New Hampshire’s New Comprehensive Privacy Law

CLIENT ALERT


New Hampshire’s New Comprehensive Privacy Law

By Attorney Douglas Verge

On March 6, 2024, Governor Sununu approved Senate Bill 255-FN (NH RSA 507-H – Expectation of Privacy) (the “law”), a comprehensive privacy law designed to protect consumers’ private information. The law will take effect on January 1, 2025. It applies to the personal data of consumers (i.e., New Hampshire residents). Personal data means any information that is linked or reasonably linkable to an identified or identifiable individual, but does not include “de-identified data” or “publicly available information” (as those terms are defined in the law). Generally speaking, any information that reasonably could be used to identify an individual, and any private information about that identified or identifiable individual, is protected under the law, with some exceptions.

Most of the obligations under the proposed law apply to a “controller”, that is, the person (individual or entity) that alone or jointly with others determines the purposes and means of the processing of personal data (although there are obligations imposed on persons processing the personal data for the controller as well).

A key question is how many businesses will the law really affect. The starting point is that the law applies to persons that conduct business in New Hampshire or produce products or services that are targeted to residents of New Hampshire. In addition, the person must during a one year period either (a) control or process the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or (b) control or process the personal data of not less than 10,000 unique consumers and derive more than 25 percent of the person’s gross revenue from the sale of personal data. Sale of personal data means the exchange of personal data for monetary or other valuable consideration by the controller to a third party. There are a number of exceptions to the definition of sale of personal data, including the disclosure of personal data to a processor that processes the personal data on behalf of the controller.

The law also contains a number of exclusions for certain types of persons, including New Hampshire governmental bodies, authorities, boards, bureaus, commissions, districts and agencies; nonprofit organizations; and institutions of higher education.

While 35,000 residents might seem like a lot, that number is significantly lower than the threshold in many other states. And it is important to keep in mind that the law applies to persons that “control” or “process” the personal data of not less than 35,000 unique consumers (i.e., NH residents) during a one year period (unclear which one year period, but presumably any one year period subsequent to the effective date of January 1, 2025, and possibly as of the immediately preceding year). Control is not a defined term, but process means “any operation or set of operations performed, whether by manual or automated means, on personal data or sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion or modification of personal data.”

The new law excludes from the 35,000 threshold computation personal data controlled or processed solely for the purpose of completing a payment transaction. On its face the law would appear to exclude things like a customer placing an order online through a shopping cart and providing personal information to make that purchase. The exemption would not cover instances where the payment transaction personal information is retained and used for other purposes, such as marketing. There are other exemptions not related to the initial threshold determination, some entity determinative and others data determinative, that should be examined by each organization for applicability.

Presumably many organizations use, store, and/or analyze the personal data of at least 35,000 NH residents in any given year, even if they do not collect personal data of 35,000 residents each year. Combining all of the possible processing operations identified certainly could result in organizations reaching the 35,000 residents threshold. Furthermore, it is important to keep in mind that IP addresses, browser identifiers, device identifiers, and the like are all forms of personal data. Also, if organizations are using marketing or analytics companies, or are themselves implementing cookies or other tracking technologies for visitors to their websites, the threshold is more likely to be met. Similarly, technologies such as web beacons included in emails that extract personal information must be factored into the threshold number.

The new law specifies certain rights that consumers have with regard to their personal data, including the right (with some limitations) to:

  • confirm whether or not a controller is processing the consumer’s personal data as well as the right to access such personal data
  • correct inaccuracies in the consumer’s personal data
  • delete personal data provided by, or obtained about, the consumer
  • obtain a copy of the consumer’s personal data processed by the controller
  • opt-out of the processing of the personal data for purposes of targeted advertising, the sale of personal data (except as otherwise provided in the law), or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer

The new law also would require consumers to be informed of these rights and how to exercise them through a reasonably accessible, clear and meaningful privacy notice (what some call a “privacy policy”) meeting standards established by the New Hampshire Secretary of State, and that includes:

(a) the categories of personal data processed by the controller;
(b) the purpose for processing personal data;
(c) how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request;
(d) the categories of personal data that the controller shares with third parties, if any;
(e) the categories of third parties, if any, with which the controller shares personal data; and
(f) an active electronic mail address or other online mechanism that the consumer may use to contact the controller.

If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt-out of such processing.

The law imposes other obligations on the controller, including limiting the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed and, unless otherwise permitted, not processing personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed, unless the controller obtains the consumer’s consent.

Importantly, the controller must establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue. And, the controller must not process sensitive data (as defined in the law) concerning a consumer without obtaining the consumer’s consent, or discriminate against a consumer for exercising any of the consumer rights contained in the law.

The NH Attorney General has exclusive enforcement rights – there is no private right of action under the law. Violation of the privacy law will be a violation of RSA 358-A:2 (the NH consumer protection law).

While many businesses already have considered and addressed requirements similar to those imposed by the new law, many have not. Much work is required to properly prepare for and effectuate compliance with the law, such as undertaking personal data inventories and mapping, and making sure proper privacy notices and data processing agreements are in place. The clock is ticking – only a little over 6 months to get everything in place. Time to get going!


This article is intended to serve as a summary of the issues outlined herein. While it may include some general guidance, it is not intended as, nor is it a substitute for, legal advice.