The New Hampshire Comprehensive Data Privacy Act:What You Need to Know

The New Hampshire legislature passed Senate Bill 255, also known as the New Hampshire Consumer Data Privacy Act. This law grants New Hampshire residents significant privacy rights while placing important obligations on businesses.

With the law taking effect on January 1, 2025, you still have time to prepare, but it's crucial to understand your compliance requirements now.

Does New Hampshire have a data privacy law?

Yes, New Hampshire has a data privacy law.

On March 6, 2024, the state passed the New Hampshire Consumer Data Privacy Act (SB 255), which safeguards consumers' personal data. This law provides similar protections to those found in other state privacy laws, giving individuals the right to access, delete, and opt out of the sale of their personal data. Additionally, as a business, you must be transparent about your data practices and ensure you implement reasonable data security measures.

What is the New Hampshire Act relative to the expectation of privacy

The New Hampshire Consumer Data Privacy Act sets a legal framework that requires you to respect consumers' privacy by giving them control over their personal data. Your customers will have the right to manage their data and opt out of certain processing activities, such as targeted advertising, which means your business needs to adapt its practices to meet these requirements.

Does the New Hampshire Consumer Data Privacy Act apply to your business?

The NHCDPA applies to your business if you're located in New Hampshire or outside the state but offer products and services targeted at New Hampshire residents. You must comply if, during one year, you either:

• Control or process the personal data of at least 35,000 unique consumers, excluding personal data used solely to complete a payment transaction, or
• Control or process the personal data of at least 10,000 unique consumers and derive more than 25% of your gross revenue from the sale of personal data.

These thresholds are lower than those in other states, meaning even collecting IP addresses through tools like Google Analytics could trigger compliance requirements.

However, certain organizations are exempt, including:

• Government bodies
• Nonprofit organizations
• Higher education institutions
• National securities associations
• Financial institutions or data covered by the Gramm-Leach-Bliley Act

What is the invasion of privacy law in New Hampshire?

In New Hampshire, the NHCDPA requires your business to protect individuals from unauthorized use or disclosure of their personal data. The law reinforces these protections by giving residents control over how their personal information is used, sold, or shared, meaning your business must comply with these regulations to ensure proper handling of consumer data.

What is personal data under the New Hampshire privacy bill?

Personal data, under the NHCDPA, includes any information linked or reasonably linkable to an identified or identifiable individual. This means any information related to your customers can be considered personal data unless it is de-identified or made publicly accessible.

The law also provides stricter protections for sensitive personal information. Sensitive data includes:

• Data revealing racial or ethnic origin, religious beliefs, mental or physical health conditions, sex life, sexual orientation, or citizenship/immigration status
• Genetic or biometric data used to uniquely identify an individual
• Personal data of a known child
• Precise geolocation data

However, some personal data is excluded from the NHCDPA, such as:

• Health data covered by HIPAA and related laws
• Financial data covered by the FCRA, GLBA, and other laws
• FERPA-protected data
• Data protected under the Driver's Privacy Protection Act
• Personal data covered by other industry-specific laws

What duties does your business as a controller have under the NH comprehensive privacy law?

As a business acting as a controller under the New Hampshire Consumer Data Privacy Act, you must meet several significant requirements:

• Collect only personal data that is necessary and directly related to the stated purpose, and inform your customers about this purpose.
• Avoid using personal data for unrelated purposes unless the consumer provides consent.
• Implement strong data security measures appropriate to the volume and type of data you handle.
• Obtain consent for processing sensitive personal data.
• Follow state and federal anti-discrimination laws when handling personal data.
• Allow consumers to withdraw consent easily and stop using their data within 15 days of withdrawal.
• Do not use personal data for targeted ads or sell it without consent, particularly if the consumer is between 13 and 16 years old.
• Honor consumer requests within 45 days of submission.
• Provide consumers the option to opt out of the sale of personal data or its use for targeted advertising.
• Ensure consumers aren't penalized for exercising their rights, such as by charging higher prices or offering lower-quality services.
• Maintain written data processing agreements with data processors.
• Conduct data protection impact assessments when required.

What are the processor's responsibilities?

The processor is the person or entity processing personal data on behalf of the controller.

Let's say that you use Google Analytics on your website. They process personal data on your behalf, which means they are your processors and you are the controller.

Processors must follow the controller's directions as laid down in a written contract. The contract is obligatory. Not having a contract makes the processing unlawful.

The contract should outline the data processing activities a processor does for a controller. This contract must be clear and legally binding, detailing how data will be processed, why, what kind of data, how long, and the responsibilities of both parties. The contract should also require the processor to:

Make sure everyone handling personal data keeps it confidential.

Delete or return all personal data to the controller when asked, at the end of their services, unless the law says to keep the data.

Provide the controller with all the information needed to show the processor is meeting its obligations in this chapter when the controller asks for it.

If hiring subcontractors, inform the controller first and ensure the subcontractors agree in writing to meet the same data handling standards.

Allow the controller (or their chosen assessor) to check how well the processor is meeting its obligations, or arrange for an independent assessor to do this. The processor must then give the controller a report of this assessment when asked.

On top of that, the processors' duties also include helping the controller fulfill their duties, such as:

• Handling requests from consumers about their rights, considering the type of data processing and information the processor has;
• Assisting the controller in ensuring data processing is secure and in managing and reporting any data breaches, based on the type of data processing and information the processor has.
• Giving the controller the information they need to carry out and record data protection assessments.

Do you need to obtain consent for data processing?

In general, the New Hampshire Consumer Data Privacy Act follows the opt-out principle. It means that you don't need consent for data processing.

However, you need explicit consent for processing consumers' sensitive personal information. Consent must be freely given, unambiguous, informed, and specific.

When it comes to obtaining consent for the processing of children's data, you can rely on the methods described in the Children Online Privacy Protection Act.

What is the NHCDPA privacy policy?

As a controller, you are required to provide your consumers with a privacy policy that, at a minimum, includes:

• The categories of personal data you process
• The purpose for processing personal data
• How consumers can exercise their rights and appeal your decisions regarding their requests
• The categories of personal data you share with third parties, if any
• The categories of third parties you share personal data with, if applicable
• An email address or other online mechanism that consumers can use to contact you

What are the NH state privacy law opt-out requirements?

As a business, you must allow New Hampshire residents to opt out of the sale of their personal information or targeted advertising. You are required to provide an opt-out link on your website where consumers or their authorized agents can exercise this right.

Additionally, you must honor consumers' universal opt-out signals as valid requests. If a consumer's browser sends opt-out signals, you cannot sell their data or use it for targeted advertising.

If these opt-out signals conflict with a consumer's participation in loyalty or reward programs, you must comply with the opt-out request and inform the consumer that their data will no longer be processed for the program.

What are the NHCDPA consumer privacy rights and how do you exercise them?

New Hampshire consumers have the following rights:

• Know about the data processing
• Access their personal information
• Erase their data
• Opt out of the sale or processing of their data for targeted advertising
• Data portability

As a business, you must explain the methods for exercising these rights in your privacy policy. When consumers submit requests, you have 45 days to respond, but you must first verify their identity. Consumers also have the option to designate an authorized agent to submit requests on their behalf.

Data Protection Assessments according to the NH Data Privacy Law

As a business, you must conduct and document a data protection assessment for each data handling activity that could significantly harm consumers. Activities considered high-risk include:

• Using personal data for targeted advertising
• Selling personal data
• Processing personal data for profiling, especially if it may lead to unfair or deceptive actions, discrimination, financial harm, reputational damage, or physical harm, or if it intrudes on personal life in a way that could cause significant distress
• Processing sensitive data

When conducting these assessments, you should weigh the benefits of data processing for your business, consumers, others, and the public against the potential risks to consumer rights. Consider factors like:

• How risks can be minimized through security and privacy measures
• Whether non-identifiable data can be used
• What consumers expect
• The context of data processing
• Your relationship with the consumer whose data is being processed

If requested by the attorney general, you must provide any data protection assessment for investigation purposes.

One assessment can cover multiple similar activities, and if you've completed a similar assessment under another law or regulation, it may fulfill these requirements.

These data protection assessments are mandatory for data processing activities starting after July 1, 2024, and do not apply retroactively.

NHCDPA enforcement and penalties

The New Hampshire Attorney General has the authority to enforce the provisions of the New Hampshire Consumer Data Privacy Act. During the first year, if your business violates the law, you will have a 60-day cure period to correct the issue.

However, starting in 2026, penalties may be imposed without offering a cure period.

The Attorney General's Office will decide whether to grant a cure period based on several factors:

• The number of violations
• The size and complexity of your business as a controller or processor
• The nature and scope of your data processing activities
• The likelihood of public harm
• The safety of individuals or property
• Whether the violation was caused by human or technical error

How to comply with the New Hampshire comprehensive privacy bill

If your business operates in New Hampshire, it's essential to prepare for compliance with the New Hampshire Consumer Data Privacy Act (NHCDPA).

Secure Privacy's data privacy compliance solution supports over 40 global data protection laws, including all 14 US state privacy laws. We will also support the New Hampshire Consumer Data Privacy Act (SB 255) once it takes effect.

We can assist you in managing consumer consent for processing sensitive data, handling consumer requests, and creating a comprehensive privacy policy that meets all the legal requirements.

Stay ahead of compliance and protect your business by preparing today.