It’s official – New Hampshire has joined the procession of states across the nation (from California to Connecticut and many states in between) enacting broadly applicable consumer privacy laws.
Core Requirements
Like its predecessors, the New Hampshire Privacy Act (NHPA) requires any business that operates in New Hampshire, or produces products or provides services targeted to residents there, and meets certain applicability thresholds, to comply with several new requirements, including:
- Providing consumers with a comprehensive privacy notice that includes relatively granular information about the personal data that the business collects from or about the consumer (with “personal data” defined very broadly to include any information that is “linked or reasonably linkable to an identified or identifiable individual”), describes how that data is used and shared with third parties, and explains consumers’ new rights enshrined by the NHPA with respect to that data (e.g., rights to access, correct, and delete personal data) and how to exercise those rights.
- Allowing consumers to “opt out” of the sale of their personal data or the use of their personal data for targeted advertising or profiling purposes.
- Upon request, providing the consumer with access to the personal data the business holds about them, correcting or deleting that personal data, and making the personal data available in a commonly used format to the consumer or a third party.
- Obtaining a consumer’s affirmative consent before processing certain sensitive personal data, including racial or ethnic data, certain health data, biometric data, personal data of children under 13 years old, and precise geolocation data.
- Entering into written data protection contracts with downstream service providers that process personal data on behalf of the business.
Operational Impacts
Having counseled and advised many clients navigating similar laws passed by other states, we encourage businesses subject to the NHPA to evaluate the law’s operational impacts by:
- Ensuring that the business is prepared to respond to consumers’ requests to exercise their rights within the law’s prescribed timeframe, which may require conducting a data mapping exercise to determine what personal data the business holds about consumers and where that personal data is stored.
- Reviewing contracts with service providers that process personal data on the business’s behalf to ensure each contract includes appropriate restrictions on the service provider’s use and disclosure of such personal data.
- Conducting and documenting any required data protection assessments prior to engaging in certain conduct involving consumer personal data, including processing sensitive data or processing any personal data for purposes of targeted advertising.
- Adopting a data minimization approach to collecting consumer personal data, limiting that collection to data that is adequate, relevant, and reasonably necessary in relation to the purposes for which it is collected, and maintaining and complying with an internal data retention policy.
- Implementing reasonable administrative, technical, and physical safeguards to protect consumers’ personal data from unauthorized access, use, and disclosure.
The NHPA takes effect January 1, 2025, so businesses have time to get their practices, policies, and procedures in order before the NH attorney general begins enforcing the law.