New Hampshire set to pass comprehensive data privacy act

New Hampshire is now the 14th state to pass a comprehensive data privacy law, with Senate Bill 255, the New Hampshire Data Privacy Act (the Act). The Act is similar to other states data privacy laws, but most closely mirrors Connecticut’s Data Privacy Act. Assuming the Act makes it through the remaining legislative process, the new law would go in effect on January 1, 2025.

The Act applies to individuals or entities conducting business in the state of New Hampshire or those providing products or services aimed at residents of the state if, within one year, they handle or process the personal data of at least 35,000 unique consumers, except for data solely related to payment transactions; or they handle or process the personal data of at least 10,000 unique costumers and generate over 25 percent of their total revenue from selling personal data.

The Act also includes broad exemptions for certain entities and data categories, including, state entities and political subdivisions of the state; associations registered under 15 U.S.C. section 78o-3 of the Securities Exchange Act of 1934; financial institutions subject to the Gramm-Leach Bliley Act; covered entities or business associates governed by Health Insurance Portability and Accountability Act of 1996; nonprofit organizations; higher education institutions; personal data governed by Family Education Rights and Privacy Act.

Consumers would have the following rights under the Act:

1. The right to confirm if their personal data is being processed and access to that data, except if revealing it would disclose a trade secret.
2. The right to correct inaccuracies in their personal data, considering the nature and purpose of the data processing.
3. The right to deletion of their personal data.
4. The right to receive a copy of their processed personal ata in a portable and usable format where feasible.
5. The right to opt-out of personal data processing for targeted advertising, the sale of personal data, or profiling solely for automated decisions, such as decisions that result in the provision or denial of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services or access to basic necessities.

Another key take away is the Act’s definition of consent, indicating that consent cannot be implied nor can it be obtained through acceptance of broad terms, interaction with nonrelated content, or any deceptive design patterns.

Additionally, controllers must provide consumers with a clear and accessible privacy notice that meets standards set by the secretary of state. This notice must include:

1. Information about the types of personal data processed.
2. The purpose of processing the personal data.
3. Instructions on how consumers can exercise their rights, including the process for appealing a controller’s decision.
4. Disclosure of personal data categories shared with third parties, if applicable.
5. Information on the categories of third parties, if any, that receive personal data.
6. An active email address or other online contact method for consumers to reach the controller.

Furthermore, if a controller sells personal data or engages in targeted advertising, they must clearly and prominently disclose these practices and provide a method for consumers to opt out of them.

The Act also imposes data protection assessment for any processing activities that pose a heightened risk of harm to a consumer. Such activities include processing personal data for targeted advertising, selling personal data, processing personal data for profiling that could lead to potential harm to consumers, and processing sensitive data.

The New Hampshire Attorney General’s office is the authority responsible for enforcing violations. The Act establishes a 60-day opportunity for violators to remedy their actions before the state AG can initiate enforcement proceedings, provided the AG believes a remedy is typically feasible. Starting January 2026, the discretion to allow a cure period for a violation becomes optional, and the state AG may assess certain specified factors when deciding whether to grant a cure period.

If you have any questions about your company’s compliance with cyber regulations, concerns about vulnerability to attacks or other breaches, or if you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins’ national data privacy and cybersecurity team.