New Hampshire’s Privacy Law
New Hampshire’s privacy law, Senate Bill 255 (SB 255), passed the full legislature on January 18, 2024, and was signed by the governor on March 7. It goes into effect January 1, 2025. The law follows the Washington Privacy Act model and aligns closely with the Connecticut Data Privacy Act.
What You Need to Know About New Hampshire’s Privacy Law
NH’s data privacy law applies to you if your business:
- Is for-profit and conducts business or provides products or services to residents (“consumers”) in New Hampshire, and
- Annually controls or processes the Personal Data of either:
- 35,000 unique residents, excluding data solely used for completing payment transactions; or
- 10,000 unique residents, while deriving more than 25% of gross revenue from the sale of Personal Data
- Exempt Data: (a) GLBA-covered data, (b) HIPAA-covered PHI, (c) Patient-identifying information for purposes of 42 U.S.C. section 290dd-2, (d) Identifiable private information for human subjects under the “Common Rule”, (e) Information and documents created for purposes of the Health Care Quality Improvement Act of 1986, (f) Information derived from any of the health care related information listed here that is de-identified in accordance with the HIPAA de-identification requirements, (g) Patient safety work product for purposes of the Patient Safety and Quality Improvement Act, (h) Information originating from and intermingled to be indistinguishable with, or information treated in the same manner as, information exempt under this section that is maintained by a covered entity or business associate, program or qualified service organization, as specified in 42 U.S.C. 290dd-2, (i) Information used for public health activities and purposes as authorized by HIPAA, community health activities and population health activities, (j) Information regarding credit under the FCRA, (k) Data collected, processed, sold or disclosed in compliance with the Driver’s Privacy Protection Act of 1994, (l) FERPA-covered data, (m) Farm Credit Act-covered data, (n) Employment data, (o) Emergency contact data, (p) Data needed for benefits to a HIPAA-covered individual, (q) Personal Data collected, processed, sold or disclosed in relation to price, route or service (as defined by the Airline Deregulation Act) by an air carrier subject to that act, (r) Personal Data used or maintained for compliance with the regulation of listed chemicals under the Controlled Substances Act, and (s) Information included in a limited data set as described at 45 C.F.R. 164.514(e), to the extent that the information is used, disclosed, and maintained in the manner specified at 45 C.F.R. 164.514(e).
- Context: New Hampshire has many data-level exemptions. What stands out is the number of specific scenarios that receive a data-level exemption, as opposed to exempting whole industries. The practical effect is that organizations should pay close attention to the data exemption list: certain elements of their processing may be exempt even if others are not. A robust inventory of processing and data collection activities will be of real value to organizations seeking to make full use of these exemptions.
- Exempt Entities: (a) Non-profits, (b) Higher education institutions, (c) Government agencies or public bodies, (d) A National Securities Association (FINRA), and (e) GLBA-covered entities
- Context: New Hampshire offers more limited entity wide exemptions than other state laws, though it captures the most common ones.
- If you are already compliant with existing US state data privacy laws, keep it up. The suggestions below are largely common requirements and best practices across all US state data privacy laws:
- Review and update your privacy notice to specify the purpose for collection of Personal Data.
- Review whether you process sensitive Personal Data and offer appropriate consent.
- Implement or update your process for receiving and responding to Individual Rights Requests (including appeals).
- Create or update Data Protection Assessments (similar to Data Privacy Impact Assessments, if completed for GDPR).
- Ensure that your vendor contracts include appropriate privacy protections.
- Update your technology so that it recognizes universal opt-out mechanisms, such as the Global Privacy Control (GPC), and treats a valid signal as an opt-out of sale and targeted advertising.
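A universal opt-out signal such as GPC arrives as an HTTP request header (`Sec-GPC: 1`), so "recognizing" it is mostly a matter of reading that header on every request and letting it override sale and targeted-advertising processing for that consumer. The following is an added example, not code from the original post or from any state's guidance; it assumes a framework-agnostic view of a request as a dictionary of headers, and the rule that a GPC signal wins over a previously recorded opt-in is a design assumption for the example, not a statement of what New Hampshire's statute requires.

```python
"""Recognize the Global Privacy Control (GPC) opt-out signal on inbound requests.

Added example (not the post's own code). Assumptions:
  - a request is represented as a dict of header name -> value;
  - a GPC signal conveys only the sale / targeted-advertising opt-outs, which
    is what a universal opt-out mechanism expresses; it is not consent for
    sensitive data and does not by itself express a profiling opt-out.
"""
import json
from dataclasses import dataclass
from typing import Mapping, Optional

GPC_HEADER = "sec-gpc"   # the GPC spec's header field, compared case-insensitively


@dataclass(frozen=True)
class ProcessingDecision:
    sale_allowed: bool
    targeted_ads_allowed: bool
    reason: str


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True when the request carries Sec-GPC with the single defined value "1".

    Any other value, or absence of the header, means "no signal": the spec
    does not define "0" as an affirmative opt-in, so we treat it as no signal
    rather than as consent.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


def decide_processing(headers: Mapping[str, str],
                      consumer_opted_in: bool = False) -> ProcessingDecision:
    """Combine the browser signal with any explicit choice already on file.

    Assumed policy for this example: a GPC signal on the current request
    overrides an earlier recorded opt-in (the later, more restrictive signal
    wins). Whether to then prompt the consumer to confirm their earlier
    site-specific setting is a product decision outside this example.
    """
    if gpc_signal_present(headers):
        return ProcessingDecision(False, False,
                                  "universal opt-out signal (GPC) received")
    if consumer_opted_in:
        return ProcessingDecision(True, True, "consumer opted in; no GPC signal")
    return ProcessingDecision(True, True, "no opt-out signal on this request")


def gpc_wellknown_body(last_update: str) -> str:
    """Body for /.well-known/gpc.json, the spec's way for a site to state
    that it honors GPC. `last_update` is an ISO date string (YYYY-MM-DD)."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = {
        "browser with GPC on": {"Host": "shop.example", "Sec-GPC": "1"},
        "browser with GPC off": {"Host": "shop.example", "sec-gpc": "0"},
        "no GPC support": {"Host": "shop.example"},
    }
    for label, hdrs in samples.items():
        d = decide_processing(hdrs, consumer_opted_in=True)
        print(f"{label}: sale={d.sale_allowed} ads={d.targeted_ads_allowed} ({d.reason})")
```

The decision object is what the ad-tech and data-sharing layers should consult before any sale or targeted-advertising call; logging the reason alongside the consumer identifier also gives you the audit trail an AG inquiry would ask for.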
Key Components of NH’s Data Privacy Law
New Hampshire’s definition of Personal Data is relatively standard: “any information that is linked or reasonably linkable to an identified or identifiable individual.” As in many other states, de-identified data and publicly available information are excluded.
New Hampshire’s definition of sensitive Personal Data is in keeping with older laws such as Colorado’s and California’s. Whereas some of the newer laws add financial information, transgender status and more, sensitive Personal Data in NH consists of:
- Racial or ethnic origin;
- Religious beliefs;
- Mental or physical condition or diagnosis;
- Sex life or sexual orientation;
- Citizenship or immigration status (introduced by several recent state laws);
- Personal Data about a known child;
- Precise geolocation data (data that identifies a specific location within a radius of 1,750 feet); and
- Genetic or biometric data.
Children’s Data
Children’s data is protected. Parental consent is required to process Personal Data about a known child (under 13) in accordance with COPPA, and the consumer’s own consent is required to sell the Personal Data of a person between the ages of 13 and 15 or to use it for targeted advertising.
Under the New Hampshire privacy law, a privacy notice must include:
- The categories of Personal Data processed;
- The purpose for processing Personal Data;
- The categories of third parties with which Personal Data is shared;
- The categories of Personal Data that are shared with third parties;
- The methods for a consumer to exercise their rights (see below) and appeal a decision on their rights request;
- An active email address or other online method for a consumer to contact the company.
New Hampshire follows Oregon and many other states in defining ‘sale’ to include exchange for monetary or other valuable consideration.
As under most state laws, the New Hampshire attorney general (AG) has sole enforcement authority; there is no private right of action. The AG may bring an enforcement action after providing 60 days’ notice and an opportunity for the business to cure the alleged violation(s). The mandatory cure period ends January 1, 2026, after which the AG has discretion over whether to grant an opportunity to cure. Actions may seek injunctive relief (the company must stop certain behaviors) and/or civil penalties, with fines of up to $10,000 per violation as provided under the NH Unfair and Deceptive Trade Practice Act.
Notably, the law calls for the Secretary of State to determine appropriate means for submission methods for data subject rights requests and to provide standards for privacy notices.
Individual Rights
The individual rights created under NH’s consumer privacy law generally align with those provided under other state laws. If the NH law applies to your business, consumers have the following rights:
- Right to know whether a business is processing your Personal Data;
- Right to access Personal Data;
- Right to Correct inaccuracies in Personal Data;
- Right to delete Personal Data;
- Right to obtain a copy of Personal Data (data portability); and
- Right to opt out of the sale of Personal Data, processing for targeted advertising, or profiling in furtherance of automated decisions that produce legal or similarly significant effects concerning the consumer.
New Hampshire requires that businesses respond to individual rights requests within 45 days of receipt, with a permissible 45-day extension in limited circumstances. Responses must be provided free of charge at least once per consumer in any 12-month period. Businesses may deny a rights request in certain circumstances, including an inability to verify the identity of the requestor. When a business denies a request, it must notify the consumer within the 45-day timeframe and provide the reason for the denial as well as instructions for appealing the decision.
As we have seen with other recent state privacy laws, including Montana, Iowa, Tennessee, and New Jersey, the appeal process must be conspicuously available to the consumer and similar to the process for submitting requests. Businesses must respond to appeals within 60 days of receipt and, if denying an appeal, must provide the consumer with a method (online if available) to file a complaint with the attorney general.
Where a controller processes de-identified data, New Hampshire requires them to take reasonable measures to ensure the data cannot be associated with an individual; publicly commit to maintaining such data without an attempt to re-identify it; and contractually obligate any recipients of the data to comply with the NH law.
De-identified data is exempt from the NH law. New Hampshire also exempts pseudonymous data where the controller can show that the information needed to re-identify it is kept separately and is subject to effective technical and organizational controls that prevent it from being accessed and used for re-identification.
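The pseudonymous-data carve-out above turns on an engineering property: the data set handed to analysts must not be re-identifiable without material that lives somewhere else under separate access control. The following is an added example, not code from the original post or from New Hampshire's statute; it assumes a single direct identifier (an email address), models the separately held re-identification material as a "vault" object the analytics side never receives, and uses constructed sample records. It also shows the caveat practitioners most often miss: an unkeyed hash of an email address is not pseudonymization in this sense, because anyone with a list of candidate addresses can recompute it.

```python
"""Keyed pseudonymization with the re-identification key held apart from the data.

Added example (not the post's own code). Assumptions:
  - records are flat dicts with an "email" direct identifier;
  - the ReidentificationVault stands in for a separately controlled store
    (different service, different access policy) that analysts cannot query;
  - sample records below are constructed, not real data.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional

DIRECT_IDENTIFIERS = ("email", "name")   # fields stripped from the analytics copy


def _normalize(identifier: str) -> bytes:
    return identifier.strip().lower().encode("utf-8")


class ReidentificationVault:
    """Holds the HMAC key and the token -> identifier map.

    This object is the "information that would allow re-identification": it
    stays with the controller, behind its own access controls, and is never
    shipped with the pseudonymized data set.
    """

    def __init__(self, key: Optional[bytes] = None):
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}

    def tokenize(self, identifier: str) -> str:
        token = hmac.new(self._key, _normalize(identifier), hashlib.sha256).hexdigest()
        self._lookup[token] = identifier
        return token

    def reidentify(self, token: str) -> Optional[str]:
        """Only code with access to the vault can map a token back."""
        return self._lookup.get(token)


def pseudonymize(record: dict, vault: ReidentificationVault) -> dict:
    """Return an analytics copy: direct identifiers removed, stable token added."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_token"] = vault.tokenize(record["email"])
    return out


def contains_direct_identifier(record: dict) -> bool:
    """Release check: refuse to export a record that still carries a direct identifier."""
    return any(k in record for k in DIRECT_IDENTIFIERS)


def unkeyed_token(identifier: str) -> str:
    """Plain SHA-256 of the identifier. Shown only for contrast: NOT adequate."""
    return hashlib.sha256(_normalize(identifier)).hexdigest()


def dictionary_attack(token: str, candidates: Iterable[str],
                      token_fn: Callable[[str], str]) -> Optional[str]:
    """An attacker who knows the tokenization scheme tries candidate identifiers."""
    for candidate in candidates:
        if token_fn(candidate) == token:
            return candidate
    return None


def build_dataset(records: List[dict], vault: ReidentificationVault) -> List[dict]:
    dataset = [pseudonymize(r, vault) for r in records]
    assert not any(contains_direct_identifier(r) for r in dataset)
    return dataset


if __name__ == "__main__":
    # Constructed sample records.
    records = [
        {"email": "ana@example.com", "name": "Ana", "zip": "03301", "purchases": 3},
        {"email": "Ben@Example.com", "name": "Ben", "zip": "03104", "purchases": 1},
    ]
    vault = ReidentificationVault()
    dataset = build_dataset(records, vault)
    print("analytics copy:", dataset)

    # The attacker has a candidate list (say, a leaked mailing list).
    candidates = ["ana@example.com", "ben@example.com", "cat@example.com"]
    weak = unkeyed_token(records[0]["email"])
    print("unkeyed hash recovered:", dictionary_attack(weak, candidates, unkeyed_token))
    # Without the vault's key, recomputing tokens with a key of their own fails.
    attacker_vault = ReidentificationVault()
    print("keyed token recovered:",
          dictionary_attack(dataset[0]["subject_token"], candidates, attacker_vault.tokenize))
    print("controller re-identifies:", vault.reidentify(dataset[0]["subject_token"]))
```

The two things an auditor will look for map directly onto the code: the analytics copy passes a release check that no direct identifier survives, and the only path from token back to person goes through the vault, which is where your access controls and logging belong.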
Privacy Impact Assessments
Like many of the recent state privacy laws, including Virginia, Connecticut, Montana, Tennessee, and Indiana, the NH law requires that businesses conduct data protection or privacy impact assessments.
New Hampshire requires assessments for processing that presents a heightened risk of harm, including:
- Processing for targeted advertising;
- Processing sensitive data;
- Selling Personal Data;
- Processing for the purposes of profiling if it presents a ‘reasonably foreseeable risk’ of
- Unfair or deceptive treatment or unlawful disparate impact on consumers;
- Financial, physical or reputational injury to consumers;
- Physical or other intrusion on the solitude or seclusion, or private affairs or concerns, which would be offensive to a reasonable person; or
- Other substantial injury.
Vendor Contracts
Like most other state consumer privacy laws, New Hampshire requires a contract that dictates how vendors (also called service providers or processors) may process Personal Data. Contracts must have instructions for processing data, the nature and purpose of processing, the type of data that is subject to processing, the duration of processing and specify the rights and obligations of both parties. In addition, the contract must require that the processor:
- Ensure that each person who processes Personal Data is subject to a duty of confidentiality;
- Delete or return all Personal Data at the controller’s direction or when it has completed the services, unless retention of the Personal Data is required by law;
- Make available all information necessary to demonstrate the processor’s compliance with its obligations;
- Allow and cooperate with audits by the controller, or an independent auditor to review its policies and practices, and provide a report of the assessment to the controller;
- Provide the opportunity for the controller to object to any sub-processors;
- Pass along the same obligations to any subcontractors in a written contract.
Business Friendly Exceptions
Like most recent state laws, including the laws in Colorado, Connecticut, Montana, Iowa, Tennessee, and Indiana, the NH law specifies that it should not be construed to restrict a business’s collection, use, or retention of Personal Data for:
- Conducting internal research for development, improvement, and repair of products, services, and technology (R&D);
- Product recalls;
- Identifying and repairing technical errors that impair existing or intended functionality; and
- Performing internal operations.
Data Privacy is Just Good Business
Managing privacy compliance with all the new state privacy laws popping up in the U.S. might seem like a daunting task. But a daunting task is not an impossible one.
You don’t have to go it alone! With the right support, you can make data privacy measures a sustainable part of your daily operations. That’s where Red Clover Advisors comes in: we deliver practical, actionable, business-friendly privacy strategies to help you achieve data privacy compliance and establish yourself as a consumer-friendly privacy champion that customers will appreciate.