for the Rulemaking Process

The Draft Regulations are open for public comment for 60 days from the publication of the draft rules in the Federal Register (until June 3, 2024). Comments may be submitted at www.regulations.gov and must reference the Federal Docket Number CISA 2022-0010.

For more information about these developments, contact your DLA Piper relationship partner, the authors of this alert, or any member of our Data Protection, Privacy and Security team.

[1] 6 U.S.C. § 681b(c)(1).

[2] 6 U.S.C. § 681(4).

[3] In the Proposed Rule, CISA acknowledged that these entities are already subject to reporting requirements under the Health Information Portability and Accountability Act (HIPAA) and the Federal Trade Commission Health Breach Notification Rule (HBNR); however, CISA noted that those breach reporting requirements focus on impact to certain data and not other cybersecurity incidents potentially covered by CIRCIA.

[4] 6 U.S.C. § 681b(a)(1)-(3).

[5] 6 U.S.C. § 681b(a)(3).

Applicability

The NH Act applies to covered businesses that either conduct business in New Hampshire or produce products or services targeted toward New Hampshire residents, and meet either of the following thresholds during a one-year period:

• control or process the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
• control or process the personal data of not less than 10,000 unique consumers and derive more than 25 percent of their gross revenue from the sale of personal data.

These thresholds are considerably lower than most other states’ privacy laws. Businesses who may not trigger compliance with other state privacy laws, including those currently in effect (such as California, Colorado, Connecticut, Virginia, and Utah) should review their practices and determine whether these lower thresholds trigger compliance in New Hampshire.

Like many other state privacy laws, the NH Act contains various exemptions such as those for nonprofits, institutes of higher education, financial institutions or data subject to the Gramm-Leach-Bliley Act. Additionally, the NH Act provides several Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) exemptions including those for “covered entities,” “business associates,” and “protected health information” (as these terms are defined under HIPAA).

Key Definitions

The NH Act’s definitions largely align with definitions from other state privacy laws. For instance:

Consent: Like most other state privacy laws, “consent” means “a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer.” This does not include “acceptance of a general or broad terms of use,” similar methods that bury language regarding processing personal data, or “the use of deceptive design patterns.”

Consumer: Under the NH Act, a “consumer” is “an individual who is a resident of [New Hampshire].” Similar to many other state privacy laws, “consumer” does not include an “individual acting in a commercial or employment context.”

De-identified Data: Means “data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such individual.”

Personal Data: Means “any information that is linked or reasonably linkable to an identified or identifiable individual” but “does not include de-identified data or publicly available information.”

Profiling: Means “any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”

Sale of Personal Data: Means “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.” This does not include disclosures to processors or to third parties for purposes of providing a product or service that the consumer requested. The NH Act also limits this definition by carving out disclosures when the consumer requests that the disclosure occurs or when the consumer intentionally makes the information available to the general public “via a channel of mass media.” Additionally, a “sale of personal data” does not occur when the controller discloses or transfers the information to an affiliate.

Sensitive Data: Means “personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying an individual; personal data collected from a known child; or, precise geolocation data.”

Targeted Advertising: Means advertising to a consumer “based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated Internet web sites or online applications to predict such consumer’s preferences or interests.”

Key Obligations

The NH Act imposes obligations on both controllers and processors, and like most comprehensive privacy laws, the majority of the responsibilities fall on controllers. Similar to other state comprehensive privacy laws, processors must adhere to the controller’s instructions, assist the controller in meeting its obligations, and enter into a data processing agreement with the controller.

Key requirements under the NH Act include:

• Privacy Notice: Under the NH Act, controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: (1) the categories of personal data processed by the controller; (2) the purpose for processing personal data; (3) how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision; (4) the categories of personal data that the controller shares with third parties, if any; (5) the categories of third-parties, if any, with which the controller shares personal data; and (6) an active electronic mail address or other online mechanism that the consumer may use to contact the controller. Importantly, the notice must meet the standards that the NH Act delegates to the New Hampshire Secretary of State to develop. These standards are forthcoming.

• Data Minimization & Purpose Limitation: Like most other comprehensive state privacy laws, the NH Act requires controllers to limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes disclosed to the consumer and not process the data for incompatible purposes unless the controller first obtains the consumer’s consent.

• Security: The NH Act requires controllers to establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data “appropriate to the volume and nature of the personal data at issue.” Processors must ensure that persons that process personal data are subject to a confidentiality duty for that data and assist controllers in meeting their obligations to provide data breach notices and maintain reasonable security.

• Opt-Out Preference Signal: By January 1, 2025, the NH Act requires controllers to allow consumers to opt-out of any processing of the consumer’s personal data for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal.

• Data Protection Assessments: The NH Act also requires controllers to conduct and document data protection assessments for each processing activity that “presents a heightened risk of harm to the consumer.” This includes: (1) the processing of personal data for the purposes of targeted advertising; (2) the sale of personal data; (3) the processing of sensitive data, and (4) profiling, when such profiling presents a reasonably foreseeable risk of:
  • Unfair or deceptive treatment of consumers;
  • Unlawful disparate impact on consumers;
  • Financial, physical or reputational injury to consumers;
  • A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; and
  • Other substantial injury to consumers.

Consumer Rights

In line with other state privacy laws in effect, the NH Act provides consumers with the following rights:

• Right to access personal data
• Right to correct inaccuracies in personal data
• Right to delete personal data
• Right to obtain a copy of personal data
• Right to opt-out of the processing of the personal data for purposes of targeted advertising
• Right to opt-out of the sale of personal data (as defined above)
• Right to opt-out of profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer
• Right to appeal a controller’s denial of a request to exercise one of the rights above

A consumer may also designate an authorized agent to submit opt out requests on the consumer’s behalf, but not requests to correct, delete, or access information about, or obtain a copy of, their personal data processed by the controller. Additionally, consumers are entitled to at least one free request per year, after which a controller may charge a “reasonable fee” to cover administrative costs associated with handling the request.

Similar to many other states, the NH Act requires controllers to respond to a rights request within 45 days absent an additional 45-day extension when “reasonably necessary.” The controller must inform the consumer about the extension within the initial 45-day period and provide a rationale for the extension.

Enforcement

The New Hampshire Attorney General (the “Attorney General”) has the exclusive authority to enforce the NH Act. The NH Act does not specify any statutory penalties. Like most other state privacy laws, the NH Act does not provide for a private right of action.

The NH Act also provides covered businesses a 60-day cure period to address alleged violations until December 31, 2025. Beginning January 1, 2026, the Attorney General may provide controllers the opportunity to cure after considering the following factors: (1) the number of violations; (2) the size and complexity of the controller or processor; (3) the nature and extent of the controller’s or processor’s processing activities; (4) the substantial likelihood of injury to the public; (5) the safety of persons or property; and (6) whether such alleged violation was likely caused by human or technical error.

In addition to the NH Act, several other newly adopted privacy laws are set to take effect in 2024, 2025, and beyond. For more information about these developments, please contact your DLA Piper relationship partner, the authors of this alert, or any member of our Data Protection, Privacy and Cybersecurity Practice.