NH’s new comprehensive privacy law

On March 6, Gov. Chris Sununu approved Senate Bill 255-FN, a comprehensive privacy law designed to protect consumers’ personal data. The law will take effect on Jan. 1, 2025. Personal data means any information that is linked or reasonably linkable to an identified or identifiable individual, but does not include publicly available information.

Generally speaking, any information that reasonably could be used to identity an individual, and any private information about that identified or identifiable individual, is protected under the law, with some exceptions.

Most of the obligations under the proposed law apply to a “controller,” that is, the person (individual or entity) that alone or jointly with others determines the purposes and means of the processing of personal data.

A key question is how many businesses will the law really affect. The starting point is that the law applies to persons that conduct business in New Hampshire or produce products or services that are targeted to residents of New Hampshire.

In addition, the person must, during a one-year period, either (a) control or process the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or (b) control or process the personal data of not less than 10,000 unique consumers and derive more than 25% of the person’s gross revenue from the sale of personal data.

Sale of personal data means the exchange of personal data for monetary or other valuable consideration by the controller to a third party. There are a number of exceptions to the definition of sale of personal data, including the disclosure of personal data to a processor that processes the personal data on behalf of the controller.

The law also contains a number of exclusions for certain types of persons, including New Hampshire governmental bodies, authorities, boards, bureaus, commissions, districts and agencies, nonprofit organizations, and institutions of higher education.

While 35,000 residents might seem like a lot, that number is significantly lower than the threshold in many other states. And even if 35,000 seems like a stretch, it is important to keep in mind that even IP addresses, device identifiers and other unique identifiers are personal information. Data analytics and digital marketing collection of these types of personal information could cause the threshold to be met.

The new law specifies certain rights that consumers have with regard to their personal data, including the right (with some limitations) to:

• confirm whether a controller is processing the consumer’s personal data as well as the right to access such personal data.
• correct inaccuracies in the consumer’s personal data.
• delete personal data provided by, or obtained about, the consumer.
• obtain a copy of the consumer’s personal data processed by the controller.
• opt-out of the processing of the personal data for purposes of targeted advertising, the sale of personal data (except as otherwise provided in the law), or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

The new law also would require consumers to be informed of these rights and how to exercise them through a reasonably accessible, clear and meaningful privacy notice (what some call a “privacy policy”) meeting standards established by the New Hampshire Secretary of State, and that includes: • the categories of personal data processed by the controller.

• the purpose for processing personal data.
• how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request.
• the categories of personal data that the controller shares with third parties, if any.
• the categories of third parties, if any, with which the controller shares personal data.
• an active electronic mail address or other online mechanism that the consumer may use to contact the controller.
• The New Hampshire attorney general has exclusive enforcement rights — there is no private right of action under the law. Violation of the privacy law will constitute a violation of RSA 358-A:2 (the New Hampshire consumer protection law).

While many businesses already have considered and addressed requirements similar to those imposed by the new law, many have not. Much work is required to properly prepare for and effectuate compliance with the law, such as undertaking personal data inventories and mapping, and making sure proper privacy notices and data processing agreements are in place. Time to get going!

Doug Verge is co-chair of the data privacy and security practice group at Sheehan Phinney.