Background Brief: New Hampshire Consumer Expectation of Privacy Act

Are you New HampSURE you’re ready for the new NH Privacy Act?

New Hampshire became the 14th state to enact a comprehensive consumer privacy law when Governor Chris Sununu signed SB 255-FN (“An Act relative to the expectation of privacy”) into law on March 6, 2024.

The Act delivers many of the privacy protections consumers have in other U.S. states that have already introduced similar data privacy laws, including rights to request access to their personal data records held by controllers and have those records corrected and/or deleted, as well as opt-out from having their personal data sold or used for targeted advertising.

Also known as the New Hampshire Consumer Expectation of Privacy Act (NHPA), the state’s privacy law is enforceable from January 1, 2025. Controllers must honor opt-out requests by no later than January 1, 2025.

Key Dates: New Hampshire Consumer Data Privacy Law

• January 19, 2023 – SB255 “Relative to the expectation of privacy” is introduced in the New Hampshire Senate and referred to the Judiciary Committee.
• March 16, 2023 – House Bill 314-FN “relative to the expectation of privacy in the collection and use of personal information” is introduced in the New Hampshire House of Representatives. It differs slightly from SB255 with broader privacy protections for the state’s citizens, including a private right of action against companies.
• March 6, 2024 – New Hampshire Governor Chris Sununu signs SB 255-FN, (“relative to the expectation of privacy”) into law. In a media release announcing the new law he says: “New Hampshire is living up to our motto as the ‘Live Free or Die’ state by ensuring that ‘The Granite Staters’ have control over their personal information. This law provides transparency about what information is collected, why, and confidence that in the age of AI, steps are taken to protect that data.”
• January 1, 2025 – New Hampshire Consumer Expectation of Privacy Act becomes enforceable.

New Hampshire Expectation of Privacy: Consumer Personal Data Rights

SB255-FN / the New Hampshire Act relative to the expectation of privacy defines a consumer as “an individual who is a resident of this state” and just like many other U.S. state data privacy laws (apart from those in California), the definition of a consumer excludes individuals “acting in a commercial or employment context.”

The text of the Act defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable individual.” This definition excludes “de-identified data or publicly available information.”

New Hampshire residents – along with parents/guardians on behalf of their children and conservators/guardians of consumers subject to protective arrangements – can exercise their personal data privacy rights by contacting each controller via “a secure and reliable means established by the secretary of state and described to the consumer in the controller’s privacy notice.”

By January 1, 2024, controllers must also honor verified consumers’ opt-out requests signaled via browser extension or device settings such as Global Privacy Control (GPC).

The ‘expectation of privacy’ rights for consumers in New Hampshire include:

• Right to confirm (right to know) whether a controller is processing their personal data and Right to access their personal data about them held by a controller, “unless such confirmation or access would require the controller to reveal a trade secret.”
• Right to correct inaccuracies in their personal data, “taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data.”
• Right to delete personal data provided by or about the consumer.
• Right to obtain a copy (portability) of their personal data processed by the controller. Controllers must provide the consumer with a copy of their personal data “in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means, provided such controller shall not be required to reveal any trade secret.”
• Right to opt-out from the processing of their personal data for the purposes of targeted advertising, sale of personal data (the text also refers to controller responsibilities under NH 507-H:6, which prohibit controllers from selling personal data consumers aged 13 to 16 without the consumer’s consent) or personal data used for profiling “in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.”
  Note: controllers are not required to authenticate opt-out requests, but may deny any requests they believe are fraudulent, provided they send notices to the people who made the requests.
• Right to non-discrimination for exercising consumer rights – this right is listed in the same subsection as the opt-out right. Prohibited forms of discrimination mentioned include “denying goods or services, charging different prices or rates for goods or services or providing a different level of quality of goods or services to the consumer.”

Controllers must respond to New Hampshire consumers’ personal data rights requests within 45 days.

A controller can extend the period to process the requests by 45 more days (considering their complexity and number), but the consumer must first be told the reason for the extension within the initial 45 day period. Consumers must be informed of a decision to decline the rights request within 45 days, and be given a justification for the decision along with instructions on how to appeal.

Consumers are allowed to make such requests free of charge once in any 12-month period; while controllers may charge “a reasonable fee” to cover the administrative costs or responding to consumer requests the controller can demonstrate are “manifestly unfounded, excessive or repetitive.”

Sensitive Personal Data Requirements

New Hampshire’s data privacy law prevents controllers from processing a consumer’s sensitive personal data unless they’ve first obtained the consumer’s consent (opt-in). This provision is in line with sensitive data privacy protections in other state’s similar laws and includes a requirement for controllers to comply with the federal Children’s Online Privacy Protection Act (COPPA) when processing the sensitive data of a known child.

Any personal data collected from a known child is classified as sensitive data.

New Hampshire SB255 privacy law defines ‘sensitive data’ for adults as personal data that reveals a consumer’s:

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health condition or diagnosis
• Sex life
• Sexual orientation
• Citizenship or immigration status
• Genetic or biometric data (“for the purpose of uniquely identifying an individual”); and/or
• Precise geolocation within 1750 feet (excluding “the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility”).

Applicability: Who Must Comply with New Hampshire SB255 Privacy Law?

The compliance requirements of New Hampshire’s privacy law apply to any person who conducts business in New Hampshire or produces products or services targeted to residents of New Hampshire during a one-year period:

• Controlled or processed the personal data of 35,000 or more unique consumers. However, this threshold excludes “personal data controlled or processed solely for the purpose of completing a payment transaction.”

or

• Controlled or processed the personal data of 10,000 or more unique consumers and derived more than 25% of their gross revenue from the sale of personal data.

Exempted Organizations and Data Under New Hampshire Privacy Law

The New Hampshire Privacy Law includes exemptions similar to those under other state consumer privacy laws, such as organizations regulated by HIPAA and GLBA, and personal information regulated by FCRA, DPPA, and FERPA.

Controllers and processors that comply with the verifiable parental consent requirements of the Children’s Online Privacy Protection Act (COPPA) shall be deemed compliant with any obligation to obtain parental consent.

New Hampshire Privacy Law Compliance Requirements

Under New Hampshire’s data privacy law, controllers must comply with the following requirements related to the collection and processing of personal data:

• Limit the collection of personal data to what is adequate, relevant and reasonably necessary to the disclosed purposes for which the data is processed
• Obtain the consumer’s consent before processing their personal data for other purposes that are neither reasonably necessary to, nor compatible, with the disclosed purposes – this consent requirement also applies to the processing of personal data for sale or for the purposes of targeted advertising or profiling, and the processing of sensitive data – or in the case of a known child, the controller must process such data in compliance with COPPA
• Not process personal data in violation of state and federal laws prohibiting unlawful discrimination against consumers
• Support consumers’ right to revoke consent to selected data collection and processing activities by providing an effective mechanism that is at least as easy to use as the mechanism by which the consumer provided their consent – and when a consumer exercises this right, stop processing the data as soon as practicable and at least within 15 days of consent being revoked
• Publish a privacy notice (see below) and
• Disclose whether the controller sells personal data to third parties or processes personal data for targeted advertising and if so, provide a clear and conspicuous link on the controller’s website to a page that enables a consumer or an agent acting on their behalf to opt-out of the target advertising of sale of the consumer’s personal data.
  Note: universal opt-out signals (e.g., Global Privacy Control) must be honored by January 1, 2025.

Controllers must also comply with the following data protection requirements:

• Establish, implement and maintain reasonable data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue
  and
• Conduct and document a data protection assessment for each processing activity that presents a heightened risk of harm to the consumer including:
  – processing of sensitive data
  – sale of personal data
  – processing of personal data for the purposes of targeted advertising or profiling.

Privacy Notice Requirements in New Hampshire

Controllers must provide consumers with a privacy notice that is reasonably accessible, clear and meaningful, which meets the “standards established by the secretary of state”) and includes:

• Categories of personal data processed by the controller
• Purpose for processing personal data
• How consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision about a consumer rights request;
• Categories of personal data shared by the controller with third parties (if any)
• Categories of third parties (if any) with which the controller shares personal data and
• An active email address or other online mechanism the consumer may use to contact the controller.

New Hampshire Privacy Act Processor Responsibilities

Processors must adhere to the instructions of a controller and assist the controller in meeting the controller’s obligations, taking into consideration the nature of processing and the information available to the processor to:

• Fulfill the controller’s obligations to respond to consumer rights requests
• Ensure security of processing personal data
• Notify a breach of security or breach of the processor’s system/s and
• Provide information needed by the controller to conduct and document data protection assessments.

A controller and a processor must enter a binding contract governing the processor’s data processing procedures performed on behalf of the controller that clearly details instructions for:

• Processing data and the nature and purpose of processing
• Type of data subject to processing
• Duration of processing and
• Rights and obligations of both parties.

The contract must also require the processor to:

• Ensure each person processing personal data is subject to a duty of confidentiality with respect to the data
• When directed, delete or return all personal data to the controller at the end of the provision of services – unless retention of personal data is required by law
• When reasonably requested, make available to the controller all information necessary to demonstrate the processor’s compliance with New Hampshire’s data privacy law
• After providing the controller an opportunity to object, engage any subcontractor under a written contract requiring the subcontractor to meet the processor’s obligations with respect to personal data and
• Allow and cooperate with reasonable compliance assessments, and provide a report of such assessment to the controller on request. These assessments can be conducted by the controller, an assessor designated by the controller or a qualified and independent assessor arranged by the processor, and must use an appropriate and accepted control standard or framework and assessment procedure.

New Hampshire Privacy Act Notice and Enforcement

In New Hampshire the state’s Attorney General has exclusive authority to enforce violations of the Act. Consumers do not have a private right of action.

For the first year the Act is in force – from January 1 to December 31, 2025 – before the Attorney General initiates any action for violation of the Act, the AG shall:

• Issue a notice of a violation to a controller if the AG determines that a cure is possible
• Give the controller up to 60 days to cure the violation and
• Bring an enforcement action if the controller fails to cure the violation.

From January 1, 2026, the New Hampshire Attorney General may consider whether to grant a controller or processor the opportunity to cure an alleged violation of the Act based on several factors, including:

• Number of violations
• Size and complexity of the controller or processor
• Nature and extent of the controller’s or processor’s processing activities
• Substantial likelihood of injury to the public
• Safety of persons or property and
• Whether the alleged violation was likely caused by human or technical error.

Penalties are not specified in the text of the New Hampshire Consumer Expectation of Privacy Act, although it does state that a violation “shall constitute an unfair method of competition or any unfair or deceptive act or practice in the conduct of any trade or commerce within this state under RSA 358-A:2.” (New Hampshire Regulation of Business Practices for Consumer Protection.)