New Hampshire’s governor has signed into law the second comprehensive state privacy law of 2024. The law takes effect on January 1, 2025 – the same day as Iowa and Delaware (with New Jersey going into effect two weeks later). The law closely resembles other state privacy laws.
Like most other state privacy laws, New Hampshire does not define “consumer” to include those in an employment context. The New Hampshire Attorney General’s office has enforcement powers and, like other states, there is no private right of action. The law also does not include provisions for additional rulemaking, mirroring most of the states (with the notable exceptions of California, Colorado, and New Jersey).
Key provisions include:
- Applicability. Like Delaware and Montana, New Hampshire’s privacy law has a lower applicability threshold, perhaps reflecting the state’s lower overall population. The law will apply to businesses that either (1) process personal data of at least 35,000 New Hampshire residents or (2) control or process personal data of at least 10,000 consumers and derive more than twenty-five percent of their gross revenue from the sale of personal data. The law also contains several familiar exemptions. Non-profits, higher education institutions, and national securities associations are exempt. The law also contains exemptions for entities that comply with GLBA and HIPAA.
- Sensitive information. Businesses that process New Hampshire consumers’ sensitive information must obtain consumer consent before processing. The list of information deemed “sensitive” is familiar by now and aligns with other state laws. This information includes consumers’ religion, health information, and sexual orientation.
- Consumer rights. New Hampshire consumers will have a slate of rights familiar from other states. This includes the right to access, correct, delete, and port personal information. Consumers may designate an authorized agent to act on the consumer’s behalf. Timing for processing rights is 45 days – the same as other states except Iowa and New Jersey, which provide 60 days and 90 days, respectively. Like nine other states, businesses will need to comply with universal online opt-out mechanisms by July 1, 2025, six months after the law takes effect.
- Opt-out mechanisms for targeted advertising, sale, profiling. New Hampshire residents must be given notice of, and the ability to opt out of, targeted advertising, the sale of their data, and profiling. If a business engages in these activities, it will need to conduct a data protection assessment.
- Data Protection Impact Assessments. Like all states except Iowa and Utah, businesses must conduct data protection impact assessments if processing data that presents a heightened risk to consumers. This includes processing consumer data for targeted advertising, risky profiling, selling consumer data, or processing sensitive information.
Putting it Into Practice: If these provisions are sounding familiar, it is because they are in many ways. It appears that passage of these laws will continue apace in 2024. Businesses will want to keep this in mind as they develop their privacy programs. Keeping in mind the potential for new requirements as well as understanding the nuanced differences between these states will be useful for a scalable compliance program.