The individual rights created under NH’s consumer privacy bill generally align with those provided under other state laws. If the NH bill applies to your business, you must give consumers the following rights:
- Right to know whether a business is processing their Personal Data;
- Right to access Personal Data;
- Right to correct inaccuracies in Personal Data;
- Right to delete Personal Data;
- Right to obtain a copy of Personal Data (data portability); and
- Right to opt out of the sale of Personal Data, processing for targeted advertising, or profiling in furtherance of automated decisions that produce legal or similarly significant effects concerning the consumer.
New Hampshire requires that businesses respond to individual rights requests within 45 days of receipt of the request, with a permissible 45-day extension in limited circumstances. Responses must be provided free of charge once a year. Businesses may deny a rights request in certain circumstances, including inability to verify the identity of a requestor. When a business denies a request, the business must notify the consumer within the 45-day timeframe and provide the reason for the denial as well as instructions for how to appeal the decision.
As we have seen with other recent state privacy laws, including Montana, Iowa, Tennessee, and New Jersey, the appeal process must be conspicuously available to the consumer and similar to the process for submitting requests. Businesses must respond to appeals within 60 days of receipt and, if denying an appeal, must provide the consumer with a method (online if available) to file a complaint with the attorney general.
Where a controller processes de-identified data, New Hampshire requires the controller to take reasonable measures to ensure the data cannot be associated with an individual; publicly commit to maintaining such data without an attempt to re-identify it; and contractually obligate any recipients of the data to comply with the NH bill.
De-identified data is exempt from the NH bill. New Hampshire also exempts pseudonymous data where the controller can show that the information that would allow the data to be re-identified is kept separately and is subject to technical and organizational controls that prevent access to it for re-identification.