On March 6, 2024, the New Hampshire Governor signed SB 255 (the New Hampshire Privacy Act, NHPA for short) into law, making New Hampshire the 15th US state to enact its own data privacy law.
If you are familiar with the other state-specific comprehensive data privacy laws in the USA such as California’s CCPA/CPRA, Florida’s FDBR, or Virginia’s VCDPA, the New Hampshire Privacy Law will be easier to understand and implement. This is because the new Act contains requirements similar to those in other state laws. For instance, it requires consent before processing sensitive data and provides individuals with the right to access, delete, and correct inaccuracies. However, despite these similarities in terms of the requirements, there are still significant divergences from other state-specific data privacy laws.
Considering that the new law will take effect in January 2025, you must familiarize yourself immediately with the New Hampshire Privacy Act and its requirements.
Interested to learn more? Keep reading to determine whether the New Hampshire Privacy Act applies to you and how to comply with its requirements.
What is the New Hampshire Privacy Act?
The New Hampshire Privacy Act is a consumer data privacy law signed on March 6, 2024. If certain thresholds are met, the Act applies to organizations and individuals that collect and process New Hampshire consumers’ personal data.
The new Act’s requirements will become effective on January 1, 2025, giving businesses a short timeframe to understand them and implement the necessary compliance steps.
The Act consists of five separate chapters and imposes various obligations on organizations doing business in New Hampshire, such as establishing a privacy policy, complying with data subject requests, and obtaining consent from New Hampshire consumers when they collect sensitive data.
Does the New Hampshire Privacy Act apply to you?
The Act will apply to organizations and individuals that operate in New Hampshire and that exceed the specified thresholds. An organization will be subject to the Act’s obligations if it satisfies the following two criteria cumulatively:
- Criteria 1: The Organization or individual conducts business in New Hampshire or produces products/services targeted to New Hampshire consumers.
- Criteria 2: The organization fulfills one of the following specific thresholds:
- It controls or processes the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- It controls or processes the personal data of not less than 10,000 unique consumers and derives more than 25 percent of its gross revenue from the sale of personal data.
These are specifically lower thresholds compared to other states, reflecting New Hampshire's smaller population.
Furthermore, the Act applies to both controllers and processors because the applicability criteria do not distinguish between them. For instance, if you provide a data analytics or tracking tool used to process the personal data of New Hampshire residents, you may be subject to processor obligations under the Act, such as the obligation to enter into a data processing agreement with controllers.
What are the exemptions from the scope of the New Hampshire Privacy Act?
The New Hampshire Privacy Act excludes specific categories of organizations and data types from its scope.
Firstly, organizations such as nonprofit organizations, higher education institutions, and financial institutions subject to Title V of the Gramm-Leach-Bliley Act are outside the scope of the Privacy Act.
Secondly, specific categories of data, such as health information subject to HIPAA (Health Insurance Portability and Accountability Act), data under the Family Educational Rights and Privacy Act, and personal data processed in an employment or B2B context, are excluded from the scope of the Act's applicability.
What are the main obligations of data controllers under the New Hampshire Privacy Act?
The New Hampshire Privacy Act imposes the following obligations on controllers.
- Obtain consent before processing sensitive data: If you collect and process sensitive personal data such as biometric data, precise geolocation data, data about religious beliefs, or data related to racial or ethnic origin, data related to sexual orientation, or immigration status, you will need to obtain prior consent from the consumers.
- Display a privacy notice: The Act requires that organizations provide consumers with a clear, reasonably accessible, and meaningful privacy notice. This privacy notice should explain what categories of personal data are collected, for what purposes an organization is processing personal data, and for how long data is stored. Furthermore, an organization should also explain what categories of third parties it may share personal data with and how consumers can exercise their rights, such as the right of access and the right to opt out of the sale of personal data and targeted advertising.
- Provide an opt-out mechanism for the sale of data and targeted advertising: Under the Act, organizations are obligated to provide a clear and conspicuous link on their website that allows New Hampshire consumers to exercise their right to opt out of the sale of their personal data or the use of their data for targeted advertising.
- Provide a consent withdrawal mechanism: The organizations are required to provide consumers with a consent withdrawal mechanism that is as easy as giving consent.
- Provide a universal opt-out mechanism: Organizations must comply with universal opt-out preference signals to opt out of the sale of personal data or the use of data for targeted advertising.
- Data Security: The Act requires that controllers implement and maintain appropriate administrative, technical, and physical data security practices to protect the confidentiality, availability, and integrity of personal data.
- Conduct data protection assessments: When there is a heightened risk of harm to consumers, controllers must carry out and document data protection assessments to comply with the Act. For instance, the Act states that the sale of personal data and the use of data for targeted advertising purposes requires controllers to complete a data protection assessment because there is a heightened risk to consumers.
- Consumer rights: The Act requires that organizations respond to the consumers’ requests to exercise their rights such as the right to access consumer's personal data, the right to confirm whether their data is processed, and the right to delete personal data provided, and right to correct inaccuracies. Such requests shall be fulfilled within 45 days.
- Data minimization: Organizations should only collect data that is adequate, relevant, and reasonably necessary in relation to the purposes for which they process the data.
What are the primary obligations of data processors under the New Hampshire Privacy Act?
The New Hampshire Privacy Act imposes distinct obligations on processors:
- Data processing agreement: The Act requires that controllers and processors enter into a processing agreement.
- Assistance with responding to consumer rights requests: Under the Act, processors are required to assist controllers with responding to consumer rights requests, such as the right to access data.
On that last point, learn more about data subject access rights in our comprehensive guide:
NHPA Enforcement and Penalties
Under the Act, the New Hampshire Attorney General has the exclusive authority to take legal action for an alleged violation of the Privacy Act.
The law provides a 60-day cure period for the first year (until January 1, 2026), after which cure opportunities become discretionary based on the Attorney General's assessment. Each individual violation can be fined up to $10,000.
However, there is no private right of action under the New Hampshire Privacy Act.
How Didomi can help you comply with the New Hampshire Privacy Act
If you operate in the USA and have consumers from New Hampshire, the new Act’s various requirements, such as obtaining consent and providing an opt-out mechanism for data sale, may apply to you.
In particular, the new Law requires you to provide consumers with an easily accessible mechanism for exercising their rights, such as the right to opt out of targeted advertising. This is where Didomi can help with our Global Privacy UX Solutions, which range from a Consent Management Platform (CMP) to Preference Management, Data Subject Access Requests (DSAR), and more.
Get in touch with our team to discuss your privacy challenges, and learn more about data privacy laws in the U.S. in our dedicated article:
{{us-map-link}}
Frequently Asked Questions (FAQ)
When does the New Hampshire Privacy Act come into force?
The New Hampshire Privacy Act will become effective on January 1st, 2025. Therefore, organizations should take swift action to ensure that their personal data processing activities comply with the new law’s requirements.
Is consent necessary before processing sensitive data under the New Hampshire Privacy Act?
Yes. Under the Act, organizations must obtain consumer consent if they collect sensitive data such as genetic or biometric data, data revealing racial or ethnic origin, or data about mental or physical health conditions or sex life.
Are organizations required to honor universal opt-out signals?
Yes, the New Hampshire Privacy Act requires that organizations honor a universal opt-out preference signal for the opt-out of the sale of personal data or the use of data for targeted advertising.
Is there a private right of action under the New Hampshire Privacy Act?
No, individuals cannot initiate legal proceedings for violations of the Act. The New Hampshire Attorney General has the exclusive right to bring legal action for alleged violations.
What thresholds apply to my organization for the New Hampshire Privacy Act?
The Act applies if you process data of 35,000+ New Hampshire consumers, or 10,000+ consumers while deriving over 25% of revenue from data sales.
Are nonprofit organizations subject to the New Hampshire Privacy Act?
No, nonprofit organizations are exempt from the Act's requirements.
What is considered sensitive data under the Act?
Sensitive data includes but is not limited to, biometric data, precise geolocation, racial/ethnic origin, religious beliefs, sexual orientation, immigration status, and data about minors.
How long do organizations have to respond to consumer rights requests?
Organizations must respond within 45 days, with a possible 45-day extension if necessary.
What happens if my organization violates the Act?
Violations can result in fines of up to $10,000 per violation, enforced exclusively by the New Hampshire Attorney General.
Do I need to implement a universal opt-out mechanism?
Yes, organizations must comply with universal opt-out preference signals for the sale of personal data and targeted advertising.