New Hampshire Passes Comprehensive Consumer Privacy Laws – Orr & Reno

New Hampshire joins the growing number of states to pass comprehensive data privacy legislation.

New Hampshire recently joined fourteen other states in enacting comprehensive data privacy legislation. Governor Christopher T. Sununu, who signed SB 255 into law on March 6, 2024, said, “This law provides transparency about what information is collected, why, and confidence that in the age of AI, steps are taken to protect that data.” This new state law comes after the state Constitution was amended in 2018 to add Article 2-b establishing a constitutional right to privacy.

Many industry leaders would prefer a national bill because privacy “frameworks” are primarily national and international in scope. Plus, having one set of national standards makes compliance easier than staying up to date with a state-by-state patchwork
approach. But, in the absence of federal legislation — the American Data Privacy and Protection Act remains stalled in the Senate Commerce Committee — states are taking action, often tailoring their data privacy laws to their state’s specific needs and
demographics. New Hampshire is now the 15th state to enact a comprehensive data privacy bill, and we expect several more states to enact similar legislation in the year ahead.

Who is Covered?

New Hampshire’s new privacy law covers anyone who “conducts business” in New Hampshire or anyone who “produces products or services” that are targeted to residents of New Hampshire and that controlled or processed either of the following categories of
personal data over a one year period:

• The personal data of not less than 35,000 consumers, excluding personal data processed to complete a payment transaction;

OR

• The personal data of not less than 10,000 consumers, in instances where the individual or entity derived more than 25 percent of their gross revenue from the sale of personal data.

Like privacy laws enacted in other states, the New Hampshire law contains data minimization, purpose limitation, and data protection requirements. The entities who collect and control data (controllers) are required to limit the collection of personal data to what is “adequate, relevant, and reasonably necessary.” Controllers are also prohibited from using the data “for purposes that are neither reasonably necessary to, nor compatible with” those original purposes.

Through the legislative process, the scope of who is covered by the bill was narrowed. As enacted, there are entity-level exemptions, such as entities subject to the GrammLeach-Bliley Act. There are also data-level exemptions, such as data protected under HIPAA. Therefore, organizations should carefully review the new law and determine if they are exempted from the bill’s requirements.

Disclosure

Controllers handling personal data are also required to disclose what they are doing to consumers and that such “privacy notices” be “reasonably accessible, clear, and meaningful” and meet other standards established by the New Hampshire Secretary of State. SB255 stipulates the general information that a privacy notice must include:

• the categories of personal data processed
• the purpose of processing personal data
• how consumers may exercise their rights
• the categories of personal information are shared with third parties
• the categories of third parties, if any, with which data is shared
• an active e-mail address or other online location where the consumer can contact the person or entity processing and controlling personal data.

Consumers have the right to confirm whether or not a controller is processing their data and to access that personal data upon request. They also have the right to correct inaccuracies, delete personal data, “opt-out” of processing for particular purposes, and
obtain a copy of the personal data in the controller’s possession in a usable and transportable format.

Security

The law requires anyone controlling or processing personal data to perform “data protection assessments” for every processing activity that could “present a heightened risk of harm,” including the processing of sensitive data for targeted advertising, profiling, or sale to third parties.

Enforcement

Senate Bill 255 will go into effect on January 1, 2025. The New Hampshire Legislature has provided the state’s Department of Justice Consumer Protection Bureau funds to facilitate enforcement. The final version of SB 255 provides a 60-day cure period before the Attorney General can bring an enforcement action. This general right-to-cure provisions has a one-year sunset period though. After January 1, 2026, the Attorney General may consider the unique circumstances of a particular violation in determining whether the opportunity to cure is appropriate.

Stay Current

As the data privacy framework continues to evolve in the United States, employers are reminded to review external privacy policies and perform regular data mapping exercises to ensure that their data collection, sharing, and processing practices comply with current statutes.

If you have any questions about the implications of SB 255 for your company’s privacy compliance programs — or questions about any state or federal regulations or enforcement actions — don’t hesitate to contact Orr & Reno for assistance.

Lindsay E. Nadeau and Steven L Winer