
March 6, 2024, marked a significant moment in New Hampshire as Governor Chris Sununu officially enacted SB 255, thereby cementing the state’s position as the 15th to embrace a comprehensive privacy law. This pivotal legislation stands to empower New Hampshire residents with robust protections surrounding their personal data, while simultaneously placing stringent demands on businesses to safeguard these rights and ensure adherence to legal requirements. Personal data, encompassing information capable of identifying individuals, lies at the heart of this law.

The New Hampshire Privacy Law (SB 255) serves as a guidepost, elucidating the rights of New Hampshire consumers and delineating the regulatory framework for businesses obligated to comply with its provisions.


Background & Developments

New Hampshire is poised to become the 14th state to enact a comprehensive privacy law, following New Jersey’s lead with the New Jersey Data Protection Act earlier this year. Currently, the Act is moving through the House, awaiting approval from the Senate, which appears likely given their support of a similar version. If the Senate gives the latest version the green light, it will head to the New Hampshire Governor’s desk for signing. If all goes according to plan, this new privacy law will take effect on January 1, 2025.

The New Hampshire Data Privacy Act mirrors Connecticut’s 2022 law, which drew inspiration from legislation in other states like Virginia, Colorado, and Utah. The bill aims to grant consumers broad rights concerning their privacy and control over personal data. Below, we’ll highlight some key points of the New Hampshire data privacy law.

While the U.S. Congress grapples with federal privacy legislation, the New Hampshire consumer protection bill is viewed favorably by privacy advocates as a step towards enhanced privacy protections. However, the Attorney General’s Office has raised concerns about implementation costs, which played a significant role in the committee’s decision to delay the bill’s progression in 2023. You can access the text of the law here.

Applicability & Exemptions

SB 255 reaches out to businesses operating within New Hampshire, following specific guidelines. Entities handling personal data from a substantial consumer base or earning significant revenue from data sales fall under the scope of this legislation.

Applicability

SB 255 applies to individuals conducting business in New Hampshire (“NH”) or who “produce products or services targeted to residents of” NH and, within a year:

    1. Managed personal data from at least 35,000 unique consumers, excluding data for payment transactions; or
    2. Managed personal data from at least 10,000 unique consumers and derived over 25 percent of their gross revenue from selling personal data.

The lower thresholds reflect NH’s smaller population, akin to Delaware’s Personal Data Privacy Act (H.B. 154) (the “DPDPA”).

SB 255’s protections extend to NH residents outside of commercial or employment settings, aligning with exemptions in most state privacy laws except California.

Exemptions & Exceptions

However, SB 255 includes exemptions. Government agencies, nonprofits, and educational institutions are not subject to this law. Certain data categories regulated by existing statutes, like HIPAA or the Fair Credit Reporting Act, are also exempt from SB 255’s provisions. New Hampshire Privacy Law (SB 255) does not apply to the following entities:

    • Individuals acting commercially or in employment contexts with interactions limited to their role in the company
    • Government agencies
    • Nonprofit organizations
    • Higher education institutions
    • Certain national securities associations
    • Financial institutions under the Gramm-Leach-Bliley Act
    • Covered entities or business associates

Certain types of data are also exempt from New Hampshire Privacy Law (SB 255):

    • Financial data under the Gramm-Leach-Bliley Act
    • Health information protected by HIPAA
    • Specific patient-identifying data
    • Certain data used for human subject research
    • Data covered by other laws, including the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, and the Family Educational Rights and Privacy Act

What Obligations Do Controllers Have?

Controllers bear several responsibilities under New Hampshire law. A key obligation is to furnish a “reasonably accessible, clear, and meaningful privacy notice” meeting standards set by the secretary of state. This notice should cover:

  1. The categories of personal data processed;
  2. The purposes for processing personal data;
  3. Consumer rights and appeal processes;
  4. Categories of personal data shared with third parties, if any;
  5. Categories of third parties with whom data is shared; and
  6. Contact information for consumer inquiries.

This entails conducting due diligence to understand the personal information collected, processed, and maintained. Additionally, controllers must:

  • Limit personal data collection to what’s necessary for disclosed purposes;
  • Obtain consent for processing personal data not reasonably necessary or compatible with disclosed purposes;
  • Implement reasonable data security measures;
  • Obtain consent for processing sensitive data, including data revealing racial or ethnic origin, health information, etc.;
  • Comply with state and federal laws prohibiting unlawful discrimination;
  • Provide an easy mechanism for consumers to revoke consent;
  • Refrain from targeted advertising or selling personal data without consent for consumers aged 13 to 16;
  • Not discriminate against consumers for exercising their rights under New Hampshire law.

Controllers may need to conduct and document data protection assessments for processing sensitive data or profiling activities posing a heightened risk of harm to consumers.

Consumer Rights

New Hampshire Privacy Law (SB 255) grants consumers various rights concerning their privacy, such as the right to know if their personal data is being processed and to access, amend, or erase their personal information. Consumers can:

  1. Confirm if a controller is processing their personal data and access such data.
  2. Rectify any inaccuracies in their personal data.
  3. Erase personal data provided by or collected about them.
  4. Obtain a copy of their personal data processed by the controller.
  5. Opt out of personal data processing for targeted advertising, sale of personal data, or profiling for solely automated decisions with legal or similarly significant effects. Note that under the law, a “sale” of personal data includes exchanging it for monetary or other valuable consideration, similar to the California Consumer Privacy Act (CCPA).

When consumers exercise these rights, controllers must respond promptly, within 45 days of receiving the request. If necessary, the controller may extend the response time by another 45 days. Consumers can appeal a controller’s decision within a reasonable time frame. Similar to the CCPA, controllers may authenticate requests to exercise these rights and are not obligated to comply if authentication fails, provided they inform the requesting party.

How Does SB 255 Affect Businesses?

Businesses in New Hampshire must follow Privacy Law (SB 255) to protect consumer data and be transparent about how they use it. They must collect only necessary data, tell consumers why they collect it, and use it only for those reasons unless they get more consent. Businesses must also keep data safe and get explicit permission before using sensitive information. They must comply with COPPA when handling kids’ data and let consumers withdraw consent easily. Before using data for targeted ads or selling it, they need consumer consent. Consumers should have simple ways to exercise their data rights. Regular security checks are required to ensure compliance. Section 507-H:6 outlines specific duties for data controllers, emphasizing limited data collection, strong security, and consumer-focused consent.

Compliance Checklist

Craft a Clear Privacy Policy

Creating a transparent and user-friendly Privacy Policy is crucial for complying with SB 255. Your policy should explain your data processing activities, reasons for collecting data, how consumers can exercise their rights, and any data sharing with third parties. To comply with New Hampshire Privacy Law (SB 255), your Privacy Policy should include:

  • Types of personal data you collect
  • Reasons for collecting consumers’ personal data
  • How consumers can exercise their rights
  • Categories of personal data shared with third parties
  • Types of third parties personal data is shared with
  • Online contact information

Section 507-H:6 of New Hampshire Privacy Law (SB 255) outlines the required clauses for a Privacy Policy, including the types of personal data processed and reasons for processing.

Limit Data Collection

SB 255 requires businesses to only collect data necessary for disclosed purposes, following the principle of data minimization.

Enhance Data Security

Implement strong security measures, including physical, administrative, and technical safeguards, to protect collected personal data from breaches and unauthorized access.

Obtain Explicit Consent

Obtain prior consumer consent before processing sensitive data, conducting targeted advertising, or selling personal data. Utilize “I Agree” checkboxes to facilitate consent.

Respond Promptly to Consumer Requests

Address consumer requests regarding their personal data promptly, following specified response timelines and providing appeal avenues in case of disputes.

Conduct Data Protection Assessments

Certain data processing activities require thorough assessments to evaluate risks to consumer privacy, ensuring compliance with SB 255.

Keep Data Secure

Implement physical, administrative, and technical safeguards appropriate to the volume of personal data collected. Examples include firewalls, multi-factor authentication, staff training, and security systems.

Get Consent

Obtain consumer consent before processing sensitive data, engaging in targeted advertising, or selling personal data, as outlined in legal documents such as Terms and Conditions and Privacy Policy.

Enforcement and Penalties

Enforcement of SB 255 lies with the attorney general, who ensures compliance. SB 255 does not allow private action and is enforced solely by the New Hampshire Attorney General. Additional funds have reportedly been allocated to support enforcement. The bill allows for a 60-day cure period for violations, with a one-year sunset period on broad right-to-cure provisions as of January 1, 2026. Violations may incur fines of up to $10,000 per violation under New Hampshire’s Regulation of Business Practices for Consumer Protection.

Wrapping Up

Senate Bill (SB) 255 represents a significant step forward for privacy regulation in New Hampshire. This legislation aims to protect personal data and empower consumers while imposing important obligations on businesses. SB 255 underscores the importance of transparency, accountability, and consumer rights in the digital era. From defining its scope to outlining responsibilities for data controllers and safeguarding consumer rights, SB 255 provides a comprehensive framework for privacy regulation. It emphasizes limiting data collection, enhancing security measures, obtaining consent, and promptly addressing consumer requests.

In essence, SB 255 reflects New Hampshire’s commitment to creating a trustworthy digital environment where privacy is respected. As businesses adapt to these regulations, it’s crucial to prioritize consumer privacy and uphold the principles outlined in SB 255.
