At the onset of 2023, a bipartisan group of lawmakers, led by Senator Sharon Carson, introduced a sweeping New Hampshire privacy act, SB 255, intending to provide New Hampshire consumers with more control over their personal data.
In May 2023, progress on the New Hampshire privacy law came to a screeching halt, as the House Committee voted on suspending consideration of the bill for six months.
The New Hampshire data privacy act is similar to the law that Connecticut adopted in 2022, which itself was based on similar laws from other states, like Virginia, Colorado, and Utah. The bill would give consumers broad rights regarding their privacy and control over personal data. We’ll outline some key points of the New Hampshire data privacy law below.
As the U.S. Congress struggles to enact a federal privacy law, the New Hampshire consumer protection bill was seen by privacy supporters as a step in the right direction toward privacy safeguarding. However, the Attorney General’s Office made it clear that the measure was too expensive to implement. Indeed, the attorney general’s testimony emphasizing the lack of the budgeting resources available to enforce the measure in its current form was a significant factor in the committee’s decision to hold up the bill’s progression.
Individual Rights Included in the Bill
If Senate Bill 255 is accepted by New Hampshire, it will bring that state’s legislation into line with the laws of the many other states and nations that have cybersecurity and privacy laws. Residents of New Hampshire, for instance, would have access to the following rights.
- Right to know how personal data is collected and used
- Right to see and get a copy of personal data
- Right to amend erroneous personal information
- Right to restrict and reject the gathering, using, and disclosing of personal data
- Right to request the deletion of personal data
- Right not to face discrimination if you exercise your privacy rights
While Senate Bill 255 helps individuals, it also gives corporations crucial, specific instructions on how to comply with their obligations. Some of the more significant features of the legislation are outlined in the section below.
Key Points for Businesses
Scope
The bill covers any entity that conducts business in New Hampshire or markets goods or services to the people of New Hampshire if that company or entity meets the threshold requirement as outlined in the law. The law also expressly exempts from its provisions certain organizations and types of business, including state and local governments, charities, personal information used solely for employment purposes, certain educational institutions and information covered by the federal Family Educational Rights and Privacy Act, and organizations covered by certain federal banking, health care, and credit reporting laws, such as HIPAA, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act.
Notice of Privacy Policies and Individual Rights
A controller is obligated to notify consumers about any activity regarding the collection of personal data and its privacy practices. The notice may be posted on the business website or otherwise communicated to consumers.
In addition, controllers must notify individuals of their privacy rights and provide a practical way to exercise them. A privacy rights request webpage, an email address, and a phone number for a designated person in charge of privacy issues are just a few examples of the ready mechanisms that businesses may choose to make available to individuals so they can exercise their privacy rights.
Consent
Consent under Senate Bill 225 must be affirmative and not generally implied. Businesses are required to obtain consent before collecting, using, or disclosing certain sensitive information, including about children, race, ethnicity, religion, physical or mental health, sexual orientation, sex life, citizenship or immigration status, genetics, biometrics, and geolocation.
In addition, controllers must receive consent to sell personal information to a third party.
Cybersecurity Safeguards
Businesses are required to adopt and maintain reasonable administrative, physical, and technological protections to preserve the privacy, accuracy, and usability of personal data.
What is a Comprehensive Privacy Law?
A comprehensive privacy law, also known as a comprehensive data protection law or a general data privacy law, data-sharing privacy law, or consumer data protection law is a legal framework that sets out rules and regulations for the collection, use, storage, and protection of personal data. It is designed to safeguard individuals’ privacy rights and establish guidelines for organizations that handle personal information.
A comprehensive privacy law typically encompasses several key elements:
- Scope and Applicability
Scope defines the types of personal data covered by the law and specifies the entities and individuals subject to its provisions. This may include businesses, government agencies, and other organizations that process personal data.
- Individual Rights
This section outlines the requirements for obtaining valid consent from individuals before collecting and processing their personal data. It also grants individuals certain rights, such as the right to access their data, correct inaccuracies, and request its deletion.
- Data Handling Practices
These rules establish requirements and principles for how organizations should handle personal data. This may include requirements for data minimization (collecting only the necessary data), purpose limitation (using data only for specified purposes), and data accuracy.
- Security and Data Breaches
This includes a set of requirements that mandate organizations to implement appropriate security measures to protect personal data from unauthorized access, loss, or misuse. It may also require organizations to report data breaches promptly and take necessary actions to mitigate harm.
- Enforcement and Penalties
Enforcement and Penalty clauses designate regulatory authorities responsible for enforcing the privacy law, conducting investigations, and imposing penalties or fines for non-compliance. The penalties may vary based on the severity of the violation.
The European Union’s General Data Protection Regulation (GDPR) is an example of a comprehensive privacy law that sets high standards for data protection and privacy across its member states. Many US states have also implemented comprehensive laws, and the trendsetter is California’s CPRA.
Centraleyes State Privacy Tracker
Stay with Centraleyes as we provide day-to-day updates on new developments in the area of state privacy laws.
