An Overview of New Hampshire Consumer Privacy Law

I. Introduction

On March 06, 2024, Governor Chris Sununu signed Senate Bill 255, making New Hampshire the 14th US State to enact a comprehensive privacy law (“NHDPA”). New Hampshire also became the second US state in 2024 to pass a data privacy law, with New Jersey being the first one to enact a comprehensive data privacy law.

The NHDPA is structured along the lines of previously passed state data privacy legislations, such as Colorado, California, Utah, etc. It offers broad provisions empowering consumers with privacy rights and controls over the collection, processing, or selling of their personal data. Similar to most of the US state data privacy laws, the NHDPA is exclusively enforceable by the Attorney General of the state and provides a 60-day cure period for violations.

The law will become effective on January 1, 2025.

II. Who Needs to Comply with the NHDPA

A. Application

The NHDPA applies to controllers operating businesses in the New Hampshire state that produce products and services targeted at the residents of New Hampshire and are engaged during a one year period in:

• Controlling and processing the personal data of at least 35,000 consumers, excluding the personal data controlled or processed solely for the purpose of   completing a payment transactions; or
• Controlling and processing the personal data of at least 10,000 unique consumers and deriving more than 25% of the gross revenue from the sale of personal data.

B. Exemptions

The NHDPA exempts certain entities from the application of its provisions, including the following:

• Nonprofit organizations.
• Body, authority, board, bureau, commission, district or agency of New Hampshire or of any political subdivision of New Hampshire.
• Higher education institutions.
• National securities associations covered under 15 U.S.C. Section 78o-3 of the Securities Exchange Act of 1934.
• Financial institutions covered under Title V of the Gramm-Leach-Bliley Act (GLBA).
• A Covered Entity or business associate that is defined under 45 C.F.R. 160.103. (b).

Notably, there are certain types of data that are exempted, including, but not limited to, the following:

• Protected health information is subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
• Patient-identifying data is covered under 42 U.S.C. section 290dd-2.
• Identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. 46.
• Identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the International Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use.
• The protection of human subjects under 21 C.F.R. Parts 6, 50, and 56, or personal data used or shared in research, as defined in 45 C.F.R. 164.501.
• Information and documents created for purposes of the Health Care Quality Improvement Act of 1986, 42 U.S.C. 11101 et seq.
• Patient safety work product for purposes of the Patient Safety and Quality Improvement Act, 42 U.S.C. 299b-21 et seq., as amended.
• Information derived from any of the healthcare-related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA.
• Consumer information covered under the Fair Credit Reporting Act (FCRA).
• Data collected, processed, or sold under the Driver’s Privacy Protection Act.
• Personal data regulated under the Family Educational Rights and Privacy Act.
• Farmers’ credit information under the Farm Credit Act.
• Personal data subject to the Airline Deregulation Act.
• Personal information maintained or used for purposes of compliance with the regulation of listed chemicals under the federal Controlled Substances Act.

III. Definitions of Key Terms

A. Biometric Data

Any data generated by automatic measurements of an individual’s unique biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises, or other unique biological patterns or characteristics, can be used to identify a specific individual. Biometric data does not include any of the following:

• A digital or physical photograph.
• An audio or video recording.
• Any data generated from a digital or physical photograph or an audio or video recording, unless such data is generated to identify a specific individual.

B. Consumer

Individuals who reside in the state of New Hampshire, excluding individuals operating in the commercial or employment context.

C. Consent

A clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer. Consent may include a written statement, including by electronic means, or any other unambiguous, affirmative action; however, it does not include any of the following:

• Acceptance of general or broad terms of use or similar document containing descriptions of personal data processing and other unrelated information.
• Hovering over, muting, pausing, or closing a given piece of content.
• Agreement obtained through the use of dark patterns.

D. Controller

Individuals or legal entities that determine the purpose or means of processing the personal data of consumers.

E. Personal Data

Any information linked or reasonably linkable to an identified or identifiable individual and does not include de-identified data or publicly available information.

F. Sale of Personal Data

Personal data that a controller exchanges with a third party for the purpose of monetary gain or any other valuable consideration is referred to as the “sale of personal data.” However, the definition doesn’t include:

• The disclosure of personal data to a processor that processes the personal data on behalf of the controller;
• The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
• The disclosure or transfer of personal data to an affiliate of the controller;
• The disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party;
• The disclosure of personal data that the consumer intentionally made available to the general public via a channel of mass media, and did not restrict to a specific audience.
•  The disclosure or transfer of data to a third party that is part of a merger or to a third party for purposes like providing a product requested by the consumer to an affiliate of the controller.

G. Sensitive Data

The definition of sensitive data includes a type of data that gives information about an individual’s religious beliefs, ethnic or racial origin, mental or physical health condition, citizenship or immigration status, processing of biometric and genetic data, or data related to sexual orientation of an individual. It also includes data from a known child or the precise geolocation data of an individual.

IV. Obligations for Organizations Under NHDPA

A. Data Minimization and Purpose Limitation

The NHDPA follows the privacy by design principle. The law restricts controllers from collecting or processing any additional categories of personal data or using the already collected data for purposes that are not reasonably necessary or for purposes not communicated initially unless they obtain the consumer’s consent for it.

B. Consent Requirements

Controllers require the consent of consumers before processing their sensitive data. As mentioned earlier, consent may further be required for collecting additional categories of personal data or using already collected data for purposes other than initially communicated or that are not reasonably necessary.

Controllers shall communicate and provide consumers with a mechanism to easily revoke their consent, which is at least as easy as the mechanism by which the consumer provided the request. Upon receiving a request for revocation of consent, controllers may cease to process the personal data no later than 15 days after receiving the request.

C. Privacy Notification Requirements

Controllers are required to provide consumers with a reasonably clear and easily accessible privacy notice that includes the following important information:

• Categories of personal data collected and processed.
• Purpose of processing.
• Instructions regarding how consumers can exercise their rights, including the right to appeal the decision of a controller.
• Categories of personal data shared with third parties as well as the categories of those third parties.
• An active email address or any other online means to contact the controller.

Controllers that sell personal data to third parties or process it for targeted advertising must clearly communicate and disclose such processing to the consumers, as well as the manner in which a consumer may exercise the right to opt-out of such processing.

Apart from that, controllers must provide a clear and conspicuous link on its website or web page enabling consumers to effortlessly opt out of targeted advertising or the sale of personal data.

D. Opt-out Signal Preferences

Effective from January 1, 2025, controllers must allow consumers to opt out of the processing of personal data for targeted advertising or the sale of personal data through an opt-out signal. The mechanism used for opt-out preference signals must not unfairly disadvantage another controller, be user-friendly, consistent with other similar platforms, and must enable consumers to make an “affirmative, freely given and unambiguous choice” and enable the controller to accurately determine whether the consumer is a resident of New Hampshire and whether the consumer has made a legitimate request to opt-out of any sale of such consumer’s personal data or targeted advertising. The mechanism must be as consistent as possible with other similar platforms, technology, or mechanisms required by any federal or state law or regulation.

E. Data Protection Assessment Requirements

The NHDPA also requires controllers to run data protection assessments for activities that present a heightened risk of harm. These activities may include processing of personal data for targeted advertising, sale of personal data, processing of sensitive data, and processing for the purpose of profiling where the activity may present reasonably foreseeable unfair risks, physical, financial or reputational harm to consumers, and deceptive treatment, to name a few.

Data protection assessments shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks. The controller shall factor into the data protection assessment the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed.

The attorney general may require that a controller disclose any data protection assessment that is relevant to an investigation conducted by the attorney general, and the controller shall make the data protection assessment available to the attorney general.  The attorney general may evaluate the data protection assessment for compliance with the responsibilities set forth in the law. Data protection assessments shall be confidential and shall be exempt from disclosure.

F. Data Processor's Obligations

The NHDPA imposes a number of requirements for processors. Among other things, the data processors are required to take into account the nature of processing and the information available to the processor in order to:

• fulfill the controller’s obligations to respond to consumer rights requests.
• assist the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of security or of the system of the processor.
• to provide necessary information to enable the controller to conduct and document data protection assessments.

G. Processing Under a Contract

Controllers and processors are to be bound by an agreement governing processors’ data processing practices with respect to processing performed on behalf of the controller. Under the contract, the processor shall have the following obligations:

• To ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
• delete or return personal data at the end of the provision of services or as per controllers’ instructions unless retention of the personal data is required by law;
• Upon reasonable request of the controller, make available to the controller all information in the processor’s possession necessary to demonstrate the processor’s compliance with the obligation under NHDPA;
• After providing the controller an opportunity to object, the controller may engage any subcontractor pursuant to a written contract requiring the subcontractor to meet the obligations of the processor; and
• Allow and cooperate with reasonable assessments by the controller of the processor’s policies and technical and organizational measures in order to comply with the obligations set forth in NHDPA.

H. Data Security Requirements

The NHDPA provides baseline data security requirements, requiring controllers to ensure they have implemented technical, administrative, and organizational security measures to protect data against unauthorized access.

V. Data Subject Rights

The consumers have the following rights under the NHDPA:

A. Right to Access

Consumers can exercise their right to confirm whether the controller is processing the personal data and can further request access to such data unless such confirmation or access would require the controller to reveal a trade secret.

B. Right to Correct

Consumers can request controllers to correct any inaccuracies in their personal data.

C. Right to Delete

Consumers can ask the controller to delete the personal data provided by, or obtained about, the consumer.

D. Right to Opt-Out

Consumers have the right to opt out of the processing of personal data for the purposes of:

1. targeted advertising,
2. sale of personal data, or
3. profiling, where it is used to further any automated decision making that may produce legal or similarly significant effects concerning the consumer.

E. Right to Data Portability

Consumers may request controllers to provide them with a copy of their personal data in a portable and, to the extent technically feasible, readily usable format, enabling the consumer to transmit the data to another controller without any hindrances.

F. Exercising Rights on Consumer’s Behalf

Consumers may designate an authorized agent to exercise their right to opt out of personal data processing on consumer’s behalf. In the event of the right of a known child, the parents or a legal guardian may exercise the rights of a known child on their behalf.

Response Period

The controller should respond to a consumer’s request to exercise their rights without undue delay. However, the response period should not extend beyond 45 days. Controllers may extend the period to an additional 45 days when reasonably necessary due to complexities or a high volume of requests. However, the reason for the delay must be informed to the consumer.

If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but not later than 45 days after receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision.

Data Subject Authentication

In the event a controller is unable to authenticate, using commercially reasonable efforts, the consumer making the request or their designated authorized agent, the controller has the right to not comply with the consumer request and provide a notice to the consumer stating that the controller is unable to authenticate the request until such consumer provides additional information reasonably necessary to authenticate such request.

A controller shall not be required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable and documented belief that such request is fraudulent.

VI. Regulatory Authority

The Attorney General’s Office of New Hampshire (AG) has the exclusive authority to enforce the provisions of the NHDPA.

During the period beginning January 1, 2025, and ending December 31, 2025, the AG shall, and following said period, the AG may, prior to initiating any action for a violation under the law, issue a notice of violation to the controller if cure is possible. If the controller fails to cure such violation within 60 days of receipt of the notice of violation, the AG may bring an action under the NHDPA.

The NHDPA defines violations as unfair methods of competition or any deceptive act or practice in the conduct of trade or commerce within New Hampshire.

VII. How Organizations Can Operationalize NHDPA

Controllers may operationalize the NHDPA by:

• Establishing policies and procedures for processing data in compliance with the requirements of the NHDPA;
• Developing clear and accessible privacy notices in compliance with the requirements of the NHDPA;
• Obtaining informed consent from individuals before processing their sensitive personal data;
• Developing a robust framework for receiving and processing data requests and complaints from consumers;
• Ensuring personal data security by taking appropriate security measures; and
• Training employees who handle the consumers’ data on the organization's policies and procedures, as well as the requirements of the NHDPA.

VIII. How Securiti Can Help

Securiti PrivacyOps, an integration of the Data Command Center, empowers businesses to streamline their privacy and compliance operations with the NHDPA by leveraging contextual data and AI intelligence and unified automated controls.

PrivacyOps has been named as a leader by the world’s top-rated independent firms. The tool uses a Data Command Graph to create a comprehensive knowledge graph containing all the rich metadata, security, and privacy policies, and regulatory intelligence. The knowledge graph provides you with a single source of truth around your data across all systems. This rich understanding of your data helps you to automate your data privacy operations, including but not limited to privacy impact assessments, ROPA reports or GDPR Article 30 reports, consumer privacy rights, cookie preferences, consent management, privacy notices, and breach notifications.

Request a demo to learn more.