On January 18, 2024, the New Hampshire Senate passed by voice vote SB255, the New Hampshire Privacy Act (NHPA), amended by the New Hampshire House of Representatives. The bill will head to Governor Chris Sununu’s desk. After his signature, the bill is slated to take effect January 1, 2025.

As has become the norm, while this new state privacy law largely tracks the Virginia model, there are some nuances that make it unique.

Below is an overview of key aspects of the NHPA. You can access information about all of the state consumer laws that have been enacted by consulting our interactive state privacy law map.

IN DEPTH

WHO DOES THE NHPA APPLY TO?

The NHPA does not include a revenue threshold. Rather, it applies to any business or person that produces products or services that are targeted to residents of New Hampshire, and either:

1. Controls or processes the personal data of at least 35,000 unique New Hampshire consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
2. Controls or processes the personal data of at least 10,000 unique New Hampshire consumers and derives more than 25% of its gross revenue from the sale of personal data.

New Hampshire is the first state to add the “unique” descriptor to consumers in this context, though most industry readers have read that qualification into other state privacy laws to date.

WHO IS A “CONSUMER”?

Under the NHPA, a consumer is an individual who is a resident of New Hampshire, but it excludes individuals acting in commercial or employment context.

WHAT IS “PERSONAL DATA”?

Personal data is information that is linked or reasonably linkable to an identified or identifiable individual. The NHPA specifically excludes de-identified data or publicly available information from the definition of personal data. In turn, the definitions of de-identified data and publicly available information track closely with the Virginia model.

WHO CAN ENFORCE?

New Hampshire’s attorney general has exclusive enforcement power. Through the end of 2025, the attorney general must provide businesses with a 60-day notice and cure period prior to taking any action in response to a violation if the attorney general determines a cure is possible. Beginning January 1, 2026, the attorney general will have the option to provide notice with the opportunity to cure. Violations of the NHPA can accrue at a rate of up to $10,000 per violation.

WHO IS EXEMPT?

The NHPA includes several broad entity-level exemptions, including common ones for:

• Any government body or agency;
• Nonprofit organizations;
• Higher education institutions;
• Covered Entities and Business Associates under the Health Insurance Portability and Accountability Act (HIPAA); and
• Any financial institution or data subjected to the Gramm-Leach-Bliley Act.

The NHPA also includes 19 data-level exemptions, including data processed in accordance with a litany of federal laws including, but not limited to, HIPAA, the Fair Credit Reporting Act, the Drivers Privacy Protection Act, the Family Educational Rights and Privacy Act and the Farm Credit Act.

WHAT OBLIGATIONS ARE IMPOSED?

The NHPA imposes controller obligations that largely mirror what we have seen in other states. The obligations include requirements to:

1. Limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed;
2. Establish, implement and maintain reasonable administrative, technical and physical data security practices;
3. Prohibit processing personal data in violation of the laws that prohibit unlawful discrimination against consumers, and refrain from discriminating against consumers that exercise their rights;
4. Provide an effective mechanism such that a consumer can revoke their consent; and
5. Prohibit processing for targeted advertising or selling the consumer’s personal data without the consumer’s consent where the controller knows that the consumer is at least 13 years of age but younger than 16 years of age.

WHAT CONSUMER RIGHTS ARE CREATED BY THE NHPA?

The NHPA will require controllers to provide New Hampshire consumers the following rights:

1. A right to confirm whether or not the controller is processing the consumer’s personal data and provide access to that data unless access would require the controller to reveal a trade secret;
2. Correction rights, considering the nature of the personal data and the purposes for processing the personal data;
3. Deletion rights, with respect to the data provided by or obtained about the consumer;
4. Opt-out rights related to the sale of personal data, targeted advertising and profiling, where profiling is being used to produce a legal or similarly significant effect;
5. Appeal rights; and
6. Data portability rights.

SENSITIVE PERSONAL DATA

The NHPA includes a definition of sensitive personal data, which should look familiar, and includes information that reveals:

• Racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status;
• The processing of genetic or biometric data for the purpose of uniquely identifying an individual;
• Personal data collected from a known child (under 13); or
• Precise geolocation data (within a 1,750-foot radius).

Controllers may not process sensitive data without first obtaining the consumer’s consent (or a parent’s consent where processing data about a known child).

RESPONSE TO CONSUMER INQUIRES

Under the NHPA, controllers must respond to a data subject request within 45 days after receipt, with a 45-day extension available as reasonably necessary. There must be a method of appealing the controller’s denial of a request, and a decision on the appeal must be provided within 60 days of receipt of the appeal. If an appeal is denied, the decision must include a method for the consumer to submit a complaint with the attorney general.

DATA PROTECTION ASSESSMENTS

The NHPA requires “data protection assessments” be conducted whenever the controller is:

1. Processing personal data for targeted advertising;
2. Selling personal data;
3. Processing personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of consumers or result in other substantial injury to consumers; and
4. Processing sensitive data.

The assessment must identify and weigh the benefits to all stakeholders against the risks and potential harms, accounting for any potential mitigating steps that the controller could employ. Thankfully, the NHPA allows impact assessments completed pursuant to other state privacy laws to satisfy the assessment requirements of the NHPA.

Assessments are only required for any processing activities that occur on or after July 1, 2024.

WHEN DOES THE NHPA TAKE EFFECT?

The NHPA is slated to take effect January 1, 2025.