State Privacy Law Tracker: New Hampshire

On January 4, 2023, the New Hampshire House of Representatives approved Senate Bill 255 with amendments, paving the way for New Hampshire to adopt a comprehensive privacy law. This move sets the stage for New Hampshire to hop on the comprehensive privacy law bandwagon. 

Notably, New Hampshire is set to become the 14th state to pass a comprehensive privacy law and the second state to make such legislative strides in 2024. New Jersey beat New Hampshire to the finish line earlier in January with the New Jersey Data Protection Act.

The Act is now making its way through the House, waiting for the Senate to give it a thumbs up (which seems likely, as they’ve already greenlit a similar version). If the Senate gives the latest version the thumbs up, it’s off to the New Hampshire Governor’s desk for a signature. If all goes as planned, this new privacy law will kick in on January 1, 2025.

The New Hampshire Data Privacy Act is similar to the law that Connecticut adopted in 2022, which was based on similar laws from other states, like Virginia, Colorado, and Utah. The bill would give consumers broad rights regarding their privacy and control over personal data. Below, we’ll outline some key points of the New Hampshire data privacy law. 

As the U.S. Congress struggles to enact a federal privacy law, the New Hampshire consumer protection bill was seen by privacy supporters as a step in the right direction toward privacy safeguarding. However, the Attorney General’s Office clarified that the measure was too expensive to implement. Indeed, the attorney general’s testimony emphasizing the lack of the budgeting resources available to enforce the measure in its current form was a significant factor in the committee’s decision to hold up the bill’s progression in 2023.

Individual Rights Included in the Bill

The newly passed New Hampshire bill brings that state’s legislation into line with the laws of many other states with cybersecurity and privacy laws. Residents of New Hampshire, for instance, would have access to the following rights.

1. Right to know how personal data is collected and used 
2. Right to see and get a copy of personal data
3. Right to amend erroneous personal information
4. Right to restrict and reject the gathering, using, and disclosing of personal data
5. Right to request the deletion of personal data
6. Right not to face discrimination if you exercise your privacy rights

While Senate Bill 255 helps individuals, it also gives corporations crucial, specific instructions on how to comply with their obligations. Some of the more significant features of the legislation are outlined in the section below.

Key Points for Businesses

Scope

The bill covers any entity that conducts business in New Hampshire or markets goods or services to the people of New Hampshire if that company or entity meets the threshold requirement as outlined in the law. The law also expressly exempts from its provisions certain organizations and types of business, including state and local governments, charities, personal information used solely for employment purposes, certain educational institutions and information covered by the federal Family Educational Rights and Privacy Act, and organizations covered by certain federal banking, health care, and credit reporting laws, such as HIPAA, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act.

Notice of Privacy Policies and Individual Rights

A controller is obligated to notify consumers about any activity regarding the collection of personal data and its privacy practices. The notice may be posted on the business website or otherwise communicated to consumers.

In addition, controllers must notify individuals of their privacy rights and provide a practical way to exercise them. A privacy rights request webpage, an email address, and a phone number for a designated person in charge of privacy issues are just a few examples of the ready mechanisms that businesses may choose to make available to individuals so they can exercise their privacy rights. 

Consent

Consent under Senate Bill 225 must be affirmative and not generally implied. Businesses are required to obtain consent before collecting, using, or disclosing certain sensitive information, including about children, race, ethnicity, religion, physical or mental health, sexual orientation, sex life, citizenship or immigration status, genetics, biometrics, and geolocation. 

In addition, controllers must receive consent to sell personal information to a third party. 

Cybersecurity Safeguards

Businesses are required to adopt and maintain reasonable administrative, physical, and technological protections to preserve the privacy, accuracy, and usability of personal data.

What is a Comprehensive Privacy Law?

A comprehensive privacy law, also known as a comprehensive data protection law or a general data privacy law, data-sharing privacy law, or consumer data protection law is a legal framework that sets out rules and regulations for the collection, use, storage, and protection of personal data. It is designed to safeguard individuals’ privacy rights and establish guidelines for organizations that handle personal information. 

A comprehensive privacy law typically encompasses several key elements:

1. Scope and Applicability

Scope defines the types of personal data covered by the law and specifies the entities and individuals subject to its provisions. This may include businesses, government agencies, and other organizations that process personal data.

2. Individual Rights

This section outlines the requirements for obtaining valid consent from individuals before collecting and processing their personal data. It also grants individuals certain rights, such as the right to access their data, correct inaccuracies, and request its deletion.

3. Data Handling Practices

These rules establish requirements and principles for how organizations should handle personal data. This may include requirements for data minimization (collecting only the necessary data), purpose limitation (using data only for specified purposes), and data accuracy.

4. Security and Data Breaches

This includes a set of requirements that mandate organizations to implement appropriate security measures to protect personal data from unauthorized access, loss, or misuse. It may also require organizations to report data breaches promptly and take necessary actions to mitigate harm.

5. Enforcement and Penalties

Enforcement and Penalty clauses designate regulatory authorities responsible for enforcing the privacy law, conducting investigations, and imposing penalties or fines for non-compliance. The penalties may vary based on the severity of the violation.

The European Union’s General Data Protection Regulation (GDPR) is an example of a comprehensive privacy law that sets high standards for data protection and privacy across its member states. Many US states have also implemented comprehensive laws, and the trendsetter is California’s  CPRA.

Centraleyes State Privacy Tracker

Stay with Centraleyes as we provide day-to-day updates on new developments in the area of state privacy laws.