New Hampshire Enacts Comprehensive Consumer Data Privacy Law

New Hampshire Gov. Chris Sununu on March 6 signed into law Senate Bill 255, making New Hampshire the 14th state to enact a comprehensive consumer data privacy law, following California, Virginia, Colorado, Utah, Connecticut,  Iowa, Indiana, Tennessee, Montana, Texas, Oregon,  Delaware, and New Jersey.  The law will go into effect Jan. 1, 2025.

Applicability 

The Act applies to persons that conduct business in New Hampshire or persons that produce products or services that are targeted to residents of New Hampshire that during a one-year period:

• Controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
• Controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25 percent of their gross revenue from the sale of personal data.

Exemptions

Exemptions include, but are not limited to:

• A financial institution or data subject to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801, et seq.;
• Protected health information under the Health Insurance Portability and Accountability Act of 1996;
• The collection, maintenance, disclosure, sale, communication, or use of any personal information to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act, 15 U.S.C. § 1681, et seq.

Consumer Rights

Consumers have the right to:

• Confirm whether a controller is processing their personal data and access such personal data;
• Correct inaccuracies in their personal data;
• Delete personal data provided by, or obtained about, the consumer;
• Obtain a copy of their data processed by the controller in a portable and, to the extent technically feasible, readily usable format;
• Opt-out of the processing of the personal data for purposes of targeted advertising, the sale of personal data (subject to exceptions), or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

Sensitive Data

A controller may not process sensitive data concerning a consumer without obtaining the consumer’s consent or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the Children’s Online Privacy and Protection Act.

“Sensitive data” means personal data that includes data revealing:

• Racial or ethnic origin;
• Religious beliefs;
• Mental or physical health condition or diagnosis;
• Sex life or sexual orientation;
• Citizenship or immigration status;
• Genetic or biometric data processed for the purpose of uniquely identifying an individual;
• Personal data collected from a known child;
• Precise geolocation data.

Contract Requirements

A contract between a controller and a processor must set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor:

Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;

• At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
• Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations in this chapter;
• After providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and
• Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor, or the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor’s policies and technical and organizational measures in support of the obligations under this chapter, using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor must provide a report of such assessment to the controller upon request.

Data Protection Assessments

A controller must conduct and document a data protection assessment for each of the controller’s processing activities that presents a heightened risk of harm to a consumer, including:

• The processing of personal data for the purposes of targeted advertising;
• The sale of personal data;
• The processing of personal data for the purposes of certain profiling; and
• The processing of sensitive data.

Enforcement

The Act does not create a private right of action. A violation that is not cured within 60 days of notice from the Attorney General is an unfair method of competition or an unfair or deceptive act or practice in the conduct of any trade or commerce under N.H. Rev. Stat. Ann. § 358-A:2 which provides for injunctive relief and civil penalties up to $10,000 for each violation.

Impression

This law follows the pattern of many post-California comprehensive data privacy laws and should not present overly burdensome compliance challenges for those complying with those other laws. For a chart comparing the state comprehensive data privacy acts, and more information and insight from Maurice Wutscher on data privacy and security laws and legislation, click here.