Earlier this month, Governor Chris Sununu of New Hampshire signed SB255, “An Act Relative to the Expectation of Privacy”, into law. The latest comprehensive state privacy law—bringing the total to 14 now—will go into effect January 1, 2025 and is intended to ensure protections for residents’ personal data through the ability to know and understand how their personal data is held and the ability to delete such personal data upon request.

Applicability

The New Hampshire privacy law applies to businesses “…that produce products or services that are targeted to residents [of New Hampshire]…during a one year period” and that have (1) controlled or processed the personal data of not less than 35,000 unique customers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction); or (2) controlled or processed the personal data of not less than 10,000 unique customers and derived more than 25% of their gross revenue from the sale of personal data. 

The law does not apply to state agencies, nonprofit organization, higher education institutions, financial institutions and data subject to the Gramm-Leach-Bliley Act (“GLBA”) as well as covered entities, business associates and protected health information under HIPAA, among other types of data.

Comparison to Other State Privacy Laws

In comparing the New Hampshire privacy law to other state privacy laws, businesses should first note the lower threshold number of consumers for applicability. Businesses that have not otherwise met the threshold in newer state privacy laws (New Jersey, Montana, and Tennessee) may find that they actually do meet the threshold in New Hampshire.

Businesses subject to the New Hampshire privacy law must limit their collection of personal data to that which “is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer…” and establish, implement and maintain data security practices to protect the data.  Businesses must also obtain the consumer’s consent before processing sensitive data.

The New Hampshire privacy law includes an expanded definition of “sensitive data” (“personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying an individual; personal data collect from a known child; or precise geolocation data”) and also includes a definition for “consent” (“a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer”).

The new law requires contractual agreements with data processors setting forth the instructions, nature, purpose and other details of the processing. Businesses must conduct and document a data protection assessment for processing activities that present a “heightened risk of harm” to consumers.  Such “heightened risk of harm” includes:  (1) the processing personal data for the purposes of targeted advertising; (2) the sale of personal data; (3) processing of personal data for profiling; and (4) the processing of sensitive data.  These data protection assessments must identify and weigh the benefits and risks of such processing to consumers as well as expectations with respect to consumer personal data.

Notice Requirements

Businesses subject to the New Hampshire law must provide consumers with a privacy notice that is “reasonably accessible, clear and meaningful”.  The privacy notice must include:  (1) the categories of personal data processed; (2) the purpose for processing personal data; (3) details regarding how consumers may exercise their privacy rights; (4) categories of personal data shared with third parties (as applicable); (5) the categories of third parties with which the controller shares personal data; and (6) an active email address or other online mechanism to contact the business.  Further, the privacy notice must clearly state whether the business sells personal data and detail how a consumer may opt-out of such sale of personal data.

Consumer Rights

Under the New Hampshire privacy law, a consumer, or their authorized agent, parent or guardian, will have familiar rights (1) to confirm whether or not a controller is processing their personal data, and to access such personal data (subject to any access that would reveal a business’s trade secret); (2) to correct any inaccuracies in their personal data; (3) to delete personal data provided by or about the consumer; (4) to obtain a portable copy of their personal data; and (5) to opt-out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions.

Following authentication of the request, businesses will have 45 days in which to respond with an additional 45-day extension permitted where reasonably necessary.  The business must also establish an appeals process for any requests that are denied, including the ability to contact the Attorney General to submit a complaint, if needed.

Preparing for Enforcement

The New Hampshire Attorney General will have exclusive authority to enforce violations of the law and throughout 2025 shall issue notice allowing for a 60-day cure period.  Starting January 1, 2026, that cure period will be allowed only following consideration of the number of violations by the business; the size and complexity of the business; and the nature and extent of the business’s processing activities, among others.

Businesses subject to the New Hampshire law should continue to refine their processes for updating privacy policies, handling data subject requests, updating data processing agreements, and conducting data protection assessments.

Our Data Privacy and Cybersecurity practice regularly advises companies on how to meet the requirements of new laws like this one. If you have any questions concerning this law or any other data privacy or cybersecurity laws, please do not hesitate to contact any member of our team.