On March 6, 2024, New Hampshire Governor Chris Sununu signed Senate Bill 255 into law, making New Hampshire the 14th U.S. state to enact a comprehensive privacy law. The law, which becomes effective on January 1, 2025, is only enforceable by the state attorney general (AG), and provides a 60-day cure period for compliance violations for one year after enactment. After that, beginning on January 1, 2026, the AG will have the discretionary power to provide any cure period.
Applicability
The law applies to persons that conduct business in the state of New Hampshire or that produce products or services that are targeted to its residents. Specifically, it applies to those who, during a one-year period: (a) controlled or processed the personal data of no fewer than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (b) controlled or processed the personal data of no fewer than 10,000 unique consumers and derived more than 25% of their gross revenue from the sale of personal data. The threshold requirements are typically lower than those of other states. For example, New Jersey, which only recently enacted its comprehensive privacy law, regulates businesses that “control or process the personal data of at least 100,000 consumers or control or process the personal data of at least 25,000 consumers (in line with Colorado, Connecticut, Iowa, Indiana, Oregon, and Virginia).” In contrast, California and Utah also established annual revenue thresholds in addition to thresholds on volume and sales.
Exemptions
The law, like other state privacy laws, carves out exemptions for certain entities and categories of data. For example, these exemptions include entities subject to Title V of the Gramm-Leach-Bliley Act, nonprofit organizations, and institutions of higher education, to name a few. Additionally, the law provides data-level exemptions, such as protected health information under HIPAA.
Consumer Rights
The new law provides consumers with a range of rights present in other comprehensive state privacy laws. These rights include the right to verify if a controller is processing their personal data; the right to rectify inaccuracies; the right to erase personal data; the right to receive a portable and easily usable copy of personal data; and the right to opt out of data processing for targeted advertising, personal data sales, or profiling that solely results in automated decisions with legal or similarly significant implications.
Expansive Definitions
In line with other comprehensive state privacy laws, New Hampshire will require that a business secure a consumer’s opt-in consent before processing sensitive data. The consent must be a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of their personal data. Additionally, under the new law, sensitive data is defined to encompass data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data.
Enforcement
The AG maintains exclusive authority to enforce violations under the law, with no provision for a private right of action. Additionally, the law does not explicitly specify any fines or penalties for noncompliance.
Final Take-Away
Three months into the new year, New Hampshire has become the second state to implement a comprehensive privacy law. While the law does not impose new obligations, it underscores the necessity for organizations to reassess privacy compliance programs to guarantee adherence to the plethora of existing state privacy laws and prepare for future ones.